Fixing Group Policy problems by using log files

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

This topic provides information related to troubleshooting Group Policy problems by using log files.

Troubleshooting Group Policy by Using Log Files

If other tools do not provide the information you need to identify the problems affecting Group Policy application, you can enable verbose logging and examine the resulting log files. Verbose logging can reduce performance and consume significant disk space, so, as a best practice, enable it only when necessary.

For example, enabling Userenv.dll logging allows administrators to view information about what occurs in the background when a user logs on to the computer. Userenv.dll is part of the code of the Group Policy engine and is always called whenever policy settings are processed.

Client Log Files

Log files can be generated by the core client engine (Userenv) and by every CSE except the Scripts CSE. Scripts processing is logged in the Application log on the client with source=UserInit. Use Event Viewer to view the Application log on the client, or look for these entries on the Policy Events tab of the Group Policy Results report.

The Policy Events tab in Group Policy Results reports generated in GPMC displays the Group Policy–related events that you would see if you used Event Viewer to view these events in the Application log on the client for which you generated the report.

The following table lists several log files you can generate at the client that relate to Group Policy troubleshooting.

Client Log Files for Troubleshooting Group Policy

| Output from: | Is located in this file: | Enable verbose logging by adding this key or value… | …to this registry key |
|---|---|---|---|
| Group Policy core (UserEnv) and registry CSE | %windir%\debug\usermode\UserEnv.log | UserEnvDebugLevel = REG_DWORD 30002 (hexadecimal) | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon |
| Security CSE | %windir%\security\logs\winlogon.log | ExtensionDebugLevel = REG_DWORD 0x2 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GpExtensions\{827d319e-6eac-11d2-a4ea-00c04f79f83a}\ |
| Folder Redirection CSE | %windir%\debug\usermode\fdeploy.log | FdeployDebugLevel = REG_DWORD 0x0f | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics |
| Software Installation CSE | %windir%\debug\usermode\appmgmt.log | Appmgmtdebuglevel=dword:0000009b | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics |
| Windows Installer (deployment-related actions) | %windir%\temp\MSI*.log | Logging = voicewarmup; Debug = DWORD: 00000003 | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer |
| Windows Installer (user-initiated actions) | %temp%\MSI*.log | Logging = voicewarmup; Debug = DWORD: 00000003 | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer |

Note

The UserEnv logs entries pertaining to profiles as well as Group Policy core processing and registry (.adm) processing on the client. The entries pertaining to profiles are intermingled with the Group Policy entries and not easily distinguished from them. Use Wilogutl.exe to analyze the Windows Installer log files. For more information, see Wilogutl.exe on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkID=16156).

Server Log Files

You can enable logging of events generated by the Group Policy Object Editor on the server. There are two different log files: one for events relating to core Group Policy processing and the registry CSE, and another for events relating to all other CSEs.

The following table lists several log files you can generate at the server that relate to Group Policy troubleshooting.

Server Log Files for Troubleshooting Group Policy

| Output from: | Is located in this file: | Enable verbose logging by adding this keyword… | …to this registry key |
|---|---|---|---|
| GPMC: error logging only | %temp%\gpmgmt.log | gpmgmttracelevel=1 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics |
| GPMC: error and verbose logging | %temp%\gpmgmt.log | gpmgmttracelevel=2 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics |
| GPMC: output only to log file (not to debugger) | %temp%\gpmgmt.log | gpmgmtlogfileonly=1 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics |
| Group Policy Object Editor: core-specific entries | %windir%\debug\usermode\gpedit.log | GPEditDebugLevel = REG_DWORD 0x10002 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon |
| Group Policy Object Editor: CSE-specific entries | %windir%\debug\usermode\gptext.log | GPTextDebugLevel = REG_DWORD 0x10002 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon |

Userenv Logging

Because Userenv tracks the Group Policy engine and registry-based Group Policy, it is the most frequently used log file for Group Policy troubleshooting. Userenv is especially useful in a Windows 2000 environment because you don't have the benefit of using Resultant Set of Policy (RSoP). The answers to most of the questions that RSoP answers are in the userenv log.

To use userenv.log you need to first enable verbose logging.

To enable verbose logging

  1. Log on to the client computer as the administrator and run Regedit.

  2. Locate the following key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.

  3. Right-click Winlogon, select New, and then click DWORD Value.

  4. Enter the following name for the DWORD Value: UserEnvDebugLevel.

  5. Enter 30002 as the hexadecimal value. This writes Userenv output to userenv.log, located in the %windir%\debug\usermode directory.

  6. Run "gpupdate /force" to ensure a full listing of total Group Policy processing.
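
The procedure above as a script, extended to the other debug-level DWORD values from the client log file table and to removing them again once troubleshooting is finished. This is an added example, not Microsoft's code; it assumes Windows PowerShell is installed on the client, and the function names and Source labels are hypothetical.

```powershell
# Added example. Keys, value names and data come from the client log file table;
# function and variable names are hypothetical. Run from an elevated prompt.
$Winlogon    = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Diagnostics = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics'
$GpDebugValues = @(
    @{ Source = 'UserEnv'; Key = $Winlogon; Name = 'UserEnvDebugLevel'; Data = 0x30002 },
    @{ Source = 'Security'; Name = 'ExtensionDebugLevel'; Data = 0x2
       Key = "$Winlogon\GpExtensions\{827d319e-6eac-11d2-a4ea-00c04f79f83a}" },
    @{ Source = 'FolderRedirection'; Key = $Diagnostics; Name = 'FdeployDebugLevel'; Data = 0x0f },
    @{ Source = 'SoftwareInstallation'; Key = $Diagnostics; Name = 'Appmgmtdebuglevel'; Data = 0x9b }
)

function Find-GpDebugValue([string]$Source) {
    $v = $GpDebugValues | Where-Object { $_.Source -eq $Source }
    if (-not $v) { throw "Unknown source '$Source'" }
    $v
}

function Enable-GpVerboseLogging([string]$Source) {
    $v = Find-GpDebugValue $Source
    if (-not (Test-Path $v.Key)) { New-Item -Path $v.Key -Force | Out-Null }
    New-ItemProperty -Path $v.Key -Name $v.Name -PropertyType DWord `
        -Value $v.Data -Force | Out-Null
    gpupdate /force    # step 6: reprocess all policy so the log shows a full pass
}

function Disable-GpVerboseLogging([string]$Source) {
    # Remove the value again: verbose logging costs performance and disk space.
    $v = Find-GpDebugValue $Source
    Remove-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue
}

function Get-GpVerboseLogging {
    # List every debug value and whether it is still set on this computer.
    foreach ($v in $GpDebugValues) {
        $state = 'not set'
        $item = Get-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue
        if ($item) { $state = '0x{0:x}' -f $item.($v.Name) }
        New-Object PSObject -Property @{ Source = $v.Source; Value = $v.Name; State = $state }
    }
}

Enable-GpVerboseLogging 'UserEnv'
Get-Content "$env:windir\debug\usermode\UserEnv.log" | Select-Object -Last 40
Disable-GpVerboseLogging 'UserEnv'
Get-GpVerboseLogging | Format-Table Source, Value, State -AutoSize
```

The final report makes it easy to confirm that no verbose-logging value was left enabled after the session.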
