1
00:00:03,060 --> 00:00:03,650
Okay.

2
00:00:03,660 --> 00:00:08,940
So as I mentioned, the final kind of step in the process of troubleshooting can sometimes be getting

3
00:00:08,940 --> 00:00:14,370
into the group policy trace logs that can be generated by group policy as it's doing its thing.

4
00:00:15,300 --> 00:00:19,350
The tracing is really meant to be used when all other powers have failed.

5
00:00:20,340 --> 00:00:24,270
So RSoP and event logs aren't giving you the data that you need.

6
00:00:24,390 --> 00:00:27,840
You can't find out why group policy isn't being processed.

7
00:00:28,820 --> 00:00:34,850
You've ruled out user error and replication issues, and so tracing is kind of your final step.

8
00:00:35,780 --> 00:00:39,200
And the point here is it's really not for the faint of heart.

9
00:00:40,190 --> 00:00:43,820
It's a very these trace logs are built for developers.

10
00:00:44,740 --> 00:00:50,890
And so, you know, you at the in the best case, you might be able to glean some useful information

11
00:00:50,890 --> 00:00:51,520
out of them.

12
00:00:52,450 --> 00:00:56,530
I have, in fact, solved some problems in the past by using trace logs.

13
00:00:56,740 --> 00:01:01,810
But it's usually maybe one in a hundred times that the trace log will be the thing that solves the problem

14
00:01:01,810 --> 00:01:02,320
for me.

15
00:01:03,280 --> 00:01:06,670
There's really two kinds of tracing or trace log areas.

16
00:01:07,650 --> 00:01:14,700
There's the GP service trace, which used to be called userenv.log in Windows XP and before but now

17
00:01:14,700 --> 00:01:17,010
is called the gpsvc.log.

18
00:01:17,900 --> 00:01:23,210
And it really is the Microsoft trace file for the group policy engine as a whole and all the steps that

19
00:01:23,210 --> 00:01:28,720
it goes through to as far as, you know, group policy core processing phase and then client-side

20
00:01:28,730 --> 00:01:29,780
extension phase.

21
00:01:29,780 --> 00:01:33,470
And then each client-side extension may have some tracing that it provides.

22
00:01:33,470 --> 00:01:35,900
And the example that I'm going to give here is that

23
00:01:36,840 --> 00:01:42,810
group policy preferences includes trace logs for each of the different group policy preferences areas.

24
00:01:43,780 --> 00:01:49,120
And that will provide detailed logging of what's happening when those group policy preferences kick

25
00:01:49,120 --> 00:01:49,480
off.

26
00:01:50,520 --> 00:01:55,500
Some CSEs do provide trace files as well, but they're not really well-documented.

27
00:01:56,440 --> 00:01:58,000
And they're certainly not

28
00:01:58,000 --> 00:02:03,820
all of the Microsoft client-side extensions provide traces, so that can make it a little difficult.

29
00:02:04,780 --> 00:02:10,780
So you can enable the Group Policy Service trace by creating a registry value in the registry under

30
00:02:10,780 --> 00:02:13,000
a key that I've shown up here on the slide.

31
00:02:13,940 --> 00:02:18,830
And it really is a matter of turning it on when you need it and then turning it off when you don't.

32
00:02:19,830 --> 00:02:25,720
Once it's set, the trace log gets created as a file, like I mentioned, called gpsvc.log,

33
00:02:25,740 --> 00:02:26,580
under this folder:

34
00:02:26,580 --> 00:02:27,960
percent windir

35
00:02:27,960 --> 00:02:29,040
percent backslash

36
00:02:29,040 --> 00:02:30,210
debug backslash

37
00:02:30,210 --> 00:02:30,900
usermode.

38
00:02:31,830 --> 00:02:36,600
And what it looks like is pretty much gobbledygook unless you know what you're looking for.

39
00:02:37,570 --> 00:02:41,320
The first thing to note is the number in parentheses is the thread ID.

40
00:02:41,830 --> 00:02:47,140
And why this is important is that you can actually see an example of the fact that group policy runs

41
00:02:47,140 --> 00:02:48,420
on multiple threads.

42
00:02:49,430 --> 00:02:54,950
So if computer processing is happening at the same time that user processing is happening, which is

43
00:02:54,950 --> 00:03:00,830
very possible during a, for example, a gpupdate /force command, you're essentially doing both or

44
00:03:00,830 --> 00:03:02,930
kicking off both at the same time.

45
00:03:03,840 --> 00:03:09,060
It's useful to have the thread ID to know which part of the cycle you're looking at on a given line.

46
00:03:09,980 --> 00:03:15,410
And then there's the time stamp that provides the sort of a time interval between each step of the processing

47
00:03:15,410 --> 00:03:20,240
cycle and the trace file, and it can provide lots of good detail about what's going on.

48
00:03:21,170 --> 00:03:26,930
Now with respect to group policy preferences trace logging, you've got this area under System backslash

49
00:03:26,930 --> 00:03:32,270
Group Policy backslash Logging and tracing that has the option in admin templates to enable trace

50
00:03:32,270 --> 00:03:36,860
logging on a per client-side extension or per group policy preferences area.

51
00:03:37,800 --> 00:03:42,840
And you'll notice that once you enable it, you can set the level of logging, you can turn on or off

52
00:03:42,840 --> 00:03:49,080
tracing, and you can set the location of file system location for both user tracing and computer tracing

53
00:03:49,260 --> 00:03:51,180
as well as RSoP modeling

54
00:03:51,180 --> 00:03:55,860
or planning tracing, which is something that I've actually never even used but is available out

55
00:03:55,860 --> 00:03:56,220
there.

56
00:03:57,220 --> 00:04:02,830
So, you know, this is another kind of tracing specific to group policy preferences that you can take

57
00:04:02,830 --> 00:04:03,640
advantage of.

58
00:04:04,630 --> 00:04:09,280
So let's go ahead and enable some tracing on our system and see what we can see.