Troubleshooting Windows 7 Group Policy

Last month, we talked about “Group Policy Troubleshooting.” That is, we explored some basic areas for you to check out and make sure YOU weren’t the cause of some kind of problem which prevented Group Policy from processing.

This month, we’ll talk about opening up the Windows 7 areas which can expose what Group Policy “thinks” it’s doing, to help you get a handle on where something might actually be going wrong.

One of the big misunderstandings about Group Policy is where its problems occur: most of them don’t occur on the server, but rather on the client machine. Sure, sure. Problems CAN happen on the server due to replication issues. But Group Policy’s usual problems are most often found on a client machine.

So to get started, you’ll want to be on the client machine that has the problem. Then, right-click Computer and go to Manage as seen in Figure 1. If you’re not logged in with Administrator credentials, be sure to provide them at any User Account Control prompt you might get.

Figure 1

Once you’re in Computer Management, you’ll want to head to the Windows System log by diving down into Computer Management | Event Viewer | System as seen in Figure 2.

You’ll start your hunt by looking for Group Policy events, also seen in Figure 2.

Figure 2

Opening up an event can be pretty enlightening as seen in Figure 3. For instance, in this case, my client’s clock was out of sync with the domain controller, and, hence, couldn’t receive the latest Group Policy settings.

It’s an easy-to-understand problem – and one that’s easy to fix! Usually a reboot will force the client to find the Domain Controller, and re-get the latest time. Problem solved!

Figure 3

You can also quickly sort on the Source column for Group Policy events and see all the events – some interesting, and some not so interesting. Indeed, any “Good News” in Group Policy can be quickly found as well, such as the last time Group Policy applied and how many Group Policy Objects were processed during the last cycle.

If, however, the System Log doesn’t give you what you’re after, you can hunt for even more information in what’s called the Group Policy Operational log. That’s found under Applications and Services Logs | Microsoft | Windows | Group Policy | Operational, as seen in Figure 4.

Figure 4

It’s easy to get overwhelmed in this log, because there can be thousands of events. Don’t Panic!

You’re not looking at errors or bad news. You’re sort of reading the brain dump of the Group Policy engine and figuring out what it was doing at any point in time.

Indeed – if there was some sort of “big Group Policy failure” you would likely see the cause of the error here. Perhaps a disconnected network, unavailable Domain Controller, or some other kind of failure where the client was unable to download Group Policy.

What you get here is every step that occurred before the failure, so you can trace what happened, and just maybe find some advice on how to fix it.
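The same two logs can also be read from an elevated PowerShell prompt on the problem client. The script below is an added example, not part of the original article: the seven-day look-back and the five-minute fallback window are assumptions, and matching on the event's ActivityID to pull a single processing cycle out of the Operational log goes a step beyond the Event Viewer walk-through above.

```powershell
# Added example: read the System log and the Group Policy Operational log
# from PowerShell (Get-WinEvent ships with Windows 7).
$provider = 'Microsoft-Windows-GroupPolicy'
$opLog    = 'Microsoft-Windows-GroupPolicy/Operational'
$since    = (Get-Date).AddDays(-7)   # assumed look-back window

# 1. Group Policy events in the System log, newest first.
$sysEvents = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = $provider; StartTime = $since
    } -ErrorAction SilentlyContinue)

# Count by level and event ID: good news and bad news side by side.
$sysEvents | Group-Object LevelDisplayName, Id |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 2. Most recent problem event (Level 1 = Critical, 2 = Error, 3 = Warning).
$failure = $sysEvents |
    Where-Object { $_.Level -ge 1 -and $_.Level -le 3 } |
    Select-Object -First 1

if (-not $failure) {
    'No Group Policy warnings or errors in the System log since {0}.' -f $since
}
else {
    $failure | Format-List TimeCreated, Id, LevelDisplayName, Message

    # 3. Pull the matching steps from the Operational log.
    if ($failure.ActivityId) {
        # Events from one processing cycle share a correlation ActivityID.
        $xpath = "*[System/Correlation/@ActivityID='{$($failure.ActivityId)}']"
        $trace = Get-WinEvent -LogName $opLog -FilterXPath $xpath `
                     -ErrorAction SilentlyContinue
    }
    else {
        # Fallback (assumption): the five minutes leading up to the failure.
        $trace = Get-WinEvent -FilterHashtable @{
                LogName   = $opLog
                StartTime = $failure.TimeCreated.AddMinutes(-5)
                EndTime   = $failure.TimeCreated.AddSeconds(1)
            } -ErrorAction SilentlyContinue
    }

    # Oldest first, so the output reads as the sequence before the failure.
    $trace | Sort-Object TimeCreated |
        Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
}
```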

Those are my top locations to inspect when I’m troubleshooting a gnarly Group Policy problem.

Hope this helps you out.
