Friday, July 27, 2012

Troubleshooting Group Policy by Using Log Files

Because Userenv tracks the Group Policy engine and registry-based Group Policy, it is the most frequently used log file for Group Policy troubleshooting.

To use userenv.log or gpsvc.log (%windir%\debug\usermode\UserEnv.log, or gpsvc.log in Windows 7), you first need to enable verbose logging.

To enable verbose logging
  1. Log on to the client computer as the administrator and run Regedit.
  2. Locate the following key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.
  3. Right-click Winlogon, select New, and then click DWORD Value.
  4. Enter the following name for the DWORD Value: UserEnvDebugLevel.
  5. Enter 30002 (see description below) as the hexadecimal value. This writes the Userenv output to userenv.log, located in the %windir%\debug\usermode directory.
  6. Run "gpupdate /force" to get a full listing of total Group Policy processing, and restart the machine.

-------------------------------------------------

Use Registry Editor to add or to modify the following registry entry:
Subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Entry: UserEnvDebugLevel
Type: REG_DWORD
Value data: 10002 (Hexadecimal)
UserEnvDebugLevel can have the following values:
NONE 0x00000000
NORMAL 0x00000001
VERBOSE 0x00000002
LOGFILE 0x00010000
DEBUGGER 0x00020000
The default value is NORMAL|LOGFILE (0x00010001).

Note: To disable logging, select NONE (0x00000000).

You can combine these values. For example, you can combine VERBOSE 0x00000002 and LOGFILE 0x00010000 to get 0x00010002. Therefore, if UserEnvDebugLevel is given a value of 0x00010002, LOGFILE and VERBOSE are both turned on. Combining these values is the same as using an OR statement.
0x00010000 OR 0x00000002 = 0x00010002
Note: If you set UserEnvDebugLevel to 0x00030002, the most verbose details are logged in the Userenv.log file.

The log file is written to the %Systemroot%\Debug\UserMode\Userenv.log file. If the Userenv.log file is larger than 300 KB, the file is renamed Userenv.bak, and a new Userenv.log file is created. This action occurs when a user logs on locally or by using Terminal Services, and the Winlogon process starts. However, because the size check only occurs when a user logs on, the Userenv.log file may grow beyond the 300 KB limit.

Although the 300-KB limit cannot be modified, you can set the read-only attribute on the Userenv.bak file, and the Userenv.log file will then grow indefinitely. Use this method only temporarily: remove the read-only attribute on the Userenv.bak file as soon as you are finished troubleshooting.
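
The registry steps, the flag arithmetic and the cleanup described above can be scripted. The following PowerShell is an added example, not part of the original post; the function names and the $Flags table are illustrative, and it assumes an elevated session and the Userenv.log location given above.

```powershell
# Added example; function names and $Flags are illustrative, not from the original post.
$Key    = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Name   = 'UserEnvDebugLevel'
$Flags  = [ordered]@{ NORMAL  = 0x00000001; VERBOSE  = 0x00000002
                      LOGFILE = 0x00010000; DEBUGGER = 0x00020000 }
$LogDir = Join-Path $env:SystemRoot 'Debug\UserMode'

function ConvertFrom-UserEnvDebugLevel([int]$Value) {
    # Decode the DWORD into the flag names listed in the post.
    if ($Value -eq 0) { return 'NONE' }
    ($Flags.Keys | Where-Object { $Value -band $Flags[$_] }) -join '|'
}

function Get-UserEnvDebugLevel {
    $p = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 0x00010001 }   # value absent: the default the post states
    [int]$p.$Name
}

function Set-UserEnvDebugLevel([int]$Value) {
    # Needs an elevated session; -Force overwrites an existing value.
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Get-UserEnvLogStatus {
    # Report the active level plus the two conditions the post warns about:
    # a log past the 300 KB rotation size and a read-only Userenv.bak blocking rotation.
    $log   = Get-Item (Join-Path $LogDir 'Userenv.log') -ErrorAction SilentlyContinue
    $bak   = Get-Item (Join-Path $LogDir 'Userenv.bak') -ErrorAction SilentlyContinue
    $level = Get-UserEnvDebugLevel
    [pscustomobject]@{
        Level            = '0x{0:X8}' -f $level
        Flags            = ConvertFrom-UserEnvDebugLevel $level
        LogKB            = if ($log) { [math]::Round($log.Length / 1KB) } else { 0 }
        OverRotationSize = [bool]($log -and $log.Length -gt 300KB)
        BakReadOnly      = [bool]($bak -and $bak.IsReadOnly)
    }
}

function Restore-UserEnvLogging {
    # Undo the troubleshooting state: default level, and Userenv.bak writable so rotation resumes.
    Set-UserEnvDebugLevel 0x00010001
    $bak = Join-Path $LogDir 'Userenv.bak'
    if (Test-Path $bak) { Set-ItemProperty -Path $bak -Name IsReadOnly -Value $false }
}

Get-UserEnvLogStatus                  # read-only check of the current state
# Set-UserEnvDebugLevel 0x00030002    # most verbose setting, per the post
# Restore-UserEnvLogging              # run when troubleshooting is finished
```

Running Get-UserEnvLogStatus across clients is a quick way to find machines where verbose logging or a read-only Userenv.bak was left in place after troubleshooting.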