Troubleshooting GPO

Q: How do I turn on logging for GPO application?

A: Use Registry Editor to add the following registry value (or modify it, if the value already exists):

Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value: UserEnvDebugLevel
Value Type: REG_DWORD
Value Data: 10002 (Hexadecimal)

UserEnvDebugLevel can have the following values:

NONE 0x00000000
NORMAL 0x00000001
VERBOSE 0x00000002
LOGFILE 0x00010000
DEBUGGER 0x00020000

The default value is NORMAL|LOGFILE (0x00010001).

Note: To disable logging, select NONE (where the value is 0x00000000).

You can also combine the values. For example, you can combine VERBOSE 0x00000002 and LOGFILE 0x00010000 to get 0x00010002. So if UserEnvDebugLevel is set to 0x00010002, both LOGFILE and VERBOSE are turned on. Combining these values is the same as applying a bitwise OR:

0x00010000 OR 0x00000002 = 0x00010002

Note: If you set UserEnvDebugLevel = 0x00030002, the most verbose details are logged in the Userenv.log file.

The log file is written to %Systemroot%\Debug\UserMode\Userenv.log. If Userenv.log exists and is larger than 300 KB, the existing file is renamed to Userenv.bak and a new log file is created.

Source: Microsoft KB
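
The same steps scripted in PowerShell, as an added example that is not part of the original post or the Microsoft KB: it ORs the flag names listed above into the DWORD, decodes an existing value back into names, and writes the result under the Winlogon key. The function names are hypothetical helpers, and the script assumes an elevated session because it writes to HKLM.

```powershell
# Added example: flag names/values are the ones listed on this page; the
# function names are hypothetical helpers, not built-in cmdlets. Run elevated.
$WinlogonKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName   = 'UserEnvDebugLevel'
$DebugFlags  = [ordered]@{
    NORMAL = 0x00000001; VERBOSE = 0x00000002
    LOGFILE = 0x00010000; DEBUGGER = 0x00020000
}

function ConvertTo-UserEnvDebugLevel {
    # OR the named flags together, e.g. VERBOSE, LOGFILE -> 0x00010002.
    param([Parameter(Mandatory)][string[]]
          [ValidateSet('NONE', 'NORMAL', 'VERBOSE', 'LOGFILE', 'DEBUGGER')]$Flag)
    $level = 0
    foreach ($name in $Flag) {
        if ($name -ne 'NONE') { $level = $level -bor $DebugFlags[$name] }
    }
    $level
}

function ConvertFrom-UserEnvDebugLevel {
    # Decode a DWORD back into flag names; bits not in the table are shown in hex.
    param([Parameter(Mandatory)][int]$Level)
    if ($Level -eq 0) { return 'NONE' }
    $names = @(foreach ($name in $DebugFlags.Keys) {
        if ($Level -band $DebugFlags[$name]) { $name; $Level = $Level -bxor $DebugFlags[$name] }
    })
    if ($Level -ne 0) { $names += ('0x{0:X8}' -f $Level) }
    $names -join '|'
}

function Get-UserEnvDebugLevel {
    # Value absent: report the default this page gives, NORMAL|LOGFILE.
    $item = Get-ItemProperty -Path $WinlogonKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0x00010001 }
    [int]$item.$ValueName
}

function Set-UserEnvDebugLevel {
    param([Parameter(Mandatory)][int]$Level)
    New-ItemProperty -Path $WinlogonKey -Name $ValueName -PropertyType DWord -Value $Level -Force | Out-Null
}

$before = Get-UserEnvDebugLevel
$target = ConvertTo-UserEnvDebugLevel -Flag VERBOSE, LOGFILE
Set-UserEnvDebugLevel -Level $target
'was 0x{0:X8} ({1}), now 0x{2:X8} ({3})' -f $before, (ConvertFrom-UserEnvDebugLevel -Level $before),
    $target, (ConvertFrom-UserEnvDebugLevel -Level $target)
```

Once Userenv.log has been collected, `Set-UserEnvDebugLevel -Level $before` puts the previous level back.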
