Although the bulk of Group Policy Processing and Troubleshooting is handled by our Directory Services team, we often collaborate on these issues - mainly when the issue relates to a user logging in and not being presented with their desktop environment as they would expect. Instead they are simply presented with a blank background (usually blue!) with no icons. It's not the dreaded "Blue Screen of Death" - it's a blue screen of, well ... nothing. Usually we will troubleshoot this by turning on debug logging for Group Policies to capture a Userenv.log to figure out if the basic shell (explorer.exe) is even being called.
However, in Windows Vista, the Group Policy engine no longer records information in the userenv.log. Instead, detailed logging of Group Policies can be located using Event Viewer. The log for Group Policy processing can be found in the Event Viewer under Applications and Services Logs\Microsoft\Windows\Group Policy\Operational - a sample is shown below.
As you can see, each of the policy processing events that occur on the client is logged in this Event Viewer channel. This is an administrator-friendly replacement for the userenv.log. When looking at these events in the Event Viewer, there are some event ranges to be aware of:
4000 - 4299: Scenario Start Events
5000 - 5299: Corresponding Success Scenario End Events (scenario start event + 1000)
5300 - 5999
6000 - 6299: Corresponding Warning Scenario End Events (scenario start event + 2000)
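To put these ranges to work, here is an added PowerShell example (not part of the original post) that pairs each scenario start event with its success or warning end event and flags starts that have neither. The function name, the constructed sample records, and the use of the event record's ActivityId property to keep one processing pass separate from another are assumptions of this example.

```powershell
# Added example. Only the ranges listed above are used:
#   4000-4299 scenario start, start+1000 success end, start+2000 warning end.
function Get-GpScenarioOutcome {
    param([Parameter(Mandatory)] [object[]] $Events)

    $ordered = @($Events | Sort-Object TimeCreated)
    foreach ($start in ($ordered | Where-Object { $_.Id -ge 4000 -and $_.Id -le 4299 })) {
        $endIds = ($start.Id + 1000), ($start.Id + 2000)
        # First matching end event at or after the start, within the same activity.
        $end = $ordered | Where-Object {
            $_.ActivityId -eq $start.ActivityId -and
            $_.TimeCreated -ge $start.TimeCreated -and
            $endIds -contains $_.Id
        } | Select-Object -First 1

        # A start with neither end event deserves a closer look: processing may
        # have failed or never finished.
        $outcome = 'NoSuccessOrWarningEnd'
        if ($end) {
            $outcome = if ($end.Id -eq $start.Id + 1000) { 'Success' } else { 'Warning' }
        }
        [pscustomobject]@{
            Started    = $start.TimeCreated
            StartId    = $start.Id
            EndId      = if ($end) { $end.Id } else { $null }
            Outcome    = $outcome
            ActivityId = $start.ActivityId
        }
    }
}

# Constructed sample records (not real log output) so the function runs offline.
$a, $b, $c = 1..3 | ForEach-Object { [guid]::NewGuid() }
$t = [datetime]'2008-03-01T09:00:00'
$sample = @(
    [pscustomobject]@{ Id = 4016; TimeCreated = $t;                ActivityId = $a }
    [pscustomobject]@{ Id = 5016; TimeCreated = $t.AddSeconds(2);  ActivityId = $a }
    [pscustomobject]@{ Id = 4017; TimeCreated = $t.AddSeconds(3);  ActivityId = $b }
    [pscustomobject]@{ Id = 6017; TimeCreated = $t.AddSeconds(9);  ActivityId = $b }
    [pscustomobject]@{ Id = 4001; TimeCreated = $t.AddSeconds(10); ActivityId = $c }
)
Get-GpScenarioOutcome -Events $sample | Format-Table -AutoSize

# Against the live channel on the affected client:
# Get-GpScenarioOutcome -Events (Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' -MaxEvents 500)
```

With the sample records, the first start pairs as Success, the second as Warning, and the third is reported as NoSuccessOrWarningEnd.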
Administrative events relating to Group Policy are still logged in the System Event Log, similar to pre-Windows Vista platforms. The difference is that the event source for the event is now Group Policy instead of USERENV. In Windows Vista, the Group Policy script processing errors are also now logged through the same mechanism as the rest of the Group Policy errors.
And that brings us to the end of this quick post on Group Policy Logging on Windows Vista. Until next time ...