Troubleshooting Group Policy Using Event Logs

Group Policy Event Log Improvements
Windows Vista provides a new centralized event logging system and Event Viewer. Features such as cross-log querying, scheduled task integration, and page support in filtered views make the Event Viewer the ideal tool to view the health of the computer and the health of Group Policy.

Earlier instances of Group Policy used the event source name "Userenv". Earlier versions of Windows shared this source name with other components, which made it difficult to identify events specific to Group Policy. Also, when troubleshooting, the information provided by Group Policy events added little value.

In Windows Vista, Group Policy writes all event and logging information to the Event Viewer and uses a source name of "Group Policy." This makes it easier to locate events relevant to Group Policy. Additional improvements were made by updating the details of each event. These improvements include better explanations of the event in the event description, possible causes, and suggested follow-up actions.

You can locate Group Policy events in the System event log and the Group Policy operational event log.

How to Start the Event Viewer

System event log

You use the System event log to view events logged by Windows and Windows Services. Windows categorizes these events as error, warning, and informational events. The Group Policy service logs administrative events in the System log. Administrative events help you determine the initial state of Group Policy processing. These events appeared in the Application log on earlier versions of Windows.

To start Event Viewer:

1. Click Start.
2. Click Control Panel.
3. Click System and Maintenance.
4. Click Administrative Tools.
5. Double-click Event Viewer.

Group Policy operational log

The Group Policy operational log gives you a view of the work the Group Policy service performs before and during Group Policy processing. Earlier versions of Windows provided this same functionality by using userenv logging. However, other Windows components shared this log file, which created information unrelated to Group Policy. Additionally, entries found in userenv log files were ambiguous, confusing, and usually required an advanced technical understanding of Group Policy. The Group Policy operational log replaces the userenv log file and provides more comprehensive and detailed event descriptions than its predecessor.

To view the Group Policy operational log:

1. Start the Event Viewer.
2. Click the arrow next to Applications and Services Logs.
3. Click the arrow next to Microsoft, and then Windows, and then Group Policy.
4. Click Operational.

Troubleshooting Group Policy Using Event Logs

Using the Event Viewer

You can use the Event Viewer to isolate the cause of most Group Policy failures. Windows Vista provides a new user interface for the Event Viewer. You should familiarize yourself with the new Event Viewer and where you locate information related to Group Policy processing. The following section shows you the location of information you will use when troubleshooting Group Policy.
General tab

Figure 1 The General tab of a Group Policy event as seen using the Event Viewer.

Description: Contains text that describes the logged event. Group Policy events usually contain information describing the events, possible reasons why the event occurred, and suggested follow-up actions.

Source: The name of the software that logs the event. Group Policy events always use the source of "Group Policy."

Event ID: A numerical ID representing the type of event logged. Administrative events in the System event log and the Group Policy operational event log use event IDs. You can find more information about specific Group Policy events and event IDs in the appendices of this document.

Level: Classifies the severity of an event. Group Policy events use Error, Informational, and Warning event levels.

User: The name of the user account that triggered the logged event. The Group Policy service uses the name SYSTEM for recording events related to computer policy processing. User policy processing events use the name of the user who is processing policy.

Logged: The date and local time when the event logging system logged the event. Group Policy in Windows Vista has the opportunity to refresh more often. When troubleshooting Group Policy, make sure the events you are viewing match the time of the reported problem.

Computer: The name of the computer on which the event occurred.

More Information: A hyperlink to the Microsoft TechNet Web site. Clicking this link provides you with information about the event, possible causes for the event, and suggestions that may resolve the issue, if the event is a warning or error.

Details tab

The Event Logging system in Windows Vista records each event using XML. This allows the Group Policy service to record additional information about each event. This information is useful for troubleshooting Group Policy; however, you cannot see the information from the General tab. Therefore, you use the Details tab to view the additional information. The Details tab provides two views of this data: XML view and Friendly view. The XML view displays the additional event data in raw XML and is difficult to read. The Friendly view displays this same data in an expandable, easy-to-read, hierarchical view. You will use the Friendly view when you need to view this additional data.
System and EventData nodes

The Friendly view of an event message has two nodes: System and EventData. The Group Policy service writes information in both nodes. The following section describes important fields included in the Friendly view that you use when troubleshooting Group Policy.

Figure 2 The Details tab of a Group Policy event as seen using the Event Viewer.

System\Correlation: ActivityID

The ActivityID represents one instance of Group Policy processing. The Group Policy service creates a unique ActivityID each time Group Policy refreshes. For example, a computer processes Group Policy during startup. At that time, the Group Policy service assigns that instance of processing an ActivityID. Further events logged during that instance use the same ActivityID until that instance of Group Policy processing completes (Group Policy processing completes when the process ends either successfully or with errors). Users process Group Policy during the logon process. Again, the Group Policy service assigns a unique ActivityID to that instance of Group Policy processing and uses it until processing completes. This behavior repeats for each new instance of Group Policy processing, which includes automatic and forced Group Policy refreshes. You can view this value on all Group Policy events.

EventData\PolicyActivityID

This is the same value as the System\Correlation: ActivityID. The Group Policy service uses this value to identify an instance of Group Policy processing. You can view this value in policy start events (4.

EventData\PrincipalSamName

This value contains the name of the security principal to which the Group Policy service applies policy: the name of the computer during computer policy processing, and the name of the user during user policy processing. The event displays the format as domainname\computer or domainname\user. This information appears in policy start events (4.

EventData\IsDomainJoined

This value is True when the computer is a member of a domain and False when not. You can view this value on policy start events (4.

EventData\IsBackgroundProcessing

This value is True when the Group Policy service applies policy settings in the background. Otherwise, this value is False. When both this value and IsAsyncProcessing are False, the Group Policy service applies policy settings synchronously in the foreground. You can view this value on policy start events (4.
EventData\IsAsyncProcessing

This value is True when the Group Policy service applies policy settings asynchronously in the foreground. Otherwise, this value is False. When both this value and IsBackgroundProcessing are False, the Group Policy service applies policy settings synchronously in the foreground. You can view this value on policy start events (4.

EventData\PolicyApplicationMode

The Group Policy service records the type of Group Policy processing in the PolicyApplicationMode field. The PolicyApplicationMode field is one of three values. Those values and their explanations are:

0: Background processing: The instance of Group Policy processing occurring after the initial instance of Group Policy processing. Background processing occurs when the Group Policy service refreshes. For example, the Group Policy service periodically refreshes Group Policy every 9.

Synchronous Foreground processing: Foreground processing is the instance of policy processing that occurs at computer startup and user logon. Synchronous foreground processing is when the processing of computer Group Policy must complete before Windows displays the logon dialog box, and user Group Policy processing, which happens during user logon, must complete before Windows displays the user's desktop.

Asynchronous Foreground processing: Asynchronous Foreground processing is the instance of Group Policy processing that occurs at computer startup and user logon. However, Windows does not wait for computer Group Policy processing to complete before displaying the logon dialog box. Additionally, Windows does not wait for user Group Policy processing to complete before displaying the user's desktop.

EventData\PolicyProcessingMode

You use the PolicyProcessingMode field to determine the presence of loopback processing and whether loopback processing is in Merge or Replace mode. The values and their explanations are:

Normal Processing mode: Loopback is not enabled.

Loopback Merge mode: Loopback processing is enabled. The Group Policy service merges user settings within the scope of the computer with user settings within the scope of the user.
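
The correlation described above, as an added example that is not part of the original page: it groups events from an exported event XML by their System\Correlation ActivityID, reads PrincipalSamName and the IsBackgroundProcessing / IsAsyncProcessing flags from the start event, and marks instances that logged an Error. The sample events, GUIDs, principals and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample in the Event Viewer XML layout (System and EventData nodes).
SAMPLE = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>4004</EventID><Level>4</Level>
 <Correlation ActivityID="{11111111-1111-1111-1111-111111111111}"/></System>
 <EventData><Data Name="PrincipalSamName">fabrikam\\PC1$</Data>
  <Data Name="IsBackgroundProcessing">true</Data>
  <Data Name="IsAsyncProcessing">false</Data></EventData></Event>
<Event><System><EventID>7004</EventID><Level>2</Level>
 <Correlation ActivityID="{11111111-1111-1111-1111-111111111111}"/></System>
 <EventData/></Event>
<Event><System><EventID>4001</EventID><Level>4</Level>
 <Correlation ActivityID="{22222222-2222-2222-2222-222222222222}"/></System>
 <EventData><Data Name="PrincipalSamName">fabrikam\\alice</Data>
  <Data Name="IsBackgroundProcessing">false</Data>
  <Data Name="IsAsyncProcessing">false</Data></EventData></Event>
</Events>"""

def processing_mode(background, asynchronous):
    """Both flags False means synchronous foreground, as the field notes state."""
    if background:
        return "background"
    return "asynchronous foreground" if asynchronous else "synchronous foreground"

def summarize(xml_text):
    """Return one entry per processing instance, keyed by Correlation ActivityID."""
    instances = {}
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        activity = ev.find("e:System/e:Correlation", NS).get("ActivityID")
        inst = instances.setdefault(activity, {"principal": None, "mode": None,
                                               "event_ids": [], "failed": False})
        inst["event_ids"].append(int(ev.findtext("e:System/e:EventID", namespaces=NS)))
        if ev.findtext("e:System/e:Level", namespaces=NS) == "2":  # Level 2 = Error
            inst["failed"] = True
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        if "IsBackgroundProcessing" in data:  # only start events carry these fields
            inst["principal"] = data.get("PrincipalSamName")
            inst["mode"] = processing_mode(data["IsBackgroundProcessing"].lower() == "true",
                                           data.get("IsAsyncProcessing", "").lower() == "true")
    return instances

if __name__ == "__main__":
    for activity, inst in summarize(SAMPLE).items():
        print(activity, inst)
```
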