Debugging Group Policy Processing

Group Policy Debug Log Settings

The below article has got information about enabling different debug loggings which are required for troubleshooting various Windows issues.

UserEnv Debug Logging

Userenv logging is useful when troubleshooting group Policy application related issues or User profile related issues.


Enabling Userenv logging in Windows XP

Use Registry Editor to add or to modify the following registry entry:

Subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Entry: UserEnvDebugLevel
Type: REG_DWORD
Value data: 10002 (Hexadecimal)

UserEnvDebugLevel can have the following values:

NONE 0x00000000
NORMAL 0x00000001
VERBOSE 0x00000002
LOGFILE 0x00010000
DEBUGGER 0x00020000

The default value is NORMAL|LOGFILE (0x00010001).

Note To disable logging, select NONE (0x00000000).

You can combine these values. For example, you can combine VERBOSE 0x00000002 and LOGFILE 0x00010000 to get 0x00010002. Therefore, if UserEnvDebugLevel is given a value of 0x00010002, LOGFILE and VERBOSE are both turned on. Combining these values is the same as using an OR statement.

0x00010000 OR 0x00000002 = 0x00010002

Note If you set UserEnvDebugLevel to 0x00030002, the most verbose details are logged in the Userenv.log file.

The log file is written to the %Systemroot%\Debug\UserMode\Userenv.log file. If the Userenv.log file is larger than 300 KB, the file is renamed Userenv.bak, and a new Userenv.log file is created. This action occurs when a user logs on locally or by using Terminal Services, and the Winlogon process starts. However, because the size check only occurs when a user logs on, the Userenv.log file may grow beyond the 300 KB limit.

Although the 300-KB limit cannot be modified, you can set the read-only attribute on the Userenv.bak file, and the Userenv.log file will grow indefinitely. You must only use this method temporarily, remove the read-only attribute on the Userenv.bak file as soon as you are finished troubleshooting.

http://support.microsoft.com/kb/221833

Enabling UserEnv Logging in Windows 7

In Windows 7 GPO processing is performed by a service called “Group Policy Client” .
A log file can be written by the service when implementing the following registry value:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics]
"GPSvcDebugLevel"=dword:00030002

2014-06-03 10_32_11-Registry Editor_GPSvcDebugLevel

The resulting log file will be
%WINDIR%\debug\usermode\gpsvc.log

Group Policy Preference Debug Logging

Sometimes you need to enable additional logging when you are troubleshooting a particular component in Windows. Group Policy Preferences includes the ability to create verbose debug logging for each included client-side extensions. You activate Preference debug logging through Group Policy. Preference debug logging policy settings are located under the Computer Configuration\Policies\Administrative Templates\System\Group Policy node when editing a Group Policy object.

Figure 1 Group Policy Preferences debug logging

You can individually enable each preference client-side extension. Logging and tracing entries provide you with a several configuration options including what type of data to write to the event logs (Informational, Errors, Warnings, or all), enable trace logging and the location of the trace log file, and the size of the file.

Figure 2 Preference Logging and Tracing policy settings

You can configure the location of the trace files; however, keep in mind that file system permissions changed on Server 2008 and Windows Vista. Make sure permissions do not interfere with creating the log file. You’ll notice the default location for all three log files is
%COMMONAPPDATA%\GroupPolicy\Preference\Trace. The variable
%COMMONAPPDATA% is not recognized by Windows, however; it is meaningful to Preference client-side extensions. Preference client-side extensions recognize this variable and expand it according to operating system on which the client-side extension is installed. For Windows Server 2003 and Windows XP, %COMMONAPPDATA% expands to
%SYSTEMDRIVE%\Documents and Settings\All Users\Application Data. The equivalent path for Windows Server 2008 and Windows Vista is %SYSTEMDRIVE%\ProgramData (this folder is hidden by default, but you can manually type the path in Windows Explorer).

http://blogs.technet.com/b/askds/archive/2008/07/18/enabling-group-policy-preferences-debug-logging-using-the-rsat.aspx

Folder Redirection Debug logging

In addition to logging events in the Application Event log, Folder Redirection can provide a detailed log to aid troubleshooting. To create a detailed log file for folder redirection, use the following registry key:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics

Set: FdeployDebugLevel = Reg_DWORD 0x0f

Note The log file can be found at: %windir%\debug\usermode\fdeploy.log

In pre-Vista versions of Windows, doing this will create the diagnostic log file %windir%\Debug\UserMode\fdeploy.log. For Vista, 2008 and Windows 7 however, doing this simply adds more detailed info to the event log.

Netlogon Debug Logging

Netlogon debug logging is useful in troubleshooting many issues. Some of those are mentioned below.

DC Location issues
Account Lockout Issues

The version of Netlogon.dll that has tracing included is installed by default. To enable debug logging, set the debug flag that you want in the registry and restart the service by using the following steps:
1.Start the Regedt32 program.
2.Delete the Reg_SZ value of the following registry entry, create a REG_DWORD value with the same name, and then add the 2080FFFF hexadecimal value.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DBFlag
1.At a command prompt, type net stop netlogon, and then type net start netlogon. This enables debug logging.
2.To disable debug logging, change the data value to 0x0 in the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DBFlag
1.Quit Regedt32.
2.Stop Net Logon, and then restart Net Logon.

Notes  ◦After you restart Net Logon, Net Logon-related activity may be logged to %windir%\debug\netlogon.log.
◦The MaximumLogFileSize registry entry can be used to specify the maximum size of the Netlogon.log file. By default, this registry entry does not exist, and the default maximum size of the Netlogon.log file is 20 MB. When the file reaches 20 MB, it is renamed to Netlogon.bak, and a new Netlogon.log file is created. This registry entry has the following parameters:

Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Value Name: MaximumLogFileSize
Value Type: REG_DWORD
Value Data:
◦On Windows Server 2003-based computers, you can use the following Group Policy to configure the log file size:

\Computer Configuration\Administrative Templates\System\Net Logon\Maximum Log File Size

Note As an alternate method, you can set the dbflag without using the registry. To do this run the following command from a command prompt:

nltest /dbflag:0x2080ffff

Nltest is included as part of Windows Server 2008 and is also available as part of the Support Tools packages on the installation media for Windows Server 2003, Windows XP, and Windows 2000.

After you finish debugging, you can run the nltest /dbflag:0x0 command from a command prompt to reset the debug flag to 0. For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

247811    (http://support.microsoft.com/kb/247811/ ) How domain controllers are located in Windows

189541    (http://support.microsoft.com/kb/189541/ ) Using the checked Netlogon.dll to track account lockouts

http://support.microsoft.com/kb/109626

Leave a Reply

Your email address will not be published. Required fields are marked *