Group Policy: Basic troubleshooting steps for beginners

  • Article

First of all, prob  the problem user as much as you can to get the complete issue description. Make sure you get the complete error message and when they receive it. Also, check if the issue get resolved by itself or do they perform any troubleshooting steps. Try to understand the nature of the issue and how frequently it is...Isolate the issue like if it is with a single user or with specific site or with the complete domain. This helps you to identify if the issue is with the Domain controller or the client machine.

Before we get in to the Client Side troubleshooting, we need to validate the GPO whether it is defined correctly for the requirements. Open gpmc and verify the Group policy which is in question. 

Make sure the group policy has all the settings that you are looking for, and it is correctly linked. Below are the tabs that you have to go through.

If all of them looks good, now go to the problematic  client machine. 

Open an elevated command prompt and run below command.

c:\temp\gpresult /h gp.html

Verify the gpresult that you have captured and look for the GPO that we are having issues with, it will give the error why the GPO is not getting applied.

Now, if you have an error in gpresult we can troubleshoot the issue based on that, else

Open event viewer and browse to Application,System event log. The application event log will give you the details on why the group policy update was failing positively,

Once this is done, your next log will be the GP Operational event log, here you can get more detailed information. There are events which has the list of applied GPOs and list of denied GPOs with the reason in it.  

Most of the GPO issues can be resolved using these basic logs. 

Now, if the issue still exists, collect GPSVC log by reproducing the issue. I mean, enable the debug log and restart the machine, or log off and login or run gpupdate /force.  This is to capture the logs with the failure reason. 

There is a nice blog that shows how to enable GPSvc Debug logs: https://blogs.technet.microsoft.com/csstwplatform/2010/11/09/how-to-enable-gpo-logging-on-windows-7-2008-r2/

Make sure you capture the GPSvc log along with all the other logs simultaneously. This will require when you analyse the logs captured. 

Now, for further troubleshooting, along with all the other logs, you can capture Microsoft Network Monitor trace and procmon depends on the issue. 

Back to Top