1
00:00:03,080 --> 00:00:08,570
Now let's say that group policy results or are so B doesn't give you the answers that you need in terms

2
00:00:08,570 --> 00:00:10,430
of figuring out where the problem is.

3
00:00:10,640 --> 00:00:13,370
And, you know, it's not a replication issue.

4
00:00:14,290 --> 00:00:15,580
Where do you go next?

5
00:00:16,560 --> 00:00:20,910
Well, group policy logging is your next step in that troubleshooting cycle.

6
00:00:21,060 --> 00:00:26,280
And this is where you can get some additional information from the client that's processing policy about

7
00:00:26,280 --> 00:00:27,600
what might be going on.

8
00:00:28,500 --> 00:00:33,660
And this can often lead to a solution, if not lead you in the right direction for a solution.

9
00:00:34,620 --> 00:00:37,230
So let's look at what's available in the box.

10
00:00:38,240 --> 00:00:43,880
So there is a number of logs that you can look at on the client to determine what's going on with group

11
00:00:43,880 --> 00:00:44,530
policy.

12
00:00:45,470 --> 00:00:48,260
And it's unfortunately not really consistent.

13
00:00:49,210 --> 00:00:54,730
It will depend a lot on the version of Windows you're on and the client side extension that's doing

14
00:00:54,730 --> 00:00:55,510
the reporting.

15
00:00:56,410 --> 00:01:02,320
But there are essentially three logs that I typically look in when I'm looking for group policy related

16
00:01:02,320 --> 00:01:02,860
events.

17
00:01:03,840 --> 00:01:09,960
The first two are the Windows system and application event logs, and they will provide typically high

18
00:01:09,960 --> 00:01:15,990
level events, in other words, not detailed events about a particular part of group policy processing

19
00:01:15,990 --> 00:01:20,760
or a client side extension that happens to report its data up to those event logs.

20
00:01:21,770 --> 00:01:27,500
By far the most detailed you're going to get is in the group policy operational log, which since Windows

21
00:01:27,500 --> 00:01:31,130
seven and next client versions has delivered more and more detail.

22
00:01:31,250 --> 00:01:36,860
So Windows seven delivered a bunch of detail in the operational log around each step of group policy

23
00:01:36,860 --> 00:01:37,640
processing.

24
00:01:37,760 --> 00:01:44,180
Windows 8.1 and Server 2012 are two and next server versions delivered that much more detail.

25
00:01:45,070 --> 00:01:50,440
And so now, you know, with current versions of Windows, the operational log is a great place to go

26
00:01:50,440 --> 00:01:52,120
to get a view of what's going on.

27
00:01:53,040 --> 00:01:59,040
And as if you'll remember from my previous demo about group policy results or group policy logging.

28
00:01:59,980 --> 00:02:03,700
I showed you that view log option that let you see the step by step.

29
00:02:03,700 --> 00:02:07,450
And that was actually coming out of the group policy operational log.

30
00:02:08,360 --> 00:02:14,360
So lots of details about what's happening during a processing cycle in a really step by step fashion.

31
00:02:15,260 --> 00:02:19,910
So again, not all cases report up to system or application.

32
00:02:20,060 --> 00:02:21,710
So it's kind of hit and miss.

33
00:02:22,690 --> 00:02:26,590
The operational law does provide that step by step logging.

34
00:02:27,480 --> 00:02:33,090
And I would say that the best combination of instrumentation that you can get is from a Windows 8.1

35
00:02:33,090 --> 00:02:42,540
and next client versions like Windows ten or 11 or Server 2012 or to Windows Server 2016, 19 or 2022.

36
00:02:43,440 --> 00:02:48,630
Admin station reporting against a Windows ten or server 2022 client.

37
00:02:49,640 --> 00:02:56,450
So again, you do get a lot of detail out of older Windows clients, but for sure the the instrumentation

38
00:02:56,450 --> 00:03:01,610
and the interpretation of the instrumentation is strongest on those newer versions of the operating

39
00:03:01,610 --> 00:03:02,150
system.

40
00:03:03,080 --> 00:03:07,490
Now, in order to use the operational log, you need to know where it is.

41
00:03:08,440 --> 00:03:10,360
And it's not altogether obvious.

42
00:03:10,390 --> 00:03:16,090
But if you're in the event viewer, it's under this this subtree called applications and services logs.

43
00:03:16,090 --> 00:03:18,220
Microsoft Windows Group policy.

44
00:03:19,140 --> 00:03:21,840
And this kind of shows you where it is in The View.

45
00:03:22,800 --> 00:03:28,350
So you'll see under group policy there's a folder called operational and on the right or in the middle

46
00:03:28,350 --> 00:03:33,060
pane you see all the events and the different things that are going on in the events.

47
00:03:34,080 --> 00:03:39,360
So this is once you find it, it's really your friend when it comes to figuring out what's going on

48
00:03:39,360 --> 00:03:41,610
with group policy during a given cycle.

49
00:03:42,580 --> 00:03:48,220
Let's look a little bit into the operational log and the event logs and see what kind of information

50
00:03:48,220 --> 00:03:49,180
we can get on them.