15.4. Enabling GPO Client Logging

Problem

You want to troubleshoot GPO processing issues on a client or server by enabling additional logging in the Application event log.

Solution

Using a graphical user interface

  1. Run regedit.exe from the command line or Start Run.

  2. In the left pane, expand HKEY_LOCAL_MACHINE Software Microsoft Windows NT CurrentVersion.

  3. If the Diagnostics key doesn’t exist, right-click on CurrentVersion and select New Key. Enter Diagnostics for the name and hit enter.

  4. Right-click on Diagnostics and select New DWORD value. Enter RunDiagnosticLoggingGroupPolicy for the value name.

  5. In the right pane, double-click on RunDiagnosticLoggingGroupPolicy and enter 1.

  6. Click OK.

Using a command-line interface

> reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics" /v[RETURN] 
"RunDiagnosticLoggingGroupPolicy" /t REG_DWORD /d 1

Using VBScript

' This code enables GPO logging on a target computer
' ------ SCRIPT CONFIGURATION ------
strComputer = "<ComputerName>"  ' e.g. rallen-w2k3
' ------ END CONFIGURATION ---------

const HKLM = &H80000002
strRegKey = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics"
set objReg = GetObject("winmgmts:\\" & strComputer _
                       & "\root\default:StdRegProv")
objReg.SetDwordValue HKLM, strRegKey, "RunDiagnosticLoggingGroupPolicy", 1
WScript.Echo "Enabled GPO logging for " & strComputer

Discussion

If you experience problems with client GPO processing, such as a GPO not getting applied even though you think it should, there aren’t ...

Get Active Directory Cookbook now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.