The debug log Userenv.log (%Systemroot%\Debug\UserMode\Userenv.log) could be used to thoroughly analyze the application of GPO in Windows XP and Windows Server 2003. Using this Group Policy logging, you could track the order and time of applying group policies, find the policies that slow down the booting and solve other GPO related problems.
In Windows 7 (or higher), Microsoft developers decided to stop using Userenv.log as the main debugging tool of GPO processing. The majority of events related to the Group Policy are now available in the Event Viewer (eventvwr) log in Applications and Services Logs –> Microsoft -> Windows -> Group Policy -> Operational. 
The Event 5312 contains the list of policies to be applied and the Event 5317 lists the filtered policies.
However, the events contained in this log are not as detailed as Userenv.log file in Windows XP.
You can also enable a similar debug log of Group Policy Client Service (GPSVC) in Windows 7. This undocumented feature of enabling an extended log of GPO usage is also available in Windows 8, 10 and Windows Server 2008/2012.
You can enable the GPO debug logging in the registry. Create a DWORD parameter with the name GPSvcDebugLevel and the value 00030002 in the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics. (Probably, you will have to create the Diagnostics branch manually)
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics" /v GPSvcDebugLevel /t REG_DWORD /d 0x00030002 /f
Update your policy settings using the command gpupdate /force (or restart the computer if you want to debug the policies applied when booting).
After the restart, Group Policy Client service will record the extended debug information to the file gpsvc.log (WINDIR%\debug\usermode\gpsvc.log)
For reference, here is an piece of gpsvc.log:
..........
GPSVC(3a8.ce8) 12:24:32:494 MaxTimeToWaitForNetwork: 120000ms
GPSVC(3a8.ce8) 12:24:32:494 TimeRemainingToWaitForNetwork: 0ms
GPSVC(3a8.ce8) 12:24:32:494 UserPolicy: Waiting for machine policy wait for network event with timeout 0 ms
GPSVC(3a8.ce8) 12:24:32:541 GPLockPolicySection: Sid = (null), dwTimeout = 30000, dwFlags = 65538
GPSVC(3a8.ce8) 12:24:32:541 LockPolicySection called for user
GPSVC(3a8.ce8) 12:24:32:541 Sync Lock Called
GPSVC(3a8.ce8) 12:24:32:541 Reader Lock got immediately. m_cReadersInLock : 1
GPSVC(3a8.ce8) 12:24:32:541 Lock taken successfully
GPSVC(3a8.ce8) 12:24:32:541 UnLockPolicySection called for user
GPSVC(3a8.ce8) 12:24:32:541 Found the caller in the ReaderHavingLock List. Removing it...
GPSVC(3a8.ce8) 12:24:32:541 Setting lock state as notLocked
GPSVC(3a8.ce8) 12:24:32:541 UnLocked successfully
GPSVC(3a8.ce8) 12:24:32:556 Opened Existing Registry key
GPSVC(3a8.ce8) 12:24:32:556 UncPath :'\\CORP.DOMAIN.COM\SYSVOL'
............
The manual analysis of gpsvc.log is quite time-consuming. A free tool Policy Reporter (http://www.sysprosoft.com/policyreporter.shtml) can make it easier and represent the GPO debug log as a tree grouped by time.
The data from gpsvc.log and the results obtained using GPResult can be used to perform a detailed analysis of applying GPO on the clients.
1 comment
This is a great tip, thanks!
But note that the value of GPSvcDebugLevel should be set to 0x00030002 (HEX)