In earlier versions of Windows, in-depth analysis of Group Policy processing involved enabling verbose logging (via registry modifications) of the core client engine (implemented as Userenv Dynamic Link Library) and each Client Side Extensions. This resulted in multiple log files. In addition, Userenv was also responsible for a number of non-Group Policy related features, making the troubleshooting process even more cumbersome. Similarly, server side logging — recording events generated by the Group Policy Management Console and Group Policy Editor related actions — had its own group of files and corresponding registry entries that needed to be modified. You can find more detailed information regarding this functionality in the Microsoft Technet article Fixing Group Policy problems by using log files.
In Vista SP1 and Windows Server 2008, inconsistent Userenv and CSE-level logging has been replaced by a new centralized system, with all relevant actions recorded in the System Event Log and Group Policy Operational Log (located in the Application and Services LogsMicrosoftWindowsGroup Policy section of the Windows Event Viewer), with the source identified clearly as “Group Policy”. In addition, the content of each log entry has been supplemented with improved description of the corresponding event as well as, in case of a problem (indicated by the Error or Warning level), with suggestions regarding the most likely causes and potential remediation or resolution methods.
XML-based nodes in each entry designate individual characteristics of each event, such as ActivityID (assigned to each instance of a Group Policy refresh), type of processing (background or foreground, synchronous or asynchronous) or the name of target security principal and participating Active Directory domain controller. This, in turn, facilitates filtering and creation of custom views. You can further simplify your log analysis by taking advantage of GPLogView utility (downloadable from the Microsoft Download Center), which gathers all relevant events from both System and Group Policy Operational Event Logs. A comprehensive collection of troubleshooting information is included in the article Troubleshooting Group Policy Using Event Logs posted on the Microsoft Technet site.
When discussing the client side of Group Policy functionality in Windows Server 2008, it is also important to mention an innovative approach to its local implementation. More specifically, Windows Server 2008 (just like Vista) offers three types of Local Group Policy Objects (present on both stand-alone and domain member servers — but not on domain controllers). These MLGPOs (Multiple Local GPOs) can be assigned to individual users or pre-defined generic user types, which constitutes a significant departure from the approach employed in earlier version of Windows. It is limited to a single instance of Local Group Policy and applicable to all users, regardless of their privileges. As a result, you can define different settings for administrators and non-privileged users, or even separate them further on per user basis. The MLGPOs can be grouped into three categories, listed below in the order in which they are processed:
Configuration of Local Group Policy is handled in the traditional manner by launching Group Policy Object Editor (which can be accomplished simply by running GPEDIT.MSC from the elevated Command Prompt or Run text box). To create or edit other MLGPOs, you must launch a Microsoft Management Console (e.g., by executing MMC within the security context of a privileged account), add the Group Policy Object Editor from the list of available snap-ins, and set its focus on a target user or group by clicking on Browse… command button in the Select Group Policy Object dialog box. Once the Browse for a Group Policy Object window appears, switch to Users tab and choose an appropriate account. Note that this interface also allows you remove or disable any existing MLGPOs. After you have confirmed your choices, you will be presented with the standard Group Policy Object Editor interface from which you simply apply desired settings. Note that it is possible to disable MLGPOs by using Turn Off Local Group Policy Object Processing Group Policy setting residing in the Computer ConfigurationAdministrative TemplatesSystemGroup Policy node.
This concludes our coverage of the client-side Group Policy related enhancements available in Windows Server 2008. In our next article of this series, we will focus on the topics dealing with management of Active Directory-based Group Policies.
Marcin Policht obtained his Master of Computer Science degree about 20 years ago and has been since then working in the Information Technology field, handling variety of responsibilities, but focusing primarily on the areas of identity and access management, virtualization, system management, and, more recently private, hybrid, and public cloud services. He has authored the first book dedicated to Windows Management Instrumentation and co-written several others dealing with subjects ranging from core operating system features to high-availability solutions. His articles have been published on such Web sites as ServerWatch.com and DatabaseJournal.com. For his contributions to the Microsoft technical community, he has been awarded the title of Microsoft MVP over the last ten years.
ServerWatch is a top resource on servers. Explore the latest news, reviews and guides for server administrators now.
Property of TechnologyAdvice. © 2025 TechnologyAdvice. All Rights Reserved
Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.
