Message

The processing of Group Policy failed because of a system allocation failure. Please ensure the computer is not running low on resources (memory, available disk space). Group Policy processing will be attempted at the next refresh cycle.

Fields

Message

The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

Fields

Message

The processing of Group Policy failed. Windows could not determine the site associated for this computer, which is required for Group Policy processing.

Fields

Message

The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.

Fields

Message

The processing of Group Policy failed. Windows could not determine the role of this computer. Role information (Workgroup, Member Server, or Domain Controller) is required to process Group Policy.

Fields

Message

The processing of Group Policy failed. Windows could not resolve the user name. This could be caused by one of more of the following: 
a) Name Resolution failure on the current domain controller. 
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

Fields

Message

The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.

Fields

Message

The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following: 
a) Name Resolution failure on the current domain controller. 
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

Fields

Message

The processing of Group Policy failed. Windows attempted to read the file %9 from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 
a) Name Resolution/Network Connectivity to the current domain controller. 
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). 
c) The Distributed File System (DFS) client has been disabled.

Fields

Message

The processing of Group Policy failed. Windows could not evaluate the Windows Management Instrumentation (WMI) filter for the Group Policy object %8. This could be caused by RSOP being disabled  or Windows Management Instrumentation (WMI) service being disabled, stopped, or other WMI errors. Make sure the WMI service is started and the startup type is set to automatic. New Group Policy objects or settings will not process until this event has been resolved.

Fields

Message

The processing of Group Policy was interrupted. Windows prematurely ended the discovery and enforcement of Group Policy settings because the computer was requested to shutdown or the user logged off. Group Policy processing will be attempted next refresh cycle, on the next computer reboot, or the next user logon.

Fields

Message

The processing of Group Policy failed. Windows could not obtain the list of Group Policy objects applicable for this computer or user. View the event details for more information.

Fields

Message

The processing of Group Policy failed. Windows could not search the Active Directory organization unit hierarchy. View the event details for more information.

Fields

Message

Windows failed to apply the %8 settings. %8 settings might have its own log file. Please click on the "More information" link.

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd392562(v=ws.10)

Message

The processing of Group Policy failed. Windows attempted to query the list of Group Policy objects and exceeded the maximum limit (999).

Fields

Message

Windows failed to record Resultant Set of Policy (RSoP) information, which describes the scope of Group Policy objects applied to the computer or user. This could be caused by RSOP being disabled or Windows Management Instrumentation (WMI) service being disabled, stopped, or other WMI errors. Group Policy settings successfully applied to the computer or user; however, management tools may not report accurately.

Fields

Message

Windows failed to record Resultant Set of Policy (RSoP) information, which describes the scope of Group Policy objects applied to the computer or user. This could be caused by Windows Management Instrumentation (WMI) service being disabled, stopped, or other WMI errors. Group Policy settings successfully applied to the computer or user; however, management tools may not report accurately.

Fields

Message

Windows could not record  the Resultant Set of Policy (RSoP) information for the Group Policy extension <%8>. Group Policy settings successfully applied to the computer or user; however, management tools may not report accurately.

Fields

Message

Windows encountered an error while recording Resultant Set of Policy (RSoP) information, which describes the scope of Group Policy objects applied to the computer or user. Group Policy settings successfully applied to the computer or user; however, management tools may not report accurately.

Fields

Message

The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object %8. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.

Fields

Message

The processing of Group Policy failed. Windows could not determine the computer account to enforce Group Policy settings. This may be transient. Group Policy settings, including computer configuration, will not be enforced for this computer.

Fields

Message

The processing of Group Policy failed. Windows could not locate the directory object %8. Group Policy settings will not be enforced until this event is resolved. View the event details for more information on this error.

Fields

Message

Windows was unable to read the Windows Management Instrumentation (WMI) filter information associated with the Group Policy object %8.This may be caused by a deleted WMI Filter defined in the domain that is still in use by Group Policy objects. Group Policy settings for this Group Policy object will not be enforced. Other Group Policy objects may still apply. Windows will attempt to retrieve this information at the next policy cycle. This specific problem may be resolved by identifying all GPOs that reference the WMI filter and removing the references. Contact an administrator if this event recurs for several hours.

Fields

Message

The user account is in a different forest than the computer account. The processing of Group Policy from another forest is not allowed. Group Policy will be processed using Loopback Replace mode. The scope of the user policy settings will be determined by the location of the computer object in Active Directory. The settings will be acquired from the User Configuration of these policies.

Fields

Message

The processing of Group Policy failed. Windows could not determine if the user and computer accounts are in the same forest. Ensure the user domain name matches the name of a trusted domain that resides in the same forest as the computer account.

Fields

Message

The Group Policy Client Side Extension %8 was unable to apply one or more settings because the changes must be processed before system startup or user logon. The system will wait for Group Policy processing to finish completely before the next startup or logon for this user, and this may result in slow startup and boot performance.

Fields

Message

The processing of Group Policy failed because of an internal system error. Please see the Group Policy operational log for the specific error message. An attempt will be made to process Group Policy again at the next refresh cycle.

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc727321(v=ws.10)

Message

Windows was unable to determine whether new Group Policy settings defined by a network administrator should be enforced for this user or computer because this computer's clock is not synchronized with the clock of one of the domain controllers for the domain. Because of this issue, this computer system may not be in compliance with the network administrator?s requirements, and users of this system may not be able to use some functionality on the network. Windows will periodically attempt to retry this operation, and it is possible that either this system or the domain controller will correct the time settings without intervention by an administrator, so the problem will be corrected. 

If this issue persists for more than an hour, checking the local system's clock settings to ensure they are accurate and are synchronized with the clocks on the network's domain controllers is one way to resolve this problem. A network administrator may be required to resolve the issue if correcting the local time settings does not address the problem.

Fields

Message

The processing of Group Policy failed due to an internal error. Please look into the Group Policy operational log for the specific error message. An attempt will be made to process Group Policy again at the next refresh cycle.

Fields

Message

The Group Policy Client Side Extension %3 may have caused the Group Policy Service to terminate unexpectedly. To prevent further failures in the Group Policy Service, this extension has been temporarily disabled until after the next system restart. Group Policy settings managed by this extension may no longer be enforced until the system is restarted. The vendor of this extension should be contacted if this issue recurs.

Fields

Message

The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.

Fields

Example Event

system:
  provider: Microsoft-Windows-GroupPolicy
  guid: AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9
  event_source_name: ''
  event_id: 1129
  version: 0
  level: 2
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-07T16:57:06.407574+00:00'
  event_record_id: 1271
  correlation:
    ActivityID: B87F014A-16D6-49C2-8037-BBF193577383
  execution:
    process_id: 1352
    thread_id: 2676
  channel: System
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-21-2121334350-1110938707-2888912545-500
event_data:
  SupportInfo1: 1
  SupportInfo2: 2044
  ProcessingMode: 1
  ProcessingTimeInMilliseconds: 4078
  ErrorCode: 1222
  ErrorDescription: 'The network is not present or not started. '
message: ''

References

• Microsoft Learn https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/netlogon-event-id-5719-or-group-policy-event-1129
• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

%5 failed. 
	GPO Name : %6
	GPO File System Path : %7
	Script Name: %8

Fields

Message

The Group Policy settings for the computer were processed successfully. There were no changes detected since the last successful processing of Group Policy.

Fields

Example Event

system:
  provider: Microsoft-Windows-GroupPolicy
  guid: AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9
  event_source_name: ''
  event_id: 1500
  version: 0
  level: 4
  task: 0
  opcode: 1
  keywords: 9223372036854775808
  time_created: '2023-11-05T22:44:13.952441+00:00'
  event_record_id: 1973
  correlation:
    ActivityID: 73911CA3-27B1-475D-92EC-CBFA1D10EB35
  execution:
    process_id: 1132
    thread_id: 2268
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  SupportInfo1: 1
  SupportInfo2: 4214
  ProcessingMode: 0
  ProcessingTimeInMilliseconds: 156
  DCName: ''
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

The Group Policy settings for the user were processed successfully. There were no changes detected since the last successful processing of Group Policy.

Fields

Example Event

system:
  provider: Microsoft-Windows-GroupPolicy
  guid: AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9
  event_source_name: ''
  event_id: 1501
  version: 0
  level: 4
  task: 0
  opcode: 1
  keywords: 9223372036854775808
  time_created: '2023-11-05T22:28:54.475787+00:00'
  event_record_id: 1832
  correlation:
    ActivityID: 5D6D5E8D-CE04-46CB-BF83-231A8B295C46
  execution:
    process_id: 1860
    thread_id: 4880
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-21-1992711665-1655669231-58201500-1000
event_data:
  SupportInfo1: 1
  SupportInfo2: 4214
  ProcessingMode: 1
  ProcessingTimeInMilliseconds: 734
  DCName: ''
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

The Group Policy settings for the computer were processed successfully. New settings from %6 Group Policy objects were detected and applied.

Fields

Example Event

system:
  provider: Microsoft-Windows-GroupPolicy
  guid: AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9
  event_source_name: ''
  event_id: 1502
  version: 0
  level: 4
  task: 0
  opcode: 1
  keywords: 9223372036854775808
  time_created: '2023-11-05T23:49:58.052759+00:00'
  event_record_id: 2033
  correlation:
    ActivityID: AA63BEC0-3996-4133-A97D-DB5DB9617FF3
  execution:
    process_id: 8540
    thread_id: 9876
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  SupportInfo1: 1
  SupportInfo2: 4195
  ProcessingMode: 0
  ProcessingTimeInMilliseconds: 906
  DCName: ''
  NumberOfGroupPolicyObjects: 1
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

The Group Policy settings for the user were processed successfully. New settings from %6 Group Policy objects were detected and applied.

Fields

Example Event

system:
  provider: Microsoft-Windows-GroupPolicy
  guid: AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9
  event_source_name: ''
  event_id: 1503
  version: 0
  level: 4
  task: 0
  opcode: 1
  keywords: 9223372036854775808
  time_created: '2022-04-07T17:34:38.149825+00:00'
  event_record_id: 1319
  correlation:
    ActivityID: DCA9073D-A053-4D86-A71A-A22443FB751F
  execution:
    process_id: 1352
    thread_id: 1684
  channel: System
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-21-2121334350-1110938707-2888912545-500
event_data:
  SupportInfo1: 1
  SupportInfo2: 4195
  ProcessingMode: 0
  ProcessingTimeInMilliseconds: 671
  DCName: \\WIN-FPV0DSIC9O6.sigma.fr
  NumberOfGroupPolicyObjects: 1
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Starting computer boot policy processing for %2. 
Activity id: %1

Fields

Example Event

system:
  provider: Microsoft-Windows-GroupPolicy
  guid: AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9
  event_source_name: ''
  event_id: 4000
  version: 1
  level: 4
  task: 0
  opcode: 1
  keywords: 4611686018427387904
  time_created: '2023-11-05T22:32:17.280621+00:00'
  event_record_id: 479
  correlation:
    ActivityID: 70C9A908-A206-406D-8A5D-D1CA7FEE9E13
  execution:
    process_id: 1132
    thread_id: 1348
  channel: Microsoft-Windows-GroupPolicy/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  PolicyActivityId: 70C9A908-A206-406D-8A5D-D1CA7FEE9E13
  PrincipalSamName: WORKGROUP\WINDEV2310EVAL$
  IsMachine: 1
  IsDomainJoined: false
  IsBackgroundProcessing: false
  IsAsyncProcessing: true
  IsServiceRestart: false
  ReasonForSyncProcessing: 0
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Starting user logon Policy processing for %2. 
Activity id: %1

Fields

Example Event

system:
  provider: Microsoft-Windows-GroupPolicy
  guid: AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9
  event_source_name: ''
  event_id: 4001
  version: 1
  level: 4
  task: 0
  opcode: 1
  keywords: 4611686018427387904
  time_created: '2023-11-05T22:32:20.905356+00:00'
  event_record_id: 495
  correlation:
    ActivityID: DE67DFB7-B871-42E1-B68C-4175341DA657
  execution:
    process_id: 1132
    thread_id: 3904
  channel: Microsoft-Windows-GroupPolicy/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  PolicyActivityId: DE67DFB7-B871-42E1-B68C-4175341DA657
  PrincipalSamName: WINDEV2310EVAL\User
  IsMachine: 0
  IsDomainJoined: false
  IsBackgroundProcessing: false
  IsAsyncProcessing: true
  IsServiceRestart: false
  ReasonForSyncProcessing: 0
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Starting policy processing due to network state change for computer %2. 
Activity id: %1

Fields

Message

Starting policy processing due to network state change for user %2. 
Activity id: %1

Fields

Message

Starting manual processing of policy for computer %2. 
Activity id: %1

Fields

Example Event

system:
  provider: Microsoft-Windows-GroupPolicy
  guid: AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9
  event_source_name: ''
  event_id: 4004
  version: 1
  level: 4
  task: 0
  opcode: 1
  keywords: 4611686018427387904
  time_created: '2023-11-05T23:49:57.126023+00:00'
  event_record_id: 1152
  correlation:
    ActivityID: AA63BEC0-3996-4133-A97D-DB5DB9617FF3
  execution:
    process_id: 8540
    thread_id: 9876
  channel: Microsoft-Windows-GroupPolicy/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  PolicyActivityId: AA63BEC0-3996-4133-A97D-DB5DB9617FF3
  PrincipalSamName: WORKGROUP\WINDEV2310EVAL$
  IsMachine: 1
  IsDomainJoined: false
  IsBackgroundProcessing: true
  IsAsyncProcessing: false
  IsServiceRestart: false
  ReasonForSyncProcessing: 0
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Starting manual processing of policy for user %2. 
Activity id: %1

Fields

Example Event

system:
  provider: Microsoft-Windows-GroupPolicy
  guid: AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9
  event_source_name: ''
  event_id: 4005
  version: 1
  level: 4
  task: 0
  opcode: 1
  keywords: 4611686018427387904
  time_created: '2022-04-07T17:34:37.483672+00:00'
  event_record_id: 835
  correlation:
    ActivityID: DCA9073D-A053-4D86-A71A-A22443FB751F
  execution:
    process_id: 1352
    thread_id: 1684
  channel: Microsoft-Windows-GroupPolicy/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data:
  PolicyActivityId: DCA9073D-A053-4D86-A71A-A22443FB751F
  PrincipalSamName: SIGMA\Administrator
  IsMachine: 0
  IsDomainJoined: true
  IsBackgroundProcessing: true
  IsAsyncProcessing: false
  IsServiceRestart: false
  ReasonForSyncProcessing: 0
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Starting periodic policy processing for computer %2. 
Activity id: %1

Fields

Example Event

system:
  provider: Microsoft-Windows-GroupPolicy
  guid: AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9
  event_source_name: ''
  event_id: 4006
  version: 1
  level: 4
  task: 0
  opcode: 1
  keywords: 4611686018427387904
  time_created: '2022-04-07T17:39:37.484458+00:00'
  event_record_id: 866
  correlation:
    ActivityID: 2CF6CF52-0A34-47C3-987B-53FCBD5B6234
  execution:
    process_id: 1352
    thread_id: 4040
  channel: Microsoft-Windows-GroupPolicy/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data:
  PolicyActivityId: 2CF6CF52-0A34-47C3-987B-53FCBD5B6234
  PrincipalSamName: SIGMA\WIN-FPV0DSIC9O6$
  IsMachine: 1
  IsDomainJoined: true
  IsBackgroundProcessing: true
  IsAsyncProcessing: false
  IsServiceRestart: false
  ReasonForSyncProcessing: 0
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Starting periodic policy processing for user %2. 
Activity id: %1

Fields

Message

Starting %2 Extension Processing. 

List of applicable Group Policy objects: (%5)

%6

Fields

Example Event

system:
  provider: Microsoft-Windows-GroupPolicy
  guid: AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9
  event_source_name: ''
  event_id: 4016
  version: 0
  level: 4
  task: 0
  opcode: 1
  keywords: 4611686018427387904
  time_created: '2023-11-05T23:49:57.906053+00:00'
  event_record_id: 1165
  correlation:
    ActivityID: AA63BEC0-3996-4133-A97D-DB5DB9617FF3
  execution:
    process_id: 8540
    thread_id: 9876
  channel: Microsoft-Windows-GroupPolicy/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  CSEExtensionId: F3CCC681-B74C-4060-9F26-CD84525DCA2A
  CSEExtensionName: Audit Policy Configuration
  IsExtensionAsyncProcessing: true
  IsGPOListChanged: true
  GPOListStatusString: '%%4102'
  DescriptionString: 'Local Group Policy

    '
  ApplicableGPOList: <GPO ID="Local Group Policy"><Name>Local Group Policy</Name></GPO>
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

%1 
%2

Fields

Example Event

system:
  provider: Microsoft-Windows-GroupPolicy
  guid: AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9
  event_source_name: ''
  event_id: 4017
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2022-04-07T17:39:37.551157+00:00'
  event_record_id: 886
  correlation:
    ActivityID: 2CF6CF52-0A34-47C3-987B-53FCBD5B6234
  execution:
    process_id: 1352
    thread_id: 4040
  channel: Microsoft-Windows-GroupPolicy/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data:
  OperationDescription: '%%4131'
  Parameter: \\sigma.fr\sysvol\sigma.fr\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\gpt.ini
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Starting %2 for %1.

Fields

Message

Running script name %1.

Fields

Message

Group Policy Service started.

Fields

Example Event

system:
  provider: Microsoft-Windows-GroupPolicy
  guid: AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9
  event_source_name: ''
  event_id: 4115
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2023-11-06T06:25:40.340217+00:00'
  event_record_id: 415
  correlation: {}
  execution:
    process_id: 2412
    thread_id: 2516
  channel: Microsoft-Windows-GroupPolicy/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  IsServiceRestart: false
  IsMachineBoot: true
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Started the Group Policy service initialization phase.

Example Event

system:
  provider: Microsoft-Windows-GroupPolicy
  guid: AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9
  event_source_name: ''
  event_id: 4116
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2023-11-06T06:25:40.239882+00:00'
  event_record_id: 414
  correlation: {}
  execution:
    process_id: 2412
    thread_id: 2516
  channel: Microsoft-Windows-GroupPolicy/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data: {}
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Group Policy Session started.

Fields

Example Event

system:
  provider: Microsoft-Windows-GroupPolicy
  guid: AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9
  event_source_name: ''
  event_id: 4117
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2023-11-06T02:02:23.115992+00:00'
  event_record_id: 1272
  correlation: {}
  execution:
    process_id: 21104
    thread_id: 4724
  channel: Microsoft-Windows-GroupPolicy/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  IsMachine: false
  IsBackgroundProcessing: true
  IsAsyncProcessing: false
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Group Policy receiving applicable GPOs from the domain controller.

Fields

Example Event

system:
  provider: Microsoft-Windows-GroupPolicy
  guid: AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9
  event_source_name: ''
  event_id: 4126
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2023-11-05T23:49:57.214177+00:00'
  event_record_id: 1155
  correlation:
    ActivityID: AA63BEC0-3996-4133-A97D-DB5DB9617FF3
  execution:
    process_id: 8540
    thread_id: 9876
  channel: Microsoft-Windows-GroupPolicy/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  IsMachine: true
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Starting to save policies to the local datastore.

Fields

Message

Starting to load policies from the local datastore.

Fields

Message

Starting the first WMI query for the policy.

Fields

Message

Starting to download policies.

Fields

Example Event

system:
  provider: Microsoft-Windows-GroupPolicy
  guid: AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9
  event_source_name: ''
  event_id: 4257
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2022-04-07T17:39:37.495445+00:00'
  event_record_id: 882
  correlation:
    ActivityID: 2CF6CF52-0A34-47C3-987B-53FCBD5B6234
  execution:
    process_id: 1352
    thread_id: 4040
  channel: Microsoft-Windows-GroupPolicy/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data:
  IsMachine: true
  IsBackgroundProcessing: true
  IsAsyncProcessing: true
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Group Policy is trying to discover the Domain Controller information.

Example Event

system:
  provider: Microsoft-Windows-GroupPolicy
  guid: AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9
  event_source_name: ''
  event_id: 4326
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2022-04-07T17:39:37.485405+00:00'
  event_record_id: 872
  correlation:
    ActivityID: 2CF6CF52-0A34-47C3-987B-53FCBD5B6234
  execution:
    process_id: 1352
    thread_id: 4040
  channel: Microsoft-Windows-GroupPolicy/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data: {}
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Completed %3 Extension Processing in %1 milliseconds.

Fields

Example Event

system:
  provider: Microsoft-Windows-GroupPolicy
  guid: AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9
  event_source_name: ''
  event_id: 5016
  version: 0
  level: 4
  task: 0
  opcode: 2
  keywords: 4611686018427387904
  time_created: '2023-11-05T23:49:58.046318+00:00'
  event_record_id: 1166
  correlation:
    ActivityID: AA63BEC0-3996-4133-A97D-DB5DB9617FF3
  execution:
    process_id: 8540
    thread_id: 9876
  channel: Microsoft-Windows-GroupPolicy/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  CSEElaspedTimeInMilliSeconds: 140
  ErrorCode: 2147483658
  CSEExtensionName: Audit Policy Configuration
  CSEExtensionId: F3CCC681-B74C-4060-9F26-CD84525DCA2A
message: ''