GPO troubleshooting using Log files

GPO troubleshooting:

http://social.technet.microsoft.com/wiki/contents/articles/22457.10-common-problems-causing-group-policy-to-not-apply.aspx

https://technet.microsoft.com/en-us/magazine/ccba8171-2b4a-4437-ab45-bbdee8323ee2

In Windows 7 or Windows 2008 R2 or above, one good way of looking at all aspects of Group Policy is via the client’s event log.

  • Open the event log (eventvwr.exe from the search/command box).
  • Open Event Viewer (Local)
  • Open Applications and Services Logs
  • Open Microsoft
  • Open Windows
  • Open GroupPolicy and click on Operational

Events 4016 and 5016 show the start and end of processing of groups of policies, including how long it took to apply each one in the end event.

Event 5312 shows policies that will be applied, and 5317 shows policies that are explicitly filtered out.

Events 8000 and 8001 respectively show the total processing time for computer boot and user boot GP processing, and 8006 and 8007 show the same for interim/periodic GP processing.
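The event IDs described above can be pulled from the Operational log in one pass. The following is an added example, not code from the original post: the function name Get-GPProcessingTimeline and the 500-event window are assumptions, and it relies on all events from one Group Policy processing pass carrying the same ActivityId.

```powershell
# Added example, not from the original post.
$LogName = 'Microsoft-Windows-GroupPolicy/Operational'

# Event IDs and their meaning, as given in the text above.
$Meaning = @{
    4016 = 'Start: processing a group of policies'
    5016 = 'End: processing finished (includes time taken)'
    5312 = 'Policies that will be applied'
    5317 = 'Policies explicitly filtered out'
    8000 = 'Total time: computer boot processing'
    8001 = 'Total time: user boot processing'
    8006 = 'Total time: interim/periodic computer processing'
    8007 = 'Total time: interim/periodic user processing'
}

function Get-GPProcessingTimeline {
    param(
        [int]$MaxEvents = 500   # assumption: covers the last few cycles
    )

    $filter = @{ LogName = $LogName; Id = @($Meaning.Keys) }

    # Get-WinEvent writes an error when no event matches; suppress it and
    # warn instead, so an empty log is reported cleanly.
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents `
        -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Warning "No Group Policy events found in $LogName"
        return
    }

    # Events from one processing pass share an ActivityId: sort on it first,
    # then chronologically inside each pass.
    $events | Sort-Object ActivityId, TimeCreated |
        Select-Object ActivityId, TimeCreated, Id,
            @{ Name = 'Meaning'; Expression = { $Meaning[[int]$_.Id] } },
            Message
}

$timeline = Get-GPProcessingTimeline

# One table per processing pass.
$timeline | Format-Table TimeCreated, Id, Meaning -GroupBy ActivityId -AutoSize

# Full text of the "applied" and "filtered out" lists, to see why a GPO was skipped.
$timeline | Where-Object { 5312, 5317 -contains $_.Id } |
    Format-List TimeCreated, Meaning, Message
```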

How to enable GPO logging on Windows 7 / 2008 R2
It is similar to the User Environment Debug Logging in Windows XP/2003.

Windows 7 / 2008 R2 Group Policy events are located in the Event Viewer, under
\Applications and Services Logs\Microsoft\Windows\GroupPolicy\Operational.

While Windows 7 logs many events to the event log, you sometimes need additional operational information.

Group Policy is processed by the Windows service called “Group Policy Client”. You can enable a detailed diagnostic report for this service via the registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics]
"GPSvcDebugLevel"=dword:00030002

(You need to reboot or restart the service.)

  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
  3. On the Edit menu, point to New, and then click Key.
  4. Type Diagnostics, and then press ENTER.
  5. Right-click the Diagnostics subkey, point to New, and then click DWORD Value.
  6. Type GPSvcDebugLevel, and then press ENTER.
  7. Right-click GPSvcDebugLevel, and then click Modify.
  8. In the Value data box, type 0x00030002, and then click OK.
  9. Exit Registry Editor.
  10. At a command prompt, type the following command, and then press ENTER: gpupdate /force
  11. View the Gpsvc.log file in the following folder: %windir%\debug\usermode

GPO Basics:

1) Structure of a GPO:

A GPO consists of the Group Policy Container (GPC), which exists in Active Directory, and the Group Policy Template (GPT), where the actual content of your GPOs resides.

A third component, known as Client-Side Extensions (CSEs), can be found on client devices and is necessary for them to properly process the Group Policies assigned to them.

ref: http://blogs.technet.com/b/musings_of_a_technical_tam/archive/2012/02/13/understanding-the-structure-of-a-group-policy-object.aspx

2) GPO processing (LSDOU):

ref: http://blogs.technet.com/b/musings_of_a_technical_tam/archive/2012/02/15/understanding-the-structure-of-a-group-policy-object-part-2.aspx

GPO management with PowerShell:

PowerShell – how to translate a GPO GUID to Name?

Get-GPO -Guid "{AD7E3746-7135-496B-A1F5-B5B11871F96F}"

PowerShell – how to list all GPOs?

Get-GPO -all

Get-GPO -all | ft -autosize

Get-GPO -all | out-gridview

PowerShell – how many GPOs?

(get-gpo -all).count
203

PowerShell – how to translate a GPO Name to GUID?

PS Z:\ADGPO management> get-gpo -all | where {$_.id -like "bd9df1be-3663-4cb4-bb71-35f7e27c691f"} | select id,displayname | ft -autosize

Id                                   DisplayName
--                                   -----------
bd9df1be-3663-4cb4-bb71-35f7e27c691f Corporate-A-All-Settings-Restore

Published by jdalbera
