Active Directory Group Policy

Version 2

    Group Policy Object (System and Application Logs)

    This template assesses the status and overall performance of a Windows Group Policy Object by checking Windows logs for critical events. It sets the state of the application to Down if any errors or warnings related to the Group Policy Object were logged within the last five minutes. In Windows 2003, the Group Policy Object writes events to the application log. In Windows 2008, the Group Policy Object writes events to the system log.

    Prerequisites: WMI access to the target server.

    Credentials: Windows Administrator on the target server.

    This template is based on the following information:
    http://technet.microsoft.com/en-us/library/cc749336(WS.10).aspx.

    Group Policy troubleshooting tips can be found here:
    http://www.chicagotech.net/Security/gp10checklist.htm.

    Monitored Components

    Note: All monitors should return zero values. Returned values other than zero indicate an abnormality. Examining the Windows system and application log files should provide information pertaining to the issue.

    Failed Allocation

    This monitor returns the number of memory allocation failures.

    Type of event: Error. Event ID: 1002.

    DS Bind Failure

    This monitor returns the number of failed attempts to authenticate to Active Directory.

    Type of event: Error. Event ID: 1006.

    Site Query Failure

    This monitor returns the number of failed attempts to query the Active Directory Site using the credentials of the user or computer.

    Type of event: Error. Event ID: 1007.

    GPO Query Failure

    This monitor returns the number of failed attempts to query Group Policy Objects.

    Type of event: Error. Event ID: 1030.

    Computer Role Failure

    This monitor returns the number of failed attempts to determine the role of the computer (i.e., workgroup, domain member, or domain controller).

    Type of event: Error. Event ID: 1052.

    User Name Resolution Failure

    This monitor returns the number of failed attempts to resolve a user name.

    Type of event: Error. Event ID: 1053.

    DC Resolution Failure

    This monitor returns the number of failed attempts to obtain the name of a domain controller.

    Type of event: Error. Event ID: 1054.

    Computer Name Resolution Failure

    This monitor returns the number of failed attempts to resolve a computer name.

    Type of event: Error. Event ID: 1055.

    Policy Read Failure

    This monitor returns the number of failed attempts to read the GPT.INI of a Group Policy Object.

    Type of event: Error. Event ID: 1058.

    WMI Evaluation Failure

    This monitor returns the number of failed attempts to evaluate a WMI filter.

    Type of event: Error. Event ID: 1065.

    GPO Search Failure

    This monitor returns the number of failed attempts to obtain a list of Group Policy Objects.

    Type of event: Error. Event ID: 1079.

    OU Search Failure

    This monitor returns the number of failed attempts to search the Active Directory Organizational Unit hierarchy.

    Type of event: Error. Event ID: 1080.

    CSE Failure Warning

    This monitor returns the number of events when the Group Policy client side extension fails.

    Type of event: Warning. Event ID: 1085.

    Excessive GPO Failure

    This monitor returns the number of events logged when the scope of Group Policy Objects for a computer or user exceeds 999.

    Type of event: Error. Event ID: 1088.

    RSOP Session Failure

    This monitor returns the number of events when a Resultant Set of Policy session fails.

    Type of event: Warning. Event ID: 1089.

    WMI Failure

    This monitor returns the number of events that the Group Policy service logs because of errors with the WMI service.

    Type of event: Warning. Event ID: 1090.

    RSOP CSE Failure

    This monitor returns the number of events logged when the Group Policy client-side extension fails to record Resultant Set of Policy information.

    Type of event: Warning. Event ID: 1091.

    RSOP Failure

    This monitor returns the number of errors that occur while recording Resultant Set of Policy information.

    Type of event: Warning. Event ID: 1095.

    The Group Policy service logs this event when an error occurs while recording Resultant Set of Policy information.

    Registry.pol Failure

    This monitor returns the number of failed attempts to read registry.pol.

    Type of event: Error. Event ID: 1096.

    Computer Token Failure

    This monitor returns the number of failed attempts to read the computer's authentication token.

    Type of event: Error. Event ID: 1097.

    Object Not Found Failure

    This monitor returns the number of failed attempts to locate an Active Directory object.

    Type of event: Error. Event ID: 1101.

    WMI Filter Not Found Warning

    This monitor returns the number of failed attempts to locate an associated WMI filter.

    Type of event: Warning. Event ID: 1104.

    Cross Forest Discovery Failure

    This monitor returns the number of failed attempts to determine if the user and computer belong to the same forest.

    Type of event: Error. Event ID: 1110.

    CSE Synchronous Warning

    This monitor returns the number of events when a Group Policy client side extension requires synchronous policy processing to apply one or more policy settings.

    Type of event: Warning. Event ID: 1112.

    Time Skew Failure

    This monitor returns the number of events that indicate the time on the local computer is not synchronized with the time on the domain controller.

    Type of event: Error. Event ID: 1126.

    DC Connectivity Failure

    This monitor returns the number of events when there is an absence of authenticated connectivity from the computer to the domain controller.

    Type of event: Error. Event ID: 1129.

    Script Failure

    This monitor returns the number of failed attempts to run a script.

    Type of event: Error. Event ID: 1130.
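
The five-minute check described above can be reproduced by hand when a monitor goes Down. This is an added example, not code from the template or its vendor: it reads the log with Get-WinEvent rather than WMI, the function name Get-GpoMonitorState is hypothetical, and the provider name Microsoft-Windows-GroupPolicy is an assumption for Windows 2008 and later (use the Application log and the Userenv source on Windows 2003).

```powershell
# Event IDs and monitor names as listed on this page.
$GpoMonitors = @{
    1002 = 'Failed Allocation';          1006 = 'DS Bind Failure';           1007 = 'Site Query Failure'
    1030 = 'GPO Query Failure';          1052 = 'Computer Role Failure';     1053 = 'User Name Resolution Failure'
    1054 = 'DC Resolution Failure';      1055 = 'Computer Name Resolution Failure'; 1058 = 'Policy Read Failure'
    1065 = 'WMI Evaluation Failure';     1079 = 'GPO Search Failure';        1080 = 'OU Search Failure'
    1085 = 'CSE Failure Warning';        1088 = 'Excessive GPO Failure';     1089 = 'RSOP Session Failure'
    1090 = 'WMI Failure';                1091 = 'RSOP CSE Failure';          1095 = 'RSOP Failure'
    1096 = 'Registry.pol Failure';       1097 = 'Computer Token Failure';    1101 = 'Object Not Found Failure'
    1104 = 'WMI Filter Not Found Warning'; 1110 = 'Cross Forest Discovery Failure'; 1112 = 'CSE Synchronous Warning'
    1126 = 'Time Skew Failure';          1129 = 'DC Connectivity Failure';   1130 = 'Script Failure'
}

function Get-GpoMonitorState {
    param(
        [string]$ComputerName = 'localhost',
        [string]$LogName      = 'System',                         # 'Application' on Windows 2003
        [string]$Provider     = 'Microsoft-Windows-GroupPolicy',  # assumption; 'Userenv' on Windows 2003
        [int]$WindowMinutes   = 5
    )
    # One ID range keeps the server-side query short; the exact IDs are matched below.
    # Level 2 = Error, Level 3 = Warning; timediff() is in milliseconds.
    $ms    = $WindowMinutes * 60000
    $xpath = "*[System[Provider[@Name='$Provider'] and (Level=2 or Level=3) " +
             "and EventID>=1002 and EventID<=1130 and TimeCreated[timediff(@SystemTime) <= $ms]]]"
    try {
        $events = @(Get-WinEvent -ComputerName $ComputerName -LogName $LogName `
                                 -FilterXPath $xpath -ErrorAction Stop)
    } catch {
        # "No events found" is the healthy case; any other error (access denied,
        # host unreachable) must not be reported as Up, so it is rethrown.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') { throw }
        $events = @()
    }
    $counts = @{}
    foreach ($e in $events) {
        if ($GpoMonitors.ContainsKey($e.Id)) { $counts[$e.Id] = 1 + [int]$counts[$e.Id] }
    }
    $perMonitor = foreach ($id in ($GpoMonitors.Keys | Sort-Object)) {
        [pscustomobject]@{ EventId = $id; Monitor = $GpoMonitors[$id]; Count = [int]$counts[$id] }
    }
    [pscustomobject]@{
        State    = if ($counts.Count -gt 0) { 'Down' } else { 'Up' }
        Monitors = $perMonitor
    }
}
# Show only the monitors that fired: (Get-GpoMonitorState).Monitors | Where-Object Count -gt 0
```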

     

    Portions of this document were originally created by and are excerpted from the following sources:

    Microsoft Corporation, “TechNet Library,” Copyright © 2012 Microsoft Corporation.  All rights reserved. Available at

    http://blogs.technet.com/b/gpguru/archive/2008/08/29/troubleshooting-group-policy-using-event-logs.aspx.