Troubleshooting is a bit of an art form. It requires creativity but that creativity needs to be expressed inside certain parameters. Those parameters depend on what is being troubleshot. (Is that really a word?)
There is a TechNet article that has been around for quite a while called Troubleshooting Group Policy Using Event Logs, and it is worth a look. Understanding these events and their meaning will be super helpful in your quest to mastering the art of… well… you get it.
While working on the Windows Server team at Microsoft one of my ‘supah smaht’ colleagues, Rajive, spent a weekend building a simple tool called GPLogView. It is a great tool to check out. It took advantage of Windows Operational Logs and gave quick views into GP Processing. It also provides the ability to monitor a GP Processing cycle in real time. Like the Internet Accessible Refrigerator it was a very cool idea that didn’t get a whole lot of traction! (Bad metaphor?)
I was digging into some demos and content for a presentation I am doing next week at <gratuitous plug> SpiceWorld in Austin Texas </gratuitous plug> and wanted to get to the same data, but of course with PowerShell and in as simple a way as possible. And, you guessed it, it was simple!
Using Get-WinEvent I was able to get right to the Group Policy Operational log and find all events for a given GP processing cycle (ActivityID, also called the Correlation ID). You can use some great PowerShell tricks for formatting output like Format-Table -GroupBy, or Out-GridView. In the end you get a focused view of the information you need to get to the root of your GP processing issue in a flash.
Get-WinEvent -LogName "Microsoft-Windows-GroupPolicy/Operational"
The above is the key. This cmdlet will return all of the events in that log. Warning: it could be a lot! You can see just how many objects will return by piping to Measure-Object (roughly 8200 on my test server).
Where-Object ActivityID -EQ "<GUID>"
Once you have that ActivityID you can dump it in here to limit the output of Get-WinEvent to the single processing cycle. One scenario would be to search the log for an error event, grab the activityID out of that event then return all events from that ActivityID. Evaluating an entire GP Processing cycle can present clues to what is going on in there.
Formatting the output is also interesting. You can use the -GroupBy parameter and choose ‘ActivityID’. I found an interesting issue with this one as when the output is grouped the ‘header’ on the group says ‘ProviderID’ where it is actually the ‘ActivityID’. I think it is a bit of a bug.
One of my favorite formatting tips is Out-GridView. This dumps the output of your cmdlet into a simple UI where you can sort/filter/manipulate in lots of interesting ways.
I’m going to go over some of this during my session at SpiceWorld and believe that session will be recorded. Stay tuned for some more information on this and other topics related to “Managing Group Policy and Active Directory with PowerShell”. While waiting try this and play around with the PowerShell stuff to see what you can find.
Get-WinEvent -LogName "Microsoft-Windows-GroupPolicy/Operational" | Format-Table -GroupBy ActivityID
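Here is the whole workflow from above put together as one script: find the error events, pull the ActivityID out of each one, then retrieve every event from those processing cycles and group them for review. This is an added example, not code from the original post. It assumes you run it on the affected machine as an administrator, that the log name and the ActivityId/Level/TimeCreated properties on the EventLogRecord objects are what Get-WinEvent returns on a current Windows build, and the 24-hour window and the one-line Message trimming are my choices, not anything the post specifies.

```powershell
# Added example (not from the original post). Locate Group Policy
# processing errors, then show the complete processing cycle(s) they
# belong to, grouped by ActivityId.

$LogName = 'Microsoft-Windows-GroupPolicy/Operational'

# Step 1: find the error events. FilterHashtable filters inside the
# event log service, so this is far cheaper than piping the whole log
# (thousands of records) through Where-Object. Level 2 = Error.
# The 24-hour window is an arbitrary choice for this example.
$gpErrors = Get-WinEvent -FilterHashtable @{
    LogName   = $LogName
    Level     = 2
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue   # Get-WinEvent throws when nothing matches

if (-not $gpErrors) {
    Write-Host "No Group Policy error events in the last 24 hours in $LogName"
    return
}

# Step 2: grab the ActivityId (correlation ID) of each error. One
# processing cycle can log several errors, so de-duplicate.
$cycleIds = $gpErrors | Select-Object -ExpandProperty ActivityId -Unique

Write-Host ("{0} error event(s) across {1} processing cycle(s)" -f `
    @($gpErrors).Count, @($cycleIds).Count)

# Step 3: pull every event from those cycles. Get-WinEvent returns
# newest-first, so re-sort into the order things actually happened.
# Some records carry no ActivityId, hence the null check.
$cycles = Get-WinEvent -LogName $LogName |
    Where-Object { $_.ActivityId -and ($cycleIds -contains $_.ActivityId) } |
    Sort-Object ActivityId, TimeCreated

# Step 4: review. Format-Table -GroupBy needs sorted input (done above).
# Only the first line of each Message is shown to keep the table readable;
# drop the calculated property if you want the full text.
$cycles |
    Select-Object TimeCreated, Id, LevelDisplayName, ActivityId,
        @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -GroupBy ActivityId -AutoSize -Wrap

# For interactive sort/filter as described in the post, use Out-GridView instead:
# $cycles | Out-GridView -Title "Group Policy processing cycles with errors"
```

Reading the grouped output top to bottom gives you the timeline of one cycle: the start event, each client-side extension as it runs, the error itself, and the end event. If a cycle that logged an error also contains warnings a few lines earlier, those are usually the real clue.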