GPO troubleshooting guide

The Group Policy Results Wizard inside the GPMC produces a Resultant Set of Policy report, the same data gpresult returns, but with a graphical view that lets you drill into specific settings and see which GPO won each conflict.

1. On a machine with the GPMC installed, open it with gpmc.msc.
2. Expand the forest and domain tree, right-click Group Policy Results, and select Group Policy Results Wizard.
3. Click Next, then select the target computer (either "This computer" or "Another computer" by name).
4. Click Next, select the target user, and click Next again.
5. Review the summary and click Next to generate the report, then Finish.

The report opens in three tabs:

• Summary lists applied GPOs, denied GPOs (with the reason), and component status.
• Details shows every setting that took effect and which GPO it came from.
• Policy Events surfaces the Group Policy events from the target machine, so you can correlate failures with specific Event IDs in one place.

This is the most useful native tool for diagnosing precedence and conflict problems, especially when a setting does apply, but from a different GPO than expected.

When the Group Policy Service cannot apply a GPO, it logs the reason in the Event Viewer. Two logs are worth checking on the client.

1. Open the Event Viewer (eventvwr.msc).
2. Navigate to Windows Logs > System and filter by source Group Policy. This is the legacy log.
3. Then navigate to Applications and Services Logs > Microsoft > Windows > GroupPolicy > Operational. This is the modern, detailed log and is usually where the real cause shows up.

Identifying the Group Policy processing instance

Before diving into the operational log, identify the specific instance of Group Policy processing that failed:

1. In Event Viewer, open Windows Logs > System and double-click the Group Policy warning or error event.
2. Select the Details tab and enable Friendly view. Expand the System node.
3. Copy the ActivityID value (without the curly braces). You will use it to create a filtered view.

Creating a custom view for a specific GP instance

Computers, especially Terminal Services hosts, may run multiple simultaneous GP processing instances. Filter the operational log to isolate the one you are troubleshooting:

1. In Event Viewer, right-click Custom Views and select Create Custom View.
2. Go to the XML tab, check Edit query manually, and paste the following query, replacing INSERT ACTIVITY ID HERE with the ActivityID you copied:
Click to copy script
<QueryList> <Query["ff","parent","va","fw_i","type"]">Microsoft-Windows-GroupPolicy/Operational""> <Select> *[System/Correlation/@ActivityID='{INSERT ACTIVITY ID HERE}'] </Select> </Query></QueryList>
3. Save the view with a meaningful name and review the filtered events.

Important: Each gpupdate /force run generates a new ActivityID. Update your custom view after every forced refresh.

Common Event IDs and what they mean

If gpresult says the GPO was filtered out, or if the GPMC results show it was never evaluated, the cause is almost always in the GPO's scope configuration. Walk through these four checks in the GPMC.

1. Is the GPO linked to the right container?

   Select the GPO in the GPMC and review the Scope tab. The Links section lists every OU, site, or domain it is linked to. If the target user or computer is not inside one of those containers, the GPO will not apply.

2. Is the link enabled?

   A link can be disabled without unlinking the GPO. In the Group Policy Inheritance view on the target OU, a disabled link appears greyed out. Right-click the link and confirm Link Enabled is checked.

3. Does security filtering allow the target?

   The Security Filtering list on the Scope tab controls which users and computers the GPO applies to. The target object must be a direct or transitive member of one of the listed principals. Authenticated Users is the safe default; if you removed it and replaced it with a specific group, make sure the target is in that group. You can verify permissions with:

   Click to copy script

   Get-GPPermission -Name "GPOName" -All
4. Is a WMI filter excluding the target?

   A WMI filter on the Scope tab silently excludes machines whose WMI query returns false. Test the filter on the target machine with PowerShell:

   Click to copy script

   Get-WmiObject -Query "<your WMI filter query>"

   If the query returns nothing on the affected machine, the GPO is being filtered out. Update the query or remove the filter if it is no longer needed.

5. Is inheritance being blocked or overridden?

   On the target OU's Group Policy Inheritance tab, check for a blue exclamation mark icon indicating Block Inheritance. A blocked OU ignores all GPOs from parent containers unless the parent GPO is set to Enforced. Conversely, an Enforced GPO on a parent OU overrides Block Inheritance and any conflicting GPOs lower down.

Most user and computer settings refresh automatically every 90 to 120 minutes, but some only apply at logon or startup. After making a change, refresh the policy manually before drawing conclusions.

1. Open Command Prompt as administrator on the target machine.
2. Run gpupdate /force.
3. If the change involves folder redirection, software installation, or drive maps, log off and back on (for user settings) or reboot (for computer settings). These settings apply only at logon or startup and are not picked up by a foreground refresh.
4. Re-run gpresult /r and confirm the GPO now appears under Applied Group Policy Objects.

When Event Viewer events do not provide enough detail, enable Group Policy Service debug logging. This creates a gpsvc.log file with a full trace of GP processing.

Warning: Verbose logging can reduce performance and consume significant disk space. Enable it only when necessary, and disable it when finished.

1. Open Registry Editor and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion.
2. Create a new key named Diagnostics.
3. Inside Diagnostics, create a new DWORD (32-bit) Value named GPSvcDebugLevel and set its value to 30002 (Hexadecimal).
4. Exit Registry Editor and run gpupdate /force.
5. Review the log at %windir%\debug\usermode\gpsvc.log.

   Note: Create the usermode folder under %windir%\debug if it does not already exist.

6. When finished, disable logging:
   Click to copy script

   reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics" /v GPSvcDebugLevel /t REG_DWORD /d "0x00000000" /f

When you are planning a GPO change but have not deployed it yet, or when you need to predict how a user moving between OUs will be affected, the Group Policy Modeling Wizard in the GPMC simulates the result without touching production.

1. In the GPMC, right-click Group Policy Modeling and select Group Policy Modeling Wizard.
2. Choose the domain controller to run the simulation on.
3. Specify the simulated user, computer, security groups, WMI filters, and target OU.
4. Review the summary and run the simulation.

The resulting report mirrors the Group Policy Results report but is based on the hypothetical conditions you entered. It is the safest way to validate a planned policy change before linking it in production.