Find out which Group Policies take forever to complete at boot
In Windows 7, one good way of looking at all aspects of Group Policy is via the client's event log.
- Open the event log (eventvwr.exe from the search/command box).
- Open Event Viewer (Local)
- Open Applications and Services Logs
- Open Microsoft
- Open Windows
- Open GroupPolicy and click on Operational
Events 4016 and 5016 show the start and end of processing of groups of policies, including how long it took to apply each one in the end event.
Event 5312 shows policies that will be applied, and 5317 shows policies that are explicitly filtered out.
Events 8000 and 8001 respectively show the total processing time for computer boot and user boot GP processing, and 8006 and 8007 show the same for interim/periodic GP processing.
One technique is documented here:
How to enable GPO logging on windows 7 /2008 R2
https://blogs.technet.com/b/csstwplatform/archive/2010/11/09/how-to-enable-gpo-logging-on-windows-7-2008-r2.aspx
It is similar to the User Environment Debug Logging in Windows XP/2003.
Click Start , click Run , type regedit , and then click OK .
Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
On the Edit menu, point to New , and then click Key .
Type Diagnostics , and then press ENTER.
Right-click the Diagnostics subkey, point to New , and then click DWORD Value .
Type GPSvcDebugLevel , and then press ENTER.
Right-click GPSvcDebugLevel , and then click Modify .
In the Value data box, type 0x30002 , and then click OK .
Exit Registry Editor.
At a command prompt, type the following command, and then press ENTER:
gpupdate /force
View the Gpsvc.log file in the following folder:
%windir%\debug\usermode
If you are wondering what the hex numbers are on the left, those are thread id's.
If you have multiple domain controllers and a distributed network, pay attention to the domain controller that the GPO is processed from. It's not unusual to pull a GPO from a domain controller that is different from the domain controller that performed authentication, or a domain controller on the other side of the planet.
I have also found that Microsoft Network Monitor 3.4 provides useful information. Typically you would be able to observe each GPO as it is being processed, with a timestamp.