
Friday, July 27, 2012

Troubleshooting Group Policy by Using Log Files

Because Userenv tracks the Group Policy engine and registry-based Group Policy, it is the most frequently used log file for Group Policy troubleshooting.

To use userenv.log (%windir%\debug\usermode\UserEnv.log), or gpsvc.log in Windows 7, you first need to enable verbose logging.

To enable verbose logging
  1. Log onto the client computer as the administrator and run Regedit.
  2. Locate the following key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.
  3. Right click Winlogon, select New, and then click DWORD Value.
  4. Enter the following name for the DWORD Value: UserEnvDebugLevel.
  5. Enter 30002 (see description below) as the hexadecimal value. This writes the Userenv output to userenv.log, located in the %windir%\debug\usermode directory.
  6. Run "gpupdate /force" to ensure a full listing of total Group Policy processing and restart the machine.

-------------------------------------------------

Use Registry Editor to add or to modify the following registry entry:
Subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Entry: UserEnvDebugLevel
Type: REG_DWORD
Value data: 10002 (Hexadecimal)
UserEnvDebugLevel can have the following values:
NONE 0x00000000
NORMAL 0x00000001
VERBOSE 0x00000002
LOGFILE 0x00010000
DEBUGGER 0x00020000
The default value is NORMAL|LOGFILE (0x00010001).

Note: To disable logging, select NONE (0x00000000).

You can combine these values. For example, you can combine VERBOSE 0x00000002 and LOGFILE 0x00010000 to get 0x00010002. Therefore, if UserEnvDebugLevel is given a value of 0x00010002, LOGFILE and VERBOSE are both turned on. Combining these values is the same as using an OR statement.
0x00010000 OR 0x00000002 = 0x00010002
Note: If you set UserEnvDebugLevel to 0x00030002, the most verbose details are logged in the Userenv.log file.

The log file is written to the %Systemroot%\Debug\UserMode\Userenv.log file. If the Userenv.log file is larger than 300 KB, the file is renamed Userenv.bak, and a new Userenv.log file is created. This action occurs when a user logs on locally or by using Terminal Services, and the Winlogon process starts. However, because the size check only occurs when a user logs on, the Userenv.log file may grow beyond the 300 KB limit.

Although the 300-KB limit cannot be modified, you can set the read-only attribute on the Userenv.bak file, and the Userenv.log file will then grow indefinitely. Use this method only temporarily, and remove the read-only attribute from the Userenv.bak file as soon as you have finished troubleshooting.
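The registry steps and the flag table above can be scripted so that the previous setting is recorded and put back once troubleshooting is over. This is an added example, not part of the original post; the function names are hypothetical, and the registry functions assume an elevated PowerShell session.

```powershell
# Added example. Function names are hypothetical; flag values are those listed in the post.
$WinlogonKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName   = 'UserEnvDebugLevel'
$DebugFlags  = [ordered]@{
    NORMAL   = 0x00000001
    VERBOSE  = 0x00000002
    LOGFILE  = 0x00010000
    DEBUGGER = 0x00020000
}

# Turn a DWORD into the flag names it contains, reporting bits the table does not define.
function ConvertFrom-UserEnvDebugLevel {
    param([int]$Value)
    if ($Value -eq 0) { return 'NONE' }
    $known = 0
    $names = @(foreach ($name in $DebugFlags.Keys) {
        $known = $known -bor $DebugFlags[$name]
        if ($Value -band $DebugFlags[$name]) { $name }
    })
    $unknown = $Value -band (-bnot $known)
    if ($unknown) { $names += ('UNKNOWN(0x{0:X})' -f $unknown) }
    $names -join '|'
}

# Write the new level and return the previous one ($null means the entry did not exist).
function Set-UserEnvDebugLevel {
    param([int]$Value)
    $previous = (Get-ItemProperty -Path $WinlogonKey -Name $ValueName `
                    -ErrorAction SilentlyContinue).$ValueName
    New-ItemProperty -Path $WinlogonKey -Name $ValueName -PropertyType DWord `
        -Value $Value -Force | Out-Null
    $previous
}

# Put the machine back the way it was before troubleshooting.
function Restore-UserEnvDebugLevel {
    param($Previous)
    if ($null -eq $Previous) { Remove-ItemProperty -Path $WinlogonKey -Name $ValueName }
    else { Set-ItemProperty -Path $WinlogonKey -Name $ValueName -Value $Previous }
}

# Decoding needs no privileges: the value from step 5 and the one from the table.
ConvertFrom-UserEnvDebugLevel 0x30002
ConvertFrom-UserEnvDebugLevel 0x10002

# From an elevated prompt (not run here):
#   $old = Set-UserEnvDebugLevel 0x30002
#   gpupdate /force        # then reproduce the problem and read the log
#   Restore-UserEnvDebugLevel $old
```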

    Tuesday, October 18, 2011

    Could not load file or assembly 'Microsoft.SqlServer.Sqm ...

    When you try to run SQL 2008 Management Studio on Windows 2008 R2 x64 you receive this error:

    Microsoft SQL Server Management Studio
    Cannot show requested dialog.

    Could not load file or assembly 'Microsoft.SqlServer.Sqm, Version=10.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91' or one of its dependencies. The module was expected to contain an assembly manifest. (SqlMgmt)

    Solution:

    Copy the file Microsoft.SqlServer.Sqm.dll from
    C:\Program Files\Microsoft SQL Server\100\Shared to the folders
    C:\Program Files\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE and
    C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE.

    Wednesday, March 9, 2011

    Find Objects In Active Directory

    My Network Places -> Network Tasks: Search Active Directory,
    or
    from the command line: rundll32 dsquery,OpenQueryWindow

    Active Directory Schema snap-in


    Notice that the Active Directory Schema snap-in is not available to add. The Active Directory
    Schema snap-in is installed with the Active Directory Domain Services role with the
    RSAT, but it is not registered, so it does not appear.

    At the command prompt, type the regsvr32.exe schmmgmt.dll command.

    Monday, February 28, 2011

    Hidden command prompt in Windows Server 2008 installation

    One reason why Windows Server 2008’s install is easy to use is because it is based on a MINWINPC (Mini PC) bootable environment, similar to the Windows PE environment. This means that a number of environment tools are available to the installation environment. Once the Windows manager is loaded, you can access this command prompt by pressing [Shift][F10].

    Net Helpmsg for Windows Error 0xABCDEFGH

    Suppose you get error 0x80070652 from an installer:

    >net helpmsg 0x80070652
    The syntax of this command is:
    NET HELPMSG message#

    It doesn’t support hex. You need to take the last 4 digits "0652" from 0x80070652, convert it to decimal "1618" and:
    C:\>net helpmsg 1618
    Another installation is already in progress. Complete that installation before proceeding with this install.
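The "last 4 digits" shortcut works for 0x80070652 because its facility field is 7 (FACILITY_WIN32), which means the low 16 bits carry a Win32 error code. The added example below (not from the original post; ConvertFrom-HResult is a hypothetical name) goes slightly beyond the post by splitting any HRESULT into its fields and only offering a net helpmsg number when that holds.

```powershell
# Added example. ConvertFrom-HResult is a hypothetical helper name.
function ConvertFrom-HResult {
    param([Parameter(Mandatory = $true)][string]$HResult)

    # Convert.ToUInt32 with base 16 accepts an optional 0x prefix.
    # Widen to Int64 so the shifts and masks below never see a negative number.
    $value    = [int64][Convert]::ToUInt32($HResult, 16)
    $failure  = [bool](($value -shr 31) -band 1)       # bit 31: severity
    $facility = [int](($value -shr 16) -band 0x7FF)    # bits 16-26: facility
    $code     = [int]($value -band 0xFFFF)             # bits 0-15: code

    # Only FACILITY_WIN32 (7) wraps a Win32 error code that net helpmsg understands.
    $isWin32 = ($facility -eq 7)

    [pscustomobject]@{
        HResult    = '0x{0:X8}' -f $value
        Failure    = $failure
        Facility   = $facility
        Code       = $code
        NetHelpMsg = if ($isWin32) { "net helpmsg $code" } else { $null }
        Message    = if ($isWin32) {
                         (New-Object System.ComponentModel.Win32Exception -ArgumentList $code).Message
                     } else { $null }
    }
}

# The error from the post: facility 7, so the code can be passed to net helpmsg.
ConvertFrom-HResult '0x80070652'

# A well-known HRESULT that is not on the page (REGDB_E_CLASSNOTREG, FACILITY_ITF):
# the low word is not a Win32 error, so no net helpmsg number is offered.
ConvertFrom-HResult '0x80040154'
```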

    Friday, February 25, 2011

    Reload, Transfer or Reload from Master DNS secondary zone?

    Often confusion arises when manually updating the DNS zone.
    Reload, Transfer From Master or Reload from Master - what to choose?
    Open the book "MCTS Exam 70-642: Configuring Windows 2008 Network Infrastructure" at page 201 and carefully read the following:
    "...
    Manually Updating a Secondary Zone
    ...
    • Reload This operation reloads the secondary zone from local storage.
    • Transfer From Master The server hosting the local secondary zone determines whether the serial number in the secondary zone's SOA resource record has expired and then pulls a zone transfer from the master server.
    • Reload From Master This operation performs a zone transfer from the secondary zone's master server regardless of the serial number in the secondary zone's SOA resource record.
    ..."

    Thursday, February 24, 2011

    Wednesday, February 23, 2011

    Managing Active Directory from the command line

    see:



    CSVDE: Import and export Active Directory data using comma-separated format.
    Dsadd: Add users, groups, computers, contacts, and organizational units to Active Directory.
    Dsmod: Modify an existing object of a specific type in the directory. The types of objects that can be modified are: users, groups, computers, servers, contacts, and organizational units.
    Dsrm: Remove objects of the specified type from Active Directory.
    Dsmove: Rename an object without moving it in the directory tree, or move an object from its current location in the directory to a new location within a single domain controller. (For cross-domain moves, use the Movetree command-line tool.)
    Dsquery: Query and find a list of objects in the directory using specified search criteria. Use in a generic mode to query for any type of object or in a specialized mode to query for selected object types. The specific types of objects that can be queried through this command are: computers, contacts, subnets, groups, organizational units, sites, servers and users.
    Dsget: Display selected attributes of specific object types in Active Directory. Attributes of the following object types can be viewed: computers, contacts, subnets, groups, organizational units, servers, sites, and users.
    LDIFDE: Create, modify, and delete directory objects. This tool can also be used to extend the schema, export Active Directory user and group information to other applications or services, and populate Active Directory with data from other directory services.
    Ntdsutil: General purpose Active Directory management tool. Use Ntdsutil to perform database maintenance of Active Directory, to manage single master operations, and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled.

    LDAP Query - Account is locked out

    see:
    HOWTO: Enumerate locked out user accounts using Saved Queries

    Follow these step-by-step instructions to list all currently locked out accounts in a Windows Server 2003 domain:

    1. Log in to a Domain Controller with administrative privileges in the domain and open Active Directory Users & Computers.
    2. Right click Saved Queries and select New > Query.
    3. Give the query a name and optionally a description. Click on Define Query.
    4. Select Custom Search from the drop-down dialogue box.
    5. Click on Advanced and enter this LDAP filter in the query box:

    (&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))

    6. Click on OK twice and the new query appears under the Saved Queries folder in Active Directory Users & Computers.

    Unfortunately, this query selects more than just the accounts shown as 'Account is locked out'.
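The extra results come from accounts whose lockoutTime is still non-zero although the lockout duration has already elapsed; the attribute is only cleared at the next successful logon or when an administrator unlocks the account. The added example below (not from the original post; Test-AccountLockedOut is a hypothetical name, the account records are constructed, and a single domain-wide lockout duration with no fine-grained password policy is assumed) applies that check to the filter's results.

```powershell
# Added example. Test-AccountLockedOut is a hypothetical helper name.
function Test-AccountLockedOut {
    param(
        [long]$LockoutTime,            # lockoutTime attribute: FILETIME, 100-ns ticks since 1601 UTC
        [TimeSpan]$LockoutDuration,    # domain lockout duration; zero = locked until an admin unlocks
        [DateTime]$Now = [DateTime]::UtcNow
    )
    if ($LockoutTime -le 0) { return $false }                    # never locked, or already cleared
    if ($LockoutDuration -eq [TimeSpan]::Zero) { return $true }  # no automatic unlock
    $lockedAt = [DateTime]::FromFileTimeUtc($LockoutTime)
    return ($Now -lt $lockedAt.Add($LockoutDuration))
}

# Constructed sample records standing in for directory results.
# With the ActiveDirectory module (an assumption, it is not mentioned in the post) they would come from:
#   Get-ADUser -LDAPFilter '(&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))' -Properties lockoutTime
#   (Get-ADDefaultDomainPasswordPolicy).LockoutDuration
$now      = [DateTime]::UtcNow
$duration = [TimeSpan]::FromMinutes(30)
$accounts = @(
    [pscustomobject]@{ Name = 'alice'; lockoutTime = $now.AddMinutes(-5).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'bob';   lockoutTime = $now.AddDays(-3).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'carol'; lockoutTime = 0 }
)

# Step 1: what the saved query matches (lockoutTime >= 1): alice and bob.
# Step 2: which of those are still inside the lockout window.
$accounts |
    Where-Object { $_.lockoutTime -ge 1 } |
    Select-Object Name, @{ Name = 'StillLocked'; Expression = {
        Test-AccountLockedOut -LockoutTime $_.lockoutTime -LockoutDuration $duration -Now $now
    } }
```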

    See also:
    Implementing and Troubleshooting Account Lockout
    Account Lockout and Management Tools