Michiel Elderson
Netflex Blog
Sometimes it’s difficult to troubleshoot Group Policies, particular on a terminal server based environment where a lot of GPO warnings and errors can occur. How do you separate those warning and errors to reflect the issue you are working on? If a GPO error raises an event how will you know which event is triggered by that specific error? With this blog I hope to show you an easy way of filtering events to get a clear list of events related to the error you are troubleshooting.
Step 1; Find the group Policy ActivityID
- Open event viewer and go to Windows Logs – System
- Open the Group Policy warning or error you are working on
- Open the tab details, click “ Friendly view”
- Expand “ System”
- Search for ActivityID and write it down (you will need this ID in step 2)
Step 2; Create a custom view
- Open event viewer
- Right click “Custom Views” and select “Create Custom View”
- Go to the tab “ XML” and select “ Edit query manually” (followed by “yes in the next screen)
- Copy the following query to the Query box
<QueryList><Query Id=”0″ Path=”Application”><Select Path=”Microsoft-Windows-GroupPolicy/Operational”>*[System/Correlation/@ActivityID='{INSERT ACTIVITY ID HERE}’]</Select></Query></QueryList>
- Replace {INSERT ACTIVITY ID HERE} in the above text with the ActivityID from step 1 (don’t remove the brackets!).
- Save the custom filter
- Select your custom view under “Custom views” to show all related events
You will be presented with a list of events regarding to the GPO you are troubleshooting. Keep in mind that the ActivityID is unique and will change when the GPO is rerun.
More about troubleshooting Group policies can be found here
Links:
Bas Wanrooij
Erik van der Spek
Joeri Klaassen
Michiel Elderson
Paul de Jongh
Stefan ten Hoeve
Thomas Boudesteijn
Leave a Comment