Group Policy Troubleshooting
Logs to look at on a server/workstation
From event viewer
Application log – look for messages from the SceCli source and messages with event ID 1085
Applications and Services Logs\Microsoft\Windows\GroupPolicy\Operational
On the Disk
C:\windows\security\logs\winlogon.log
Things to look at on the DCs
To troubleshoot a specific GPO, open the object and look at the Details tab. There you will find the Unique ID. This is the GUID that names the policy's folder on SYSVOL, so you can use it to find the policy files there. So, for example, for the Default policy you will see something like this
The ID is {171DAE52-FF50-4ECE-820C-3194E1A7D2C0}
On SYSVOL you can find it like this:
For this particular GPO I was trying to find the renaming of the local admin user, and it was at machine\microsoft\windows nt\secedit\gpttmpl.inf
In both the machine and user directories there is a script directory where the scripts for local policy will be located.
Looking at GP objects we determined that GP was not replicating. In Windows 2008 R2, DFSR is the mechanism for doing this.
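One way to confirm from the SYSVOL side that a GPO is not replicating, as an added example that is not part of the original notes: each policy folder holds a GPT.INI whose Version value should be identical on every DC. The DC names and the temp-directory sample are constructed; in practice the roots would be each DC's \\<DC>\SYSVOL\<domain>\Policies share.

```powershell
# Added example. Assumes PowerShell 3.0 or later. DC01/DC02 are hypothetical names.
function Get-GptIniVersion {
    param([string] $PoliciesRoot,   # e.g. \\DC01\SYSVOL\<domain>\Policies
          [string] $GpoId)          # Unique ID from the Details tab, with braces
    $ini  = Join-Path (Join-Path $PoliciesRoot $GpoId) 'GPT.INI'
    $copy = [pscustomobject]@{ Root = $PoliciesRoot; Found = $false
                               Version = $null; User = $null; Computer = $null }
    if (-not (Test-Path -LiteralPath $ini)) { return $copy }
    $hit = Select-String -LiteralPath $ini -Pattern '^\s*Version\s*=\s*(\d+)' |
           Select-Object -First 1
    if ($hit) {
        $v = [uint32] $hit.Matches[0].Groups[1].Value
        $copy.Found    = $true                                # file present with a Version line
        $copy.Version  = $v
        $copy.User     = [uint32] [math]::Floor($v / 65536)   # high 16 bits: user revision
        $copy.Computer = $v % 65536                           # low 16 bits: computer revision
    }
    $copy
}

function Test-GpoSysvolConsistency {
    param([string[]] $PoliciesRoots, [string] $GpoId)
    $copies = @(foreach ($r in $PoliciesRoots) { Get-GptIniVersion $r $GpoId })
    # In sync only if every copy exists and all report the same Version value.
    $seen = @($copies |
              ForEach-Object { if ($_.Found) { "$($_.Version)" } else { 'missing' } } |
              Sort-Object -Unique)
    [pscustomobject]@{ InSync = ($seen.Count -eq 1 -and $seen[0] -ne 'missing')
                       Copies = $copies }
}

# Constructed sample: two fake SYSVOL copies in the temp directory, DC02 one revision behind.
$gpo   = '{171DAE52-FF50-4ECE-820C-3194E1A7D2C0}'   # ID quoted on this page
$base  = Join-Path ([IO.Path]::GetTempPath()) 'sysvol-demo'
$roots = foreach ($dc in @{ DC01 = 196613; DC02 = 196612 }.GetEnumerator()) {
    $root = Join-Path (Join-Path $base $dc.Key) 'Policies'
    $dir  = New-Item -ItemType Directory -Force -Path (Join-Path $root $gpo)
    Set-Content -LiteralPath (Join-Path $dir.FullName 'GPT.INI') `
                -Value "[General]`r`nVersion=$($dc.Value)"
    $root
}
$report = Test-GpoSysvolConsistency -PoliciesRoots $roots -GpoId $gpo
$report.Copies | Format-Table Root, Found, Version, User, Computer -AutoSize
"InSync: $($report.InSync)"
```

A copy that is missing or behind on one DC points at SYSVOL replication rather than at the policy settings themselves.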
Repairing DFSR
http://support.microsoft.com/kb/312862
For DFSR
Dfsrdiag.exe -- it was no help
On domain controllers look at
C:\windows\debug\dfsr00080.log or whatever the current one is
We had errors about a missing AD object, DFSR-GlobalSettings
Which led us to
And then to information about the FRS to DFS Replication migration
http://technet.microsoft.com/en-us/library/dd640019(WS.10).aspx
and the dfsrmig.exe command to do the migration.