Windows Vista: Group Policy Logging

Although the bulk of Group Policy Processing and Troubleshooting is handled by our Directory Services team, we often collaborate on these issues - mainly when the issue relates to a user logging in and not being presented with their desktop environment as they would expect.  Instead they are simply presented with a blank background (usually blue!) with no icons.  It's not the dreaded "Blue Screen of Death" - it's a blue screen of, well ... nothing.  Usually we will troubleshoot this by turning on debug logging for Group Policies to capture a Userenv.log to figure out if the basic shell (explorer.exe) is even being called.

However, in Windows Vista, the Group Policy engine no longer records information in the userenv.log.  Instead, detailed logging of Group Policy processing is available through Event Viewer, under Applications and Services Logs\Microsoft\Windows\Group Policy\Operational.

Each of the policy processing events that occurs on the client is logged in this Event Viewer channel.  This is an administrator-friendly replacement for the userenv.log.  When looking at these events in Event Viewer, there are some event ranges to be aware of:

Range        Meaning
4000 - 4299  Scenario Start Events
5000 - 5299  Corresponding Success Scenario End Events (Scenario Start Event + 1000)
5300 - 5999  Informational Events
6000 - 6299  Corresponding Warning Scenario End Events (Scenario Start Event + 2000)
6300 - 6999  Warning Events (Corresponding Informational Event + 1000)
7000 - 7299  Corresponding Error Scenario End Events (Scenario Start Event + 3000)
7300 - 7999  Error Events (Corresponding Informational Event + 2000)
8000 - 8999  Policy Scenario Success Events
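
As an added example (not from the original post), the PowerShell below classifies event IDs by the ranges above and pairs each scenario start event with its end event using the +1000 / +2000 / +3000 offsets, flagging scenarios that never logged an end. The function names and sample events are constructed; PowerShell 3.0 or later and the channel name Microsoft-Windows-GroupPolicy/Operational are assumed.

```powershell
# Added example; function names and the sample events are constructed.
function Get-GpEventClass([int]$Id) {
    # Ranges as listed in the table above.
    if     ($Id -ge 4000 -and $Id -le 4299) { 'ScenarioStart' }
    elseif ($Id -ge 5000 -and $Id -le 5299) { 'ScenarioEndSuccess' }
    elseif ($Id -ge 5300 -and $Id -le 5999) { 'Informational' }
    elseif ($Id -ge 6000 -and $Id -le 6299) { 'ScenarioEndWarning' }
    elseif ($Id -ge 6300 -and $Id -le 6999) { 'Warning' }
    elseif ($Id -ge 7000 -and $Id -le 7299) { 'ScenarioEndError' }
    elseif ($Id -ge 7300 -and $Id -le 7999) { 'Error' }
    elseif ($Id -ge 8000 -and $Id -le 8999) { 'PolicyScenarioSuccess' }
    else                                    { 'Unknown' }
}

function Resolve-GpScenario([object[]]$Events) {
    # Pair each scenario start with its end event (start ID + 1000/2000/3000).
    $outcomes = @{ 1000 = 'Success'; 2000 = 'Warning'; 3000 = 'Error' }
    $sorted = @($Events | Sort-Object TimeCreated, RecordId)
    for ($i = 0; $i -lt $sorted.Count; $i++) {
        $start = $sorted[$i]
        if ((Get-GpEventClass $start.Id) -ne 'ScenarioStart') { continue }
        $outcome = 'NoEndEvent'; $endId = $null
        for ($j = $i + 1; $j -lt $sorted.Count; $j++) {
            [int]$delta = $sorted[$j].Id - $start.Id
            if ($delta -eq 0) { break }   # same scenario started again: this run never ended
            if ($outcomes.ContainsKey($delta)) {
                $outcome = $outcomes[$delta]; $endId = $sorted[$j].Id; break
            }
        }
        [pscustomobject]@{ Started = $start.TimeCreated; StartId = $start.Id
                           EndId = $endId; Outcome = $outcome }
    }
}

# Constructed sample: IDs picked only to fit the ranges, not taken from a real log.
$t0  = [datetime]'2008-01-15T08:00:00'
$ids = 4001, 5312, 5001, 4005, 7320, 7005, 4004, 5340
$sample = for ($k = 0; $k -lt $ids.Count; $k++) {
    [pscustomobject]@{ Id = $ids[$k]; RecordId = $k + 1; TimeCreated = $t0.AddSeconds($k) }
}
Resolve-GpScenario -Events $sample | Format-Table -AutoSize

# Against the live channel instead of the sample:
# Resolve-GpScenario -Events (Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational')
```

A start event reported as NoEndEvent is the first place to look when policy processing appears to stall during logon.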

Administrative events relating to Group Policy are still logged in the System Event Log, similar to pre-Windows Vista platforms.  The difference is that the event source for the event is now Group Policy instead of USERENV.  In Windows Vista, the Group Policy script processing errors are also now logged through the same mechanism as the rest of the Group Policy errors.

And that brings us to the end of this quick post on Group Policy Logging on Windows Vista.  Until next time ...

Source: Performance Team Blog