How to retrieve GPO logs from client workstations or laptops

    Question

  • Hi,

    I've created a domain and various test GPO policies. On a client such as Windows Vista, how do I know which new policies are applied after it does a gpupdate /force?

    That is, is there any way I can retrieve the GPO logs that were made for the particular client?
    Monday, March 30, 2009 7:25 AM

All replies

  • Hi Kim Seng,

    You can try a number of ways (aside from programmatically querying the relevant event viewer logs/entries).

    You can use gpresult from the CLI.

    GPRESULT
    http://technet.microsoft.com/en-us/library/bb490915.aspx
    http://technet.microsoft.com/en-us/library/cc733160.aspx

    You can also use RSoP.msc (Resultant Set of Policies). In fact, you can query the RSoP namespace itself (refer to the link below).

    RSoP
    http://technet.microsoft.com/en-us/library/cc778752.aspx
    http://technet.microsoft.com/en-us/library/cc758010.aspx
    http://support.microsoft.com/kb/323276

    Scripting RSoP
    http://www.microsoft.com/technet/scriptcenter/topics/gp/rsop.mspx

    And since you are using Vista, I suggest you look into GPOLogView, a command-line troubleshooting tool that you can use to dump Group Policy–related events logged in the System Event Log channel and the Group Policy Operational Event Log channel. I rely heavily on this tool whenever I do GPO-related troubleshooting.

    Troubleshoot GPO with GPOLogView
    http://technet.microsoft.com/en-us/magazine/dd315424.aspx

    Regards,

    Salvador Manaois III
    MCITP | Enterprise & Server Administrator
    MCSE MCSA MCTS(x5) CIWA C|EH
    My Blog: Bytes and Badz
    Monday, March 30, 2009 8:34 AM
    Moderator
  • Hi Salvador,

    Thanks for the reply. Before I started on this forum, I had actually tried the above and did not achieve what I want.

    Below is my simplified situation.

    1) The AD Administrator makes changes to the GPO and after a while all my clients are updated with the new GPO.

    2) But I want to know the delta, or the changes that were made, between the new and old Group Policies, as the AD Administrator is from another company and does not want to tell me. Is there any way to know what new changes have been applied? The changes can be policies that have been deleted or added.

    Any advice? 

    Monday, March 30, 2009 9:11 AM
  • Hi Kim Seng,

    I suggest you look into GPOLogView as you can group related GPO events (for example, you can group these via unique Activity IDs). You can also try using the tool in "monitor mode" (-m switch, iirc) which allows you to watch what is actually processed and run when you execute a gpupdate on a computer.

    Regards,

    Salvador Manaois III
    MCITP | Enterprise & Server Administrator
    MCSE MCSA MCTS(x5) CIWA C|EH
    My Blog: Bytes and Badz
    Tuesday, March 31, 2009 4:51 AM
    Moderator
  • Hi Salvador,

    I have enabled the command below
    gplogview.exe -m > gplog.txt

    I then made some changes to the domain group policy and did a gpupdate /force on the client.

    And as expected, the only information that I have seen is "List of applicable Group Policy Objects: (Changes were detected)".
    FYI, this is found on the event viewer logs.

    What I need to know is: what are the changes that were made?
    Tuesday, March 31, 2009 5:56 AM
  • Hi Kim Seng,

    Try using the -a switch to filter the events by Activity ID (all events triggered by a GPO update/gpupdate).

    Regards,

    Salvador Manaois III
    MCITP | Enterprise & Server Administrator
    MCSE MCSA MCTS(x5) CIWA C|EH
    My Blog: Bytes and Badz
    Tuesday, March 31, 2009 8:44 AM
    Moderator
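
One way to get at the delta asked about in this thread, using the RSoP namespace query mentioned in the first reply (an added example, not part of any post): snapshot the client's RSoP logging data before and after the policy change and compare the two. It assumes PowerShell 2.0 or later, an elevated prompt, and covers only the GPO list and registry-based (Administrative Template) settings under `root\rsop\computer`; the script and file names are hypothetical.

```powershell
# Added example, not from the thread. Script and file names are hypothetical.
#   .\Get-RsopSnapshot.ps1 -Path before.xml
#   (after the GPO has been changed)   gpupdate /force
#   .\Get-RsopSnapshot.ps1 -Path after.xml -CompareWith before.xml
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [string]$CompareWith,
    [string]$Namespace = 'root\rsop\computer'   # computer-side RSoP logging data
)

$snapshot = @()
$gpoName  = @{}

# GPOs in scope for this computer; a different version number means the GPO was edited.
Get-WmiObject -Namespace $Namespace -Class RSOP_GPO | ForEach-Object {
    $gpoName[$_.id] = $_.name
    $snapshot += New-Object PSObject -Property @{
        Item  = "GPO: $($_.name)"
        State = "version=$($_.version) enabled=$($_.enabled) accessDenied=$($_.accessDenied)"
    }
}

# Winning (precedence 1) registry policy settings and the GPO each one came from.
Get-WmiObject -Namespace $Namespace -Class RSOP_RegistryPolicySetting |
    Where-Object { $_.precedence -eq 1 } | ForEach-Object {
        $data = if ($_.value) { [BitConverter]::ToString($_.value) } else { '' }
        $snapshot += New-Object PSObject -Property @{
            Item  = "REG: $($_.registryKey)\$($_.valueName)"
            State = "type=$($_.valueType) data=$data deleted=$($_.deleted) from=$($gpoName[$_.GPOID])"
        }
    }

if ($snapshot.Count -eq 0) {
    throw "No RSoP data read from $Namespace (is the prompt elevated?)"
}
$snapshot | Export-Clixml -Path $Path

if ($CompareWith) {
    # Rows present in only one snapshot: '<=' is the old state, '=>' the new one.
    $before = @(Import-Clixml -Path $CompareWith)
    Compare-Object -ReferenceObject $before -DifferenceObject $snapshot -Property Item, State |
        Sort-Object Item, SideIndicator |
        Select-Object @{ Name = 'When'
                         Expression = { if ($_.SideIndicator -eq '=>') { 'after' } else { 'before' } } },
                      Item, State |
        Format-Table -AutoSize -Wrap
}
```

A changed setting shows up as a `before` row and an `after` row for the same Item; a setting or GPO that was added or removed appears only once.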