Microsoft-Windows-GroupPolicy
177 events across 2 channels
Event ID 1002 — The processing of Group Policy failed because of a system allocation failure.
Event ID 1006 — The processing of Group Policy failed.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SupportInfo1 | UInt32 | — |
| SupportInfo2 | UInt32 | — |
| ProcessingMode | UInt32 | — |
| ProcessingTimeInMilliseconds | UInt32 | — |
| ErrorCode | UInt32 | — |
| ErrorDescription | UnicodeString | — |
| DCName | UnicodeString | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 1006,
"version": 0,
"level": 2,
"task": 0,
"opcode": 1,
"keywords": 9223372036854775808,
"time_created": "2026-02-18T05:29:01.333607+00:00",
"event_record_id": 1666,
"correlation": {
"ActivityID": "29E96F9C-8911-49C3-99BC-065B1FD48E8E"
},
"execution": {
"process_id": 3396,
"thread_id": 2868
},
"channel": "System",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"SupportInfo1": 1,
"SupportInfo2": 6168,
"ProcessingMode": 0,
"ProcessingTimeInMilliseconds": 156,
"ErrorCode": 82,
"ErrorDescription": "Local Error",
"DCName": ""
},
"message": ""
}
Event ID 1007 — The processing of Group Policy failed.
Description
The processing of Group Policy failed. Windows could not determine the site associated for this computer, which is required for Group Policy processing.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SupportInfo1 | UInt32 | — |
| SupportInfo2 | UInt32 | — |
| ProcessingMode | UInt32 | — |
| ProcessingTimeInMilliseconds | UInt32 | — |
| ErrorCode | UInt32 | — |
| ErrorDescription | UnicodeString | — |
| DCName | UnicodeString | — |
Event ID 1030 — The processing of Group Policy failed.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SupportInfo1 | UInt32 | — |
| SupportInfo2 | UInt32 | — |
| ProcessingMode | UInt32 | — |
| ProcessingTimeInMilliseconds | UInt32 | — |
| ErrorCode | UInt32 | — |
| ErrorDescription | UnicodeString | — |
| DCName | UnicodeString | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 1030,
"version": 0,
"level": 2,
"task": 0,
"opcode": 1,
"keywords": 9223372036854775808,
"time_created": "2026-02-12T18:17:33.749779+00:00",
"event_record_id": 1267,
"correlation": {
"ActivityID": "B725C8D9-F151-4EBC-ADFE-2827DEDA46D8"
},
"execution": {
"process_id": 4092,
"thread_id": 12968
},
"channel": "System",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1104"
}
},
"event_data": {
"SupportInfo1": 1,
"SupportInfo2": 3018,
"ProcessingMode": 0,
"ProcessingTimeInMilliseconds": 31,
"ErrorCode": 8341,
"ErrorDescription": "A directory service error has occurred. ",
"DCName": "\\\\LAB-DC01.ludus.domain"
},
"message": ""
}
Event ID 1052 — The processing of Group Policy failed.
Description
The processing of Group Policy failed. Windows could not determine the role of this computer. Role information (Workgroup, Member Server, or Domain Controller) is required to process Group Policy.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SupportInfo1 | UInt32 | — |
| SupportInfo2 | UInt32 | — |
| ProcessingMode | UInt32 | — |
| ProcessingTimeInMilliseconds | UInt32 | — |
| ErrorCode | UInt32 | — |
| ErrorDescription | UnicodeString | — |
Event ID 1053 — The processing of Group Policy failed.
Description
The processing of Group Policy failed. Windows could not resolve the user name. This could be caused by one or more of the following.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SupportInfo1 | UInt32 | — |
| SupportInfo2 | UInt32 | — |
| ProcessingMode | UInt32 | — |
| ProcessingTimeInMilliseconds | UInt32 | — |
| ErrorCode | UInt32 | — |
| ErrorDescription | UnicodeString | — |
Event ID 1054 — The processing of Group Policy failed.
Event ID 1055 — The processing of Group Policy failed.
Description
The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one or more of the following.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SupportInfo1 | UInt32 | — |
| SupportInfo2 | UInt32 | — |
| ProcessingMode | UInt32 | — |
| ProcessingTimeInMilliseconds | UInt32 | — |
| ErrorCode | UInt32 | — |
| ErrorDescription | UnicodeString | — |
Event ID 1058 — The processing of Group Policy failed.
Event ID 1065 — The processing of Group Policy failed.
Event ID 1068 — The processing of Group Policy was interrupted.
Event ID 1079 — The processing of Group Policy failed.
Description
The processing of Group Policy failed. Windows could not obtain the list of Group Policy objects applicable for this computer or user. View the event details for more information.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SupportInfo1 | UInt32 | — |
| SupportInfo2 | UInt32 | — |
| ProcessingMode | UInt32 | — |
| ProcessingTimeInMilliseconds | UInt32 | — |
| ErrorCode | UInt32 | — |
| ErrorDescription | UnicodeString | — |
| DCName | UnicodeString | — |
Event ID 1080 — The processing of Group Policy failed.
Description
The processing of Group Policy failed. Windows could not search the Active Directory organization unit hierarchy. View the event details for more information.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SupportInfo1 | UInt32 | — |
| SupportInfo2 | UInt32 | — |
| ProcessingMode | UInt32 | — |
| ProcessingTimeInMilliseconds | UInt32 | — |
| ErrorCode | UInt32 | — |
| ErrorDescription | UnicodeString | — |
| DCName | UnicodeString | — |
Event ID 1085 — Windows failed to apply the ExtensionName settings.
Description
Windows failed to apply the ExtensionName settings. ExtensionName settings might have its own log file. Please click on the "More information" link.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SupportInfo1 | UInt32 | — |
| SupportInfo2 | UInt32 | — |
| ProcessingMode | UInt32 | — |
| ProcessingTimeInMilliseconds | UInt32 | — |
| ErrorCode | UInt32 | — |
| ErrorDescription | UnicodeString | — |
| DCName | UnicodeString | — |
| ExtensionName | UnicodeString | — |
| ExtensionId | UnicodeString | — |
Event ID 1088 — The processing of Group Policy failed.
Description
The processing of Group Policy failed. Windows attempted to query the list of Group Policy objects and exceeded the maximum limit (999).
Message
Fields
| Name | Type | Description |
|---|---|---|
| SupportInfo1 | UInt32 | — |
| SupportInfo2 | UInt32 | — |
| ProcessingMode | UInt32 | — |
| ProcessingTimeInMilliseconds | UInt32 | — |
| ErrorCode | UInt32 | — |
| ErrorDescription | UnicodeString | — |
| DCName | UnicodeString | — |
Event ID 1089 — Windows failed to record Resultant Set of Policy (RSoP) information, which describes the scope of Group Policy objects applied to the computer or u...
Event ID 1090 — Windows failed to record Resultant Set of Policy (RSoP) information, which describes the scope of Group Policy objects applied to the computer or u...
Event ID 1091 — Windows could not record the Resultant Set of Policy (RSoP) information for the Group Policy extension <.
Event ID 1095 — Windows encountered an error while recording Resultant Set of Policy (RSoP) information, which describes the scope of Group Policy objects applied ...
Event ID 1096 — The processing of Group Policy failed.
Event ID 1097 — The processing of Group Policy failed.
Event ID 1101 — The processing of Group Policy failed.
Event ID 1104 — Windows was unable to read the Windows Management Instrumentation (WMI) filter information associated with the Group Policy object GPOCNName.
Event ID 1109 — The user account is in a different forest than the computer account.
Event ID 1110 — The processing of Group Policy failed.
Event ID 1112 — The Group Policy Client Side Extension ExtensionName was unable to apply one or more settings because the changes must be processed before system startup or u...
Event ID 1125 — The processing of Group Policy failed because of an internal system error.
Event ID 1126 — Windows was unable to determine whether new Group Policy settings defined by a network administrator should be enforced for this user or computer b...
Message
Fields
| Name | Type | Description |
|---|---|---|
| SupportInfo1 | UInt32 | — |
| SupportInfo2 | UInt32 | — |
| ProcessingMode | UInt32 | — |
| ProcessingTimeInMilliseconds | UInt32 | — |
| ErrorCode | UInt32 | — |
| ErrorDescription | UnicodeString | — |
| DCName | UnicodeString | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 1126,
"version": 0,
"level": 2,
"task": 0,
"opcode": 1,
"keywords": 9223372036854775808,
"time_created": "2026-02-15T19:48:55.427011+00:00",
"event_record_id": 1406,
"correlation": {
"ActivityID": "D02B1188-929A-4E97-B63D-48B93E963B5B"
},
"execution": {
"process_id": 6076,
"thread_id": 10716
},
"channel": "System",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"SupportInfo1": 5,
"SupportInfo2": 347,
"ProcessingMode": 0,
"ProcessingTimeInMilliseconds": 47,
"ErrorCode": 2148074276,
"ErrorDescription": "The clocks on the client and server machines are skewed. ",
"DCName": "\\\\LAB-DC01.ludus.domain"
},
"message": ""
}
Event ID 1127 — The processing of Group Policy failed due to an internal error.
Event ID 1128 — The Group Policy Client Side Extension ExtensionName may have caused the Group Policy Service to terminate unexpectedly.
Event ID 1129 — The processing of Group Policy failed because of lack of network connectivity to a domain controller.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SupportInfo1 | UInt32 | — |
| SupportInfo2 | UInt32 | — |
| ProcessingMode | UInt32 | — |
| ProcessingTimeInMilliseconds | UInt32 | — |
| ErrorCode | UInt32 | — |
| ErrorDescription | UnicodeString | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 1129,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2022-04-07T16:57:06.407574+00:00",
"event_record_id": 1271,
"correlation": {
"ActivityID": "B87F014A-16D6-49C2-8037-BBF193577383"
},
"execution": {
"process_id": 1352,
"thread_id": 2676
},
"channel": "System",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"SupportInfo1": 1,
"SupportInfo2": 2044,
"ProcessingMode": 1,
"ProcessingTimeInMilliseconds": 4078,
"ErrorCode": 1222,
"ErrorDescription": "The network is not present or not started. "
},
"message": ""
}
References
- Microsoft Learn: https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/netlogon-event-id-5719-or-group-policy-event-1129
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1130 — SupportInfo2 failed.
Event ID 1500 — The Group Policy settings for the computer were processed successfully.
Description
The Group Policy settings for the computer were processed successfully. There were no changes detected since the last successful processing of Group Policy.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SupportInfo1 | UInt32 | — |
| SupportInfo2 | UInt32 | — |
| ProcessingMode | UInt32 | — |
| ProcessingTimeInMilliseconds | UInt32 | — |
| DCName | UnicodeString | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 1500,
"version": 0,
"level": 4,
"task": 0,
"opcode": 1,
"keywords": 9223372036854775808,
"time_created": "2023-11-05T22:44:13.952441+00:00",
"event_record_id": 1973,
"correlation": {
"ActivityID": "73911CA3-27B1-475D-92EC-CBFA1D10EB35"
},
"execution": {
"process_id": 1132,
"thread_id": 2268
},
"channel": "System",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"SupportInfo1": 1,
"SupportInfo2": 4214,
"ProcessingMode": 0,
"ProcessingTimeInMilliseconds": 156,
"DCName": ""
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1501 — The Group Policy settings for the user were processed successfully.
Description
The Group Policy settings for the user were processed successfully. There were no changes detected since the last successful processing of Group Policy.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SupportInfo1 | UInt32 | — |
| SupportInfo2 | UInt32 | — |
| ProcessingMode | UInt32 | — |
| ProcessingTimeInMilliseconds | UInt32 | — |
| DCName | UnicodeString | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 1501,
"version": 0,
"level": 4,
"task": 0,
"opcode": 1,
"keywords": 9223372036854775808,
"time_created": "2023-11-05T22:28:54.475787+00:00",
"event_record_id": 1832,
"correlation": {
"ActivityID": "5D6D5E8D-CE04-46CB-BF83-231A8B295C46"
},
"execution": {
"process_id": 1860,
"thread_id": 4880
},
"channel": "System",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
}
},
"event_data": {
"SupportInfo1": 1,
"SupportInfo2": 4214,
"ProcessingMode": 1,
"ProcessingTimeInMilliseconds": 734,
"DCName": ""
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1502 — The Group Policy settings for the computer were processed successfully.
Description
The Group Policy settings for the computer were processed successfully. New settings from NumberOfGroupPolicyObjects Group Policy objects were detected and applied.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SupportInfo1 | UInt32 | — |
| SupportInfo2 | UInt32 | — |
| ProcessingMode | UInt32 | — |
| ProcessingTimeInMilliseconds | UInt32 | — |
| DCName | UnicodeString | — |
| NumberOfGroupPolicyObjects | UInt32 | Number of Group Policy objects that were processed |
Example Event
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 1502,
"version": 0,
"level": 4,
"task": 0,
"opcode": 1,
"keywords": 9223372036854775808,
"time_created": "2023-11-05T23:49:58.052759+00:00",
"event_record_id": 2033,
"correlation": {
"ActivityID": "AA63BEC0-3996-4133-A97D-DB5DB9617FF3"
},
"execution": {
"process_id": 8540,
"thread_id": 9876
},
"channel": "System",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"SupportInfo1": 1,
"SupportInfo2": 4195,
"ProcessingMode": 0,
"ProcessingTimeInMilliseconds": 906,
"DCName": "",
"NumberOfGroupPolicyObjects": 1
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
- Windows Forensic Artifacts: https://github.com/Psmths/windows-forensic-artifacts/blob/main/group-policy/evtx-1502-computer-gpo-success.md
Event ID 1503 — The Group Policy settings for the user were processed successfully.
Description
The Group Policy settings for the user were processed successfully. New settings from NumberOfGroupPolicyObjects Group Policy objects were detected and applied.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SupportInfo1 | UInt32 | — |
| SupportInfo2 | UInt32 | — |
| ProcessingMode | UInt32 | — |
| ProcessingTimeInMilliseconds | UInt32 | — |
| DCName | UnicodeString | — |
| NumberOfGroupPolicyObjects | UInt32 | Number of Group Policy objects that were processed |
Example Event
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 1503,
"version": 0,
"level": 4,
"task": 0,
"opcode": 1,
"keywords": 9223372036854775808,
"time_created": "2022-04-07T17:34:38.149825+00:00",
"event_record_id": 1319,
"correlation": {
"ActivityID": "DCA9073D-A053-4D86-A71A-A22443FB751F"
},
"execution": {
"process_id": 1352,
"thread_id": 1684
},
"channel": "System",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"SupportInfo1": 1,
"SupportInfo2": 4195,
"ProcessingMode": 0,
"ProcessingTimeInMilliseconds": 671,
"DCName": "\\\\WIN-FPV0DSIC9O6.lab.local",
"NumberOfGroupPolicyObjects": 1
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
- Windows Forensic Artifacts: https://github.com/Psmths/windows-forensic-artifacts/blob/main/group-policy/evtx-1503-user-gpo-success.md
Event ID 4000 — Starting computer boot policy processing for PrincipalSamName.
Description
Starting computer boot policy processing for PrincipalSamName.
Message
Fields
| Name | Type | Description |
|---|---|---|
| PolicyActivityId | GUID | Activity id. |
| PrincipalSamName | UnicodeString | SAM name of the computer account for which GPO processing was started |
| IsMachine | UInt32 | — |
| IsDomainJoined | Boolean | — |
| IsBackgroundProcessing | Boolean | — |
| IsAsyncProcessing | Boolean | — |
| IsServiceRestart | Boolean | — |
| ReasonForSyncProcessing | UInt32 | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 4000,
"version": 1,
"level": 4,
"task": 0,
"opcode": 1,
"keywords": 4611686018427387904,
"time_created": "2023-11-05T22:32:17.280621+00:00",
"event_record_id": 479,
"correlation": {
"ActivityID": "70C9A908-A206-406D-8A5D-D1CA7FEE9E13"
},
"execution": {
"process_id": 1132,
"thread_id": 1348
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"PolicyActivityId": "70C9A908-A206-406D-8A5D-D1CA7FEE9E13",
"PrincipalSamName": "WORKGROUP\\WINDEV2310EVAL$",
"IsMachine": 1,
"IsDomainJoined": false,
"IsBackgroundProcessing": false,
"IsAsyncProcessing": true,
"IsServiceRestart": false,
"ReasonForSyncProcessing": 0
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
- Windows Forensic Artifacts: https://github.com/Psmths/windows-forensic-artifacts/blob/main/group-policy/evtx-4000-computer-boot-gpo-processing-start.md
Event ID 4001 — Starting user logon Policy processing for PrincipalSamName.
Description
Starting user logon Policy processing for PrincipalSamName.
Message
Fields
| Name | Type | Description |
|---|---|---|
| PolicyActivityId | GUID | Activity id. |
| PrincipalSamName | UnicodeString | SAM name of the user account for which GPO processing was started |
| IsMachine | UInt32 | — |
| IsDomainJoined | Boolean | — |
| IsBackgroundProcessing | Boolean | — |
| IsAsyncProcessing | Boolean | — |
| IsServiceRestart | Boolean | — |
| ReasonForSyncProcessing | UInt32 | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 4001,
"version": 1,
"level": 4,
"task": 0,
"opcode": 1,
"keywords": 4611686018427387904,
"time_created": "2023-11-05T22:32:20.905356+00:00",
"event_record_id": 495,
"correlation": {
"ActivityID": "DE67DFB7-B871-42E1-B68C-4175341DA657"
},
"execution": {
"process_id": 1132,
"thread_id": 3904
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"PolicyActivityId": "DE67DFB7-B871-42E1-B68C-4175341DA657",
"PrincipalSamName": "WINDEV2310EVAL\\User",
"IsMachine": 0,
"IsDomainJoined": false,
"IsBackgroundProcessing": false,
"IsAsyncProcessing": true,
"IsServiceRestart": false,
"ReasonForSyncProcessing": 0
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
- Windows Forensic Artifacts: https://github.com/Psmths/windows-forensic-artifacts/blob/main/group-policy/evtx-4001-user-logon-gpo-processing-start.md
Event ID 4002 — Starting policy processing due to network state change for computer PolicyActivityId.
Description
Starting policy processing due to network state change for computer PolicyActivityId.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Activity_id | — | — |
| PolicyActivityId | GUID | — |
| PrincipalSamName | UnicodeString | — |
| IsMachine | UInt32 | — |
| IsDomainJoined | Boolean | — |
| IsBackgroundProcessing | Boolean | — |
| IsAsyncProcessing | Boolean | — |
| IsServiceRestart | Boolean | — |
| ReasonForSyncProcessing | UInt32 | — |
Event ID 4003 — Starting policy processing due to network state change for user PolicyActivityId.
Description
Starting policy processing due to network state change for user PolicyActivityId.
Message
Fields
| Name | Type | Description |
|---|---|---|
| Activity_id | — | — |
| PolicyActivityId | GUID | — |
| PrincipalSamName | UnicodeString | — |
| IsMachine | UInt32 | — |
| IsDomainJoined | Boolean | — |
| IsBackgroundProcessing | Boolean | — |
| IsAsyncProcessing | Boolean | — |
| IsServiceRestart | Boolean | — |
| ReasonForSyncProcessing | UInt32 | — |
Event ID 4004 — Starting manual processing of policy for computer PrincipalSamName.
Description
Starting manual processing of policy for computer PrincipalSamName.
Message
Fields
| Name | Type | Description |
|---|---|---|
| PolicyActivityId | GUID | Activity id. |
| PrincipalSamName | UnicodeString | SAM name of the computer account for which GPO processing was started |
| IsMachine | UInt32 | — |
| IsDomainJoined | Boolean | — |
| IsBackgroundProcessing | Boolean | — |
| IsAsyncProcessing | Boolean | — |
| IsServiceRestart | Boolean | — |
| ReasonForSyncProcessing | UInt32 | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 4004,
"version": 1,
"level": 4,
"task": 0,
"opcode": 1,
"keywords": 4611686018427387904,
"time_created": "2023-11-05T23:49:57.126023+00:00",
"event_record_id": 1152,
"correlation": {
"ActivityID": "AA63BEC0-3996-4133-A97D-DB5DB9617FF3"
},
"execution": {
"process_id": 8540,
"thread_id": 9876
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"PolicyActivityId": "AA63BEC0-3996-4133-A97D-DB5DB9617FF3",
"PrincipalSamName": "WORKGROUP\\WINDEV2310EVAL$",
"IsMachine": 1,
"IsDomainJoined": false,
"IsBackgroundProcessing": true,
"IsAsyncProcessing": false,
"IsServiceRestart": false,
"ReasonForSyncProcessing": 0
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
- Windows Forensic Artifacts: https://github.com/Psmths/windows-forensic-artifacts/blob/main/group-policy/evtx-4004-computer-manual-gpo-processing-start.md
Event ID 4005 — Starting manual processing of policy for user PrincipalSamName.
Description
Starting manual processing of policy for user PrincipalSamName.
Message
Fields
| Name | Type | Description |
|---|---|---|
| PolicyActivityId | GUID | Activity id. |
| PrincipalSamName | UnicodeString | SAM name of the user account for which GPO processing was started |
| IsMachine | UInt32 | — |
| IsDomainJoined | Boolean | — |
| IsBackgroundProcessing | Boolean | — |
| IsAsyncProcessing | Boolean | — |
| IsServiceRestart | Boolean | — |
| ReasonForSyncProcessing | UInt32 | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 4005,
"version": 1,
"level": 4,
"task": 0,
"opcode": 1,
"keywords": 4611686018427387904,
"time_created": "2022-04-07T17:34:37.483672+00:00",
"event_record_id": 835,
"correlation": {
"ActivityID": "DCA9073D-A053-4D86-A71A-A22443FB751F"
},
"execution": {
"process_id": 1352,
"thread_id": 1684
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"PolicyActivityId": "DCA9073D-A053-4D86-A71A-A22443FB751F",
"PrincipalSamName": "SIGMA\\Administrator",
"IsMachine": 0,
"IsDomainJoined": true,
"IsBackgroundProcessing": true,
"IsAsyncProcessing": false,
"IsServiceRestart": false,
"ReasonForSyncProcessing": 0
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
- Windows Forensic Artifacts: https://github.com/Psmths/windows-forensic-artifacts/blob/main/group-policy/evtx-4005-user-manual-gpo-processing-start.md
Event ID 4006 — Starting periodic policy processing for computer PrincipalSamName.
Description
Starting periodic policy processing for computer PrincipalSamName.
Message
Fields
| Name | Type | Description |
|---|---|---|
| PolicyActivityId | GUID | Activity id. |
| PrincipalSamName | UnicodeString | — |
| IsMachine | UInt32 | — |
| IsDomainJoined | Boolean | — |
| IsBackgroundProcessing | Boolean | — |
| IsAsyncProcessing | Boolean | — |
| IsServiceRestart | Boolean | — |
| ReasonForSyncProcessing | UInt32 | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 4006,
"version": 1,
"level": 4,
"task": 0,
"opcode": 1,
"keywords": 4611686018427387904,
"time_created": "2022-04-07T17:39:37.484458+00:00",
"event_record_id": 866,
"correlation": {
"ActivityID": "2CF6CF52-0A34-47C3-987B-53FCBD5B6234"
},
"execution": {
"process_id": 1352,
"thread_id": 4040
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"PolicyActivityId": "2CF6CF52-0A34-47C3-987B-53FCBD5B6234",
"PrincipalSamName": "SIGMA\\WIN-FPV0DSIC9O6$",
"IsMachine": 1,
"IsDomainJoined": true,
"IsBackgroundProcessing": true,
"IsAsyncProcessing": false,
"IsServiceRestart": false,
"ReasonForSyncProcessing": 0
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4007 — Starting periodic policy processing for user PrincipalSamName.
Description
Starting periodic policy processing for user PrincipalSamName.
Message
Fields
| Name | Type | Description |
|---|---|---|
| PolicyActivityId | GUID | — |
| PrincipalSamName | UnicodeString | — |
| IsMachine | UInt32 | — |
| IsDomainJoined | Boolean | — |
| IsBackgroundProcessing | Boolean | — |
| IsAsyncProcessing | Boolean | — |
| IsServiceRestart | Boolean | — |
| ReasonForSyncProcessing | UInt32 | — |
| Activity_id | — | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 4007,
"version": 1,
"level": 4,
"task": 0,
"opcode": 1,
"keywords": 4611686018427387904,
"time_created": "2026-03-14T01:40:41.526525+00:00",
"event_record_id": 179683,
"correlation": {
"ActivityID": "261F3C8C-5577-42F1-99D9-89D7A88E5B00"
},
"execution": {
"process_id": 1112,
"thread_id": 6604
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"PolicyActivityId": "261F3C8C-5577-42F1-99D9-89D7A88E5B00",
"PrincipalSamName": "ludus\\domainadmin",
"IsMachine": 0,
"IsDomainJoined": true,
"IsBackgroundProcessing": true,
"IsAsyncProcessing": false,
"IsServiceRestart": false,
"ReasonForSyncProcessing": 0
},
"message": ""
}
Event ID 4016 — Starting CSEExtensionName Extension Processing.
Description
Starting CSEExtensionName Extension Processing.
Message
Fields
| Name | Type | Description |
|---|---|---|
| CSEExtensionId | GUID | — |
| CSEExtensionName | UnicodeString | — |
| IsExtensionAsyncProcessing | Boolean | — |
| IsGPOListChanged | Boolean | — |
| GPOListStatusString | UnicodeString | — |
| DescriptionString | UnicodeString | — |
| ApplicableGPOList | UnicodeString | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 4016,
"version": 0,
"level": 4,
"task": 0,
"opcode": 1,
"keywords": 4611686018427387904,
"time_created": "2023-11-05T23:49:57.906053+00:00",
"event_record_id": 1165,
"correlation": {
"ActivityID": "AA63BEC0-3996-4133-A97D-DB5DB9617FF3"
},
"execution": {
"process_id": 8540,
"thread_id": 9876
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"CSEExtensionId": "F3CCC681-B74C-4060-9F26-CD84525DCA2A",
"CSEExtensionName": "Audit Policy Configuration",
"IsExtensionAsyncProcessing": true,
"IsGPOListChanged": true,
"GPOListStatusString": "%%4102",
"DescriptionString": "Local Group Policy\n",
"ApplicableGPOList": "<GPO ID=\"Local Group Policy\"><Name>Local Group Policy</Name></GPO>"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4017 — OperationDescription Parameter.
Message
Fields
| Name | Type | Description |
|---|---|---|
| OperationDescription | UnicodeString | — |
| Parameter | UnicodeString | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 4017,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2022-04-07T17:39:37.551157+00:00",
"event_record_id": 886,
"correlation": {
"ActivityID": "2CF6CF52-0A34-47C3-987B-53FCBD5B6234"
},
"execution": {
"process_id": 1352,
"thread_id": 4040
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"OperationDescription": "%%4131",
"Parameter": "\\\\lab.local\\sysvol\\lab.local\\Policies\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\gpt.ini"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4018 — Starting ScriptType for PrincipalSamName.
Event ID 4019 — Running script name ScriptName.
Event ID 4115 — Group Policy Service started.
Description
Group Policy Service started.
Message
Fields
| Name | Type | Description |
|---|---|---|
| IsServiceRestart | Boolean | — |
| IsMachineBoot | Boolean | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 4115,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-06T06:25:40.340217+00:00",
"event_record_id": 415,
"correlation": {},
"execution": {
"process_id": 2412,
"thread_id": 2516
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"IsServiceRestart": false,
"IsMachineBoot": true
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4116 — Started the Group Policy service initialization phase.
Description
Started the Group Policy service initialization phase.
Message
Example Event
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 4116,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-06T06:25:40.239882+00:00",
"event_record_id": 414,
"correlation": {},
"execution": {
"process_id": 2412,
"thread_id": 2516
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4117 — Group Policy Session started.
Description
Group Policy Session started.
Message
Fields
| Name | Type | Description |
|---|---|---|
| IsMachine | Boolean | — |
| IsBackgroundProcessing | Boolean | — |
| IsAsyncProcessing | Boolean | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 4117,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-06T02:02:23.115992+00:00",
"event_record_id": 1272,
"correlation": {},
"execution": {
"process_id": 21104,
"thread_id": 4724
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"IsMachine": false,
"IsBackgroundProcessing": true,
"IsAsyncProcessing": false
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4126 — Group Policy receiving applicable GPOs from the domain controller.
Description
Group Policy receiving applicable GPOs from the domain controller.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| IsMachine | Boolean | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 4126,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-05T23:49:57.214177+00:00",
"event_record_id": 1155,
"correlation": {
"ActivityID": "AA63BEC0-3996-4133-A97D-DB5DB9617FF3"
},
"execution": {
"process_id": 8540,
"thread_id": 9876
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"IsMachine": true
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4216 — Starting to save policies to the local datastore.
Description
Starting to save policies to the local datastore.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| IsMachine | Boolean | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 4216,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-03-09T00:48:47.640241+00:00",
"event_record_id": 5485,
"correlation": {
"ActivityID": "9197D599-AFC9-4584-AEA0-64AEB7628F03"
},
"execution": {
"process_id": 2268,
"thread_id": 8268
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1104"
}
},
"event_data": {
"IsMachine": false
},
"message": ""
}
Event ID 4217 — Starting to load policies from the local datastore.
Event ID 4218 — Starting the first WMI query for the policy.
Event ID 4257 — Starting to download policies.
Description
Starting to download policies.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| IsMachine | Boolean | — |
| IsBackgroundProcessing | Boolean | — |
| IsAsyncProcessing | Boolean | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 4257,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2022-04-07T17:39:37.495445+00:00",
"event_record_id": 882,
"correlation": {
"ActivityID": "2CF6CF52-0A34-47C3-987B-53FCBD5B6234"
},
"execution": {
"process_id": 1352,
"thread_id": 4040
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"IsMachine": true,
"IsBackgroundProcessing": true,
"IsAsyncProcessing": true
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4326 — Group Policy is trying to discover the Domain Controller information.
Description
Group Policy is trying to discover the Domain Controller information.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 4326,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2022-04-07T17:39:37.485405+00:00",
"event_record_id": 872,
"correlation": {
"ActivityID": "2CF6CF52-0A34-47C3-987B-53FCBD5B6234"
},
"execution": {
"process_id": 1352,
"thread_id": 4040
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5016 — Completed CSEExtensionName Extension Processing in CSEElaspedTimeInMilliSeconds milliseconds.
Description
Completed CSEExtensionName Extension Processing in CSEElaspedTimeInMilliSeconds milliseconds.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| CSEElaspedTimeInMilliSeconds | UInt32 | — |
| ErrorCode | UInt32 | — |
| CSEExtensionName | UnicodeString | — |
| CSEExtensionId | GUID | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 5016,
"version": 0,
"level": 4,
"task": 0,
"opcode": 2,
"keywords": 4611686018427387904,
"time_created": "2023-11-05T23:49:58.046318+00:00",
"event_record_id": 1166,
"correlation": {
"ActivityID": "AA63BEC0-3996-4133-A97D-DB5DB9617FF3"
},
"execution": {
"process_id": 8540,
"thread_id": 9876
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"CSEElaspedTimeInMilliSeconds": 140,
"ErrorCode": 2147483658,
"CSEExtensionName": "Audit Policy Configuration",
"CSEExtensionId": "F3CCC681-B74C-4060-9F26-CD84525DCA2A"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5017 — OperationDescription Parameter The call completed in OperationElaspedTimeInMilliSeconds milliseconds.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| OperationElaspedTimeInMilliSeconds | UInt32 | — |
| ErrorCode | UInt32 | — |
| OperationDescription | UnicodeString | — |
| Parameter | UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 5017,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2022-04-07T17:39:37.553922+00:00",
"event_record_id": 887,
"correlation": {
"ActivityID": "2CF6CF52-0A34-47C3-987B-53FCBD5B6234"
},
"execution": {
"process_id": 1352,
"thread_id": 4040
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"OperationElaspedTimeInMilliSeconds": 0,
"ErrorCode": 0,
"OperationDescription": "%%4132",
"Parameter": "\\\\lab.local\\sysvol\\lab.local\\Policies\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\gpt.ini"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5018 — Completed ScriptType for PrincipalSamName in ScriptElaspedTimeInSeconds seconds.
Event ID 5019 — Completed ScriptName in ScriptElaspedTimeInSeconds seconds.
Event ID 5115 — Group Policy Service stopped.
Description
Group Policy Service stopped.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| IsServiceRestart | Boolean | — |
| IsMachineBoot | Boolean | — |
| GpsvcTimeElapsedInMilliseconds | UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 5115,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-05T22:31:34.542622+00:00",
"event_record_id": 468,
"correlation": {},
"execution": {
"process_id": 1860,
"thread_id": 1836
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"IsServiceRestart": false,
"IsMachineBoot": true,
"GpsvcTimeElapsedInMilliseconds": 175484
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5116 — Successfully completed the Group Policy Service initialization phase.
Description
Successfully completed the Group Policy Service initialization phase.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| GpsvcInitTimeElapsedInMilliseconds | UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 5116,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-06T06:25:40.434301+00:00",
"event_record_id": 416,
"correlation": {},
"execution": {
"process_id": 2412,
"thread_id": 2548
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"GpsvcInitTimeElapsedInMilliseconds": 203
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5117 — Group policy session completed successfully.
Description
Group policy session completed successfully.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| IsMachine | Boolean | — |
| SessionTimeElapsedInMilliseconds | UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 5117,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-06T02:02:23.611150+00:00",
"event_record_id": 1279,
"correlation": {
"ActivityID": "30469375-F951-41D9-8DD5-460652667F6C"
},
"execution": {
"process_id": 21104,
"thread_id": 18128
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"IsMachine": true,
"SessionTimeElapsedInMilliseconds": 719
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5126 — Group Policy successfully got applicable GPOs from the domain controller.
Description
Group Policy successfully got applicable GPOs from the domain controller.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| IsMachine | Boolean | — |
| IsBackgroundProcessing | Boolean | — |
| IsAsyncProcessing | Boolean | — |
| NumberOfGPOsDownloaded | UInt32 | — |
| NumberOfGPOsApplicable | UInt32 | — |
| GPODownloadTimeElapsedInMilliseconds | UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 5126,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-05T23:49:57.224158+00:00",
"event_record_id": 1157,
"correlation": {
"ActivityID": "AA63BEC0-3996-4133-A97D-DB5DB9617FF3"
},
"execution": {
"process_id": 8540,
"thread_id": 9876
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"IsMachine": true,
"IsBackgroundProcessing": true,
"IsAsyncProcessing": false,
"NumberOfGPOsDownloaded": 1,
"NumberOfGPOsApplicable": 0,
"GPODownloadTimeElapsedInMilliseconds": 0
},
"message": ""
}
References #
- Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5126
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5216 — Successfully saved policies to the local datastore.
Description
Successfully saved policies to the local datastore.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| IsMachine | Boolean | — |
| SaveToCacheTimeElapsedInMilliseconds | UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 5216,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-03-09T00:48:47.649684+00:00",
"event_record_id": 5486,
"correlation": {
"ActivityID": "9197D599-AFC9-4584-AEA0-64AEB7628F03"
},
"execution": {
"process_id": 2268,
"thread_id": 8268
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1104"
}
},
"event_data": {
"IsMachine": false,
"SaveToCacheTimeElapsedInMilliseconds": 16
},
"message": ""
}
Event ID 5217 — Successfully loaded policies from the local datastore.
Event ID 5218 — Successfully completed the first WMI query.
Event ID 5257 — Successfully completed downloading policies.
Description
Successfully completed downloading policies.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| IsMachine | Boolean | — |
| PolicyDownloadTimeElapsedInMilliseconds | UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 5257,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-05T23:49:57.215760+00:00",
"event_record_id": 1156,
"correlation": {
"ActivityID": "AA63BEC0-3996-4133-A97D-DB5DB9617FF3"
},
"execution": {
"process_id": 8540,
"thread_id": 9876
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"IsMachine": true,
"PolicyDownloadTimeElapsedInMilliseconds": 4681812
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5308 — Domain Controller details.
Description
Domain Controller details.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| DCName | UnicodeString | [Domain Controller details] Domain Controller Name. |
| DCIPAddress | UnicodeString | [Domain Controller details] Domain Controller IP Address. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 5308,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2022-04-07T17:39:37.488998+00:00",
"event_record_id": 876,
"correlation": {
"ActivityID": "2CF6CF52-0A34-47C3-987B-53FCBD5B6234"
},
"execution": {
"process_id": 1352,
"thread_id": 4040
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"DCName": "WIN-FPV0DSIC9O6.lab.local",
"DCIPAddress": "10.0.2.133"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5309 — Computer details.
Description
Computer details.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| MachineRole | UInt32 | [Computer details] Computer role. |
| NetworkName | UnicodeString | [Computer details] Network name. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 5309,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2022-04-07T17:39:37.489467+00:00",
"event_record_id": 878,
"correlation": {
"ActivityID": "2CF6CF52-0A34-47C3-987B-53FCBD5B6234"
},
"execution": {
"process_id": 1352,
"thread_id": 4040
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"MachineRole": 3,
"NetworkName": "localdomain"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5310 — Account details.
Description
Account details.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| PrincipalCNName | UnicodeString | [Account details] Account Name. |
| PrincipalDomainName | UnicodeString | [Account details] Account Domain Name. |
| DCName | UnicodeString | [Account details] DC Name. |
| DCDomainName | UnicodeString | [Account details] DC Domain Name. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 5310,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2022-04-07T17:39:37.489469+00:00",
"event_record_id": 879,
"correlation": {
"ActivityID": "2CF6CF52-0A34-47C3-987B-53FCBD5B6234"
},
"execution": {
"process_id": 1352,
"thread_id": 4040
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"PrincipalCNName": "CN=WIN-FPV0DSIC9O6,OU=Domain Controllers,DC=sigma,DC=fr",
"PrincipalDomainName": "lab.local",
"DCName": "\\\\WIN-FPV0DSIC9O6.lab.local",
"DCDomainName": "lab.local"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5311 — The loopback policy processing mode is PolicyProcessingMode.
Description
The loopback policy processing mode is PolicyProcessingMode.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| PolicyProcessingMode | UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 5311,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-05T23:49:57.213591+00:00",
"event_record_id": 1154,
"correlation": {
"ActivityID": "AA63BEC0-3996-4133-A97D-DB5DB9617FF3"
},
"execution": {
"process_id": 8540,
"thread_id": 9876
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"PolicyProcessingMode": 0
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5312 — List of applicable Group Policy objects.
Description
List of applicable Group Policy objects.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| DescriptionString | UnicodeString | List of applicable Group Policy objects |
| GPOInfoList | UnicodeString | XML string containing information about the applicable Group Policy objects |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 5312,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-05T23:49:57.225593+00:00",
"event_record_id": 1158,
"correlation": {
"ActivityID": "AA63BEC0-3996-4133-A97D-DB5DB9617FF3"
},
"execution": {
"process_id": 8540,
"thread_id": 9876
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"DescriptionString": "Local Group Policy\n",
"GPOInfoList": "<GPO ID=\"Local Group Policy\"><Name>Local Group Policy</Name><Version>2621480</Version><SOM>Local</SOM><FSPath>C:\\Windows\\System32\\GroupPolicy\\Machine</FSPath><Extensions>[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{F3CCC681-B74C-4060-9F26-CD84525DCA2A}{0F3F3735-573D-9804-99E4-AB2A69BA5FD4}]</Extensions></GPO>"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
- Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/group-policy/evtx-5312-list-of-gpo.md
Event ID 5313 — The following Group Policy objects were not applicable because they were filtered out.
Description
The following Group Policy objects were not applicable because they were filtered out.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| DescriptionString | UnicodeString | The following Group Policy objects were not applicable because they were filtered out |
| GPOInfoList | UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 5313,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-05T23:49:57.225627+00:00",
"event_record_id": 1159,
"correlation": {
"ActivityID": "AA63BEC0-3996-4133-A97D-DB5DB9617FF3"
},
"execution": {
"process_id": 8540,
"thread_id": 9876
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"DescriptionString": "None",
"GPOInfoList": ""
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5314 — A LinkDescription link was detected.
Description
A LinkDescription link was detected. The Estimated bandwidth is BandwidthInkbps kbps. The slow link threshold is ThresholdInkbps kbps.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| BandwidthInkbps | UInt32 | — |
| IsSlowLink | Boolean | — |
| ThresholdInkbps | UInt32 | — |
| PolicyApplicationMode | UInt32 | — |
| ErrorCode | UInt32 | — |
| LinkDescription | UnicodeString | — |
Event ID 5315 — Next policy processing for PrincipalSamName will be attempted in NextPolicyApplicationTime NextPolicyApplicationTimeUnit.
Description
Next policy processing for PrincipalSamName will be attempted in NextPolicyApplicationTime NextPolicyApplicationTimeUnit.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| PrincipalSamName | UnicodeString | — |
| NextPolicyApplicationTime | UInt32 | — |
| NextPolicyApplicationTimeUnit | UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 5315,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2022-04-07T17:39:37.580689+00:00",
"event_record_id": 898,
"correlation": {
"ActivityID": "2CF6CF52-0A34-47C3-987B-53FCBD5B6234"
},
"execution": {
"process_id": 1352,
"thread_id": 4040
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"PrincipalSamName": "SIGMA\\WIN-FPV0DSIC9O6$",
"NextPolicyApplicationTime": 5,
"NextPolicyApplicationTimeUnit": "%%4100"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5320 — InfoDescription.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| InfoDescription | UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 5320,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-06T06:25:47.222709+00:00",
"event_record_id": 419,
"correlation": {},
"execution": {
"process_id": 2412,
"thread_id": 2548
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"InfoDescription": "%%4166"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5321 — InfoDescription Parameter: OperationParameter1.
Description
InfoDescription Parameter: OperationParameter1.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| InfoDescription | UnicodeString | — |
| OperationParameter1 | UnicodeString | 1 Parameter. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 5321,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-06T06:25:47.223028+00:00",
"event_record_id": 420,
"correlation": {},
"execution": {
"process_id": 2412,
"thread_id": 2548
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"InfoDescription": "%%4167",
"OperationParameter1": "9c6b0019-6984-4ded-a867-f9ffb55eb5bf"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5322 — Group Policy waited for TimeWaitedAtStartup milliseconds for the network subsystem at computer boot.
Description
Group Policy waited for TimeWaitedAtStartup milliseconds for the network subsystem at computer boot.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| IsPolicyConfigured | Boolean | — |
| MaxTimeToWait | UInt32 | — |
| TimeWaitedAtStartup | UInt32 | — |
| PrevAvgWaitTimeout | UInt32 | — |
| NewAvgWaitTimeout | UInt32 | — |
| DidWaitTimeout | Boolean | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 5322,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2022-04-07T16:54:16.476862+00:00",
"event_record_id": 500,
"correlation": {},
"execution": {
"process_id": 1352,
"thread_id": 3688
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"IsPolicyConfigured": false,
"MaxTimeToWait": 120000,
"TimeWaitedAtStartup": 35110,
"PrevAvgWaitTimeout": 60000,
"NewAvgWaitTimeout": 60000,
"DidWaitTimeout": true
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5323 — Invalid Error Message.
Description
Invalid Error Message.
Message #
Event ID 5324 — Group Policy received the notification NotificationType from Winlogon for session SessionId.
Description
Group Policy received the notification NotificationType from Winlogon for session SessionId.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| NotificationType | UInt32 | — |
| SessionId | UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 5324,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-06T02:02:22.822586+00:00",
"event_record_id": 1268,
"correlation": {},
"execution": {
"process_id": 21104,
"thread_id": 14860
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"NotificationType": 0,
"SessionId": 0
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5325 — Group Policy received NotificationType notification from Service Control Manager.
Description
Group Policy received NotificationType notification from Service Control Manager.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| NotificationType | UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 5325,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-05T22:31:34.541162+00:00",
"event_record_id": 467,
"correlation": {},
"execution": {
"process_id": 1860,
"thread_id": 1864
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"NotificationType": 0
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5326 — Group Policy successfully discovered the Domain Controller in DCDiscoveryTimeInMilliSeconds milliseconds.
Description
Group Policy successfully discovered the Domain Controller in DCDiscoveryTimeInMilliSeconds milliseconds.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| DCDiscoveryTimeInMilliSeconds | UInt32 | — |
| ErrorCode | UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 5326,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2022-04-07T17:39:37.489000+00:00",
"event_record_id": 877,
"correlation": {
"ActivityID": "2CF6CF52-0A34-47C3-987B-53FCBD5B6234"
},
"execution": {
"process_id": 1352,
"thread_id": 4040
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"DCDiscoveryTimeInMilliSeconds": 0,
"ErrorCode": 0
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5327 — Estimated network bandwidth on one of the connections: NetworkBandwidthInKbps kbps.
Event ID 5331 — Service configuration update to standalone was attempted due to the presence of Group Policy client extension UpdateCauseExtensionName that is not part of the operating ...
Description
Service configuration update to standalone was attempted due to the presence of Group Policy client extension UpdateCauseExtensionName that is not part of the operating system and completed with status ErrorCode.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| UpdateCauseExtensionName | UnicodeString | — |
| UpdateCauseExtensionId | UnicodeString | — |
| ErrorCode | UInt32 | — |
Event ID 5332 — Group Policy waited for TimeWaitedAtStartup milliseconds for the Direct Access CorpNet connectivity at computer boot.
Event ID 5340 — The Group Policy processing mode is PolicyApplicationMode.
Description
The Group Policy processing mode is PolicyApplicationMode.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| PolicyApplicationMode | UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 5340,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-05T23:49:57.141137+00:00",
"event_record_id": 1153,
"correlation": {
"ActivityID": "AA63BEC0-3996-4133-A97D-DB5DB9617FF3"
},
"execution": {
"process_id": 8540,
"thread_id": 9876
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"PolicyApplicationMode": 0
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5351 — Group policy session returned to winlogon.
Description
Group policy session returned to winlogon.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| IsMachine | Boolean | — |
| WinlogonReturnTimeElapsedInMilliseconds | UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 5351,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-06T02:02:22.915005+00:00",
"event_record_id": 1271,
"correlation": {},
"execution": {
"process_id": 21104,
"thread_id": 14860
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"IsMachine": true,
"WinlogonReturnTimeElapsedInMilliseconds": 0
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 6000 — Invalid Error Message.
Description
Invalid Error Message.
Message #
Event ID 6001 — Invalid Error Message.
Description
Invalid Error Message.
Message #
Event ID 6002 — Invalid Error Message.
Description
Invalid Error Message.
Message #
Event ID 6003 — Invalid Error Message.
Description
Invalid Error Message.
Message #
Event ID 6004 — Invalid Error Message.
Description
Invalid Error Message.
Message #
Event ID 6005 — Invalid Error Message.
Description
Invalid Error Message.
Message #
Event ID 6006 — Invalid Error Message.
Description
Invalid Error Message.
Message #
Event ID 6007 — Invalid Error Message.
Description
Invalid Error Message.
Message #
Event ID 6016 — Completed CSEExtensionName Extension Processing in CSEElaspedTimeInMilliSeconds milliseconds.
Event ID 6017 — Invalid Error Message.
Description
Invalid Error Message.
Message #
Event ID 6018 — Invalid Error Message.
Description
Invalid Error Message.
Message #
Event ID 6019 — Invalid Error Message.
Description
Invalid Error Message.
Message #
Event ID 6033 — Skipped CSEExtensionName Extension based on Group Policy client-side processing rules.
Event ID 6034 — Group Policy changed from synchronous foreground to asynchronous foreground based on slow link detection.
Description
Group Policy changed from synchronous foreground to asynchronous foreground based on slow link detection.
Message #
Event ID 6035 — CSEExtensionName Extension deferred processing until next synchronous foreground.
Event ID 6226 — Invalid Error Message.
Description
Invalid Error Message.
Message #
Event ID 6308 — Invalid Error Message.
Description
Invalid Error Message.
Message #
Event ID 6309 — Invalid Error Message.
Description
Invalid Error Message.
Message #
Event ID 6310 — Invalid Error Message.
Description
Invalid Error Message.
Message #
Event ID 6311 — Invalid Error Message.
Description
Invalid Error Message.
Message #
Event ID 6312 — Invalid Error Message.
Description
Invalid Error Message.
Message #
Event ID 6313 — Invalid Error Message.
Description
Invalid Error Message.
Message #
Event ID 6314 — Group Policy bandwidth estimation failed.
Description
Group Policy bandwidth estimation failed. Group Policy processing will continue. Assuming LinkDescription link.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| BandwidthInkbps | UInt32 | — |
| IsSlowLink | Boolean | — |
| ThresholdInkbps | UInt32 | — |
| PolicyApplicationMode | UInt32 | — |
| ErrorCode | UInt32 | — |
| LinkDescription | UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 6314,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2022-04-07T17:39:37.507287+00:00",
"event_record_id": 883,
"correlation": {
"ActivityID": "2CF6CF52-0A34-47C3-987B-53FCBD5B6234"
},
"execution": {
"process_id": 1352,
"thread_id": 4040
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"BandwidthInkbps": 1,
"IsSlowLink": false,
"ThresholdInkbps": 500,
"PolicyApplicationMode": 0,
"ErrorCode": 1,
"LinkDescription": "%%4113"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 6315 — Invalid Error Message.
Description
Invalid Error Message.
Message #
Event ID 6320 — Warning: Warning Warning code WarningDescription.
Event ID 6321 — Warning: Warning Parameter: WarningDescription : Warning code Parameter.
Event ID 6322 — Invalid Error Message.
Description
Invalid Error Message.
Message #
Event ID 6323 — Group Policy dependency (DisplayName) did not start.
Event ID 6324 — Invalid Error Message.
Description
Invalid Error Message.
Message #
Event ID 6325 — Invalid Error Message.
Description
Invalid Error Message.
Message #
Event ID 6326 — Invalid Error Message.
Description
Invalid Error Message.
Message #
Event ID 6327 — Invalid Error Message.
Description
Invalid Error Message.
Message #
Event ID 6330 — An unfinished invocation of the Group Policy Client Side Extension InfoDescription from a previous instance of the Group Policy Service was detected.
Event ID 6331 — Invalid Error Message.
Event ID 6332 — Invalid Error Message.
Description
Invalid Error Message.
Message #
Event ID 6337 — Group Policy network connection is via Direct Access.
Description
Group Policy network connection is via Direct Access.
Message #
Event ID 6338 — Group Policy Winlogon status reporting has completed.
Description
Group Policy Winlogon status reporting has completed.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 6338,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-05T22:28:54.477711+00:00",
"event_record_id": 461,
"correlation": {},
"execution": {
"process_id": 1860,
"thread_id": 2032
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 6339 — Group Policy Winlogon Start Shell handling completed.
Description
Group Policy Winlogon Start Shell handling completed.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 6339,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-05T22:32:22.754428+00:00",
"event_record_id": 509,
"correlation": {},
"execution": {
"process_id": 1132,
"thread_id": 1332
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 6341 — A Group Policy setting was used to override the fast/slow link detection.
Description
A Group Policy setting was used to override the fast/slow link detection.
Message #
Event ID 6342 — The network connection is using a WWAN device for connectivity.
Description
The network connection is using a WWAN device for connectivity.
Message #
Event ID 6344 — Group Policy detected a slow link during sync mode processing.
Event ID 6345 — The connection to DC timed out during the Group Policy sync mode process.
Event ID 6346 — Group Policy switched the sync mode process to async mode.
Event ID 7000 — Computer boot policy processing failed for PrincipalSamName in PolicyElaspedTimeInSeconds seconds.
Event ID 7001 — User logon policy processing failed for PrincipalSamName in PolicyElaspedTimeInSeconds seconds.
Event ID 7002 — Policy processing due to network state change failed for computer PrincipalSamName in PolicyElaspedTimeInSeconds seconds.
Event ID 7003 — Policy processing due to network state change failed for user PrincipalSamName in PolicyElaspedTimeInSeconds seconds.
Event ID 7004 — Manual processing of policy failed for computer PrincipalSamName in PolicyElaspedTimeInSeconds seconds.
Event ID 7005 — Manual processing of policy failed for user PrincipalSamName in PolicyElaspedTimeInSeconds seconds.
Event ID 7006 — Periodic policy processing failed for computer PrincipalSamName in PolicyElaspedTimeInSeconds seconds.
Event ID 7007 — Periodic policy processing failed for user PrincipalSamName in PolicyElaspedTimeInSeconds seconds.
Event ID 7016 — Completed CSEExtensionName Extension Processing in CSEElaspedTimeInMilliSeconds milliseconds.
Event ID 7017 — OperationDescription Parameter The call failed after OperationElaspedTimeInMilliSeconds milliseconds.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| OperationElaspedTimeInMilliSeconds | UInt32 | — |
| ErrorCode | UInt32 | — |
| OperationDescription | UnicodeString | — |
| Parameter | UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 7017,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2022-04-07T16:59:24.588821+00:00",
"event_record_id": 562,
"correlation": {
"ActivityID": "178B5CEF-A5EC-4DF9-951A-EF713A1FE2F6"
},
"execution": {
"process_id": 1352,
"thread_id": 4040
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"OperationElaspedTimeInMilliSeconds": 2000,
"ErrorCode": 58,
"OperationDescription": "%%4120",
"Parameter": "WIN-FPV0DSIC9O6.lab.local"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 7018 — Script for PrincipalSamName failed in ScriptElaspedTimeInSeconds seconds.
Event ID 7019 — Invalid Error Message.
Description
Invalid Error Message.
Message #
Event ID 7117 — Group policy session completed with error.
Event ID 7126 — Group Policy could not get applicable GPOs from the domain controller.
Event ID 7216 — Saved policies to the local datastore with error.
Event ID 7217 — Loaded policies from the local datastore with error.
Event ID 7257 — Downloaded policies with error.
Event ID 7308 — Invalid Error Message.
Description
Invalid Error Message.
Message #
Event ID 7309 — Invalid Error Message.
Description
Invalid Error Message.
Message #
Event ID 7310 — Invalid Error Message.
Description
Invalid Error Message.
Message #
Event ID 7311 — Invalid Error Message.
Description
Invalid Error Message.
Message #
Event ID 7312 — Invalid Error Message.
Description
Invalid Error Message.
Message #
Event ID 7313 — Invalid Error Message.
Description
Invalid Error Message.
Message #
Event ID 7314 — Invalid Error Message.
Description
Invalid Error Message.
Message #
Event ID 7315 — Invalid Error Message.
Description
Invalid Error Message.
Message #
Event ID 7320 — Error: ErrorDescription Error code ErrorCode.
Description
Error: ErrorDescription Error code ErrorCode.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ErrorDescription | UnicodeString | Error. |
| ErrorCode | UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 7320,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2022-04-07T16:59:24.590503+00:00",
"event_record_id": 564,
"correlation": {
"ActivityID": "178B5CEF-A5EC-4DF9-951A-EF713A1FE2F6"
},
"execution": {
"process_id": 1352,
"thread_id": 4040
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"ErrorDescription": "%%4125",
"ErrorCode": 50
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 7321 — Error: Error Parameter: ErrorDescription : Error code Parameter.
Event ID 7322 — Invalid Error Message.
Description
Invalid Error Message.
Message #
Event ID 7323 — Invalid Error Message.
Description
Invalid Error Message.
Message #
Event ID 7324 — Invalid Error Message.
Description
Invalid Error Message.
Message #
Event ID 7325 — Invalid Error Message.
Description
Invalid Error Message.
Message #
Event ID 7326 — Group Policy failed to discover the Domain Controller details in DCDiscoveryTimeInMilliSeconds milliseconds.
Description
Group Policy failed to discover the Domain Controller details in DCDiscoveryTimeInMilliSeconds milliseconds.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| DCDiscoveryTimeInMilliSeconds | UInt32 | — |
| ErrorCode | UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 7326,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2022-04-07T16:59:24.588837+00:00",
"event_record_id": 563,
"correlation": {
"ActivityID": "178B5CEF-A5EC-4DF9-951A-EF713A1FE2F6"
},
"execution": {
"process_id": 1352,
"thread_id": 4040
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"DCDiscoveryTimeInMilliSeconds": 4000,
"ErrorCode": 58
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 7327 — Invalid Error Message.
Description
Invalid Error Message.
Message #
Event ID 7331 — Service configuration update to standalone was attempted due to the presence of Group Policy client extension UpdateCauseExtensionName that is not part of the operating ...
Description
Service configuration update to standalone was attempted due to the presence of Group Policy client extension UpdateCauseExtensionName that is not part of the operating system and completed with status ErrorCode.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| UpdateCauseExtensionName | UnicodeString | — |
| UpdateCauseExtensionId | UnicodeString | — |
| ErrorCode | UInt32 | — |
Event ID 7332 — Invalid Error Message.
Description
Invalid Error Message.
Message #
Event ID 8000 — Completed computer boot policy processing for PrincipalSamName in PolicyElaspedTimeInSeconds seconds.
Description
Completed computer boot policy processing for PrincipalSamName in PolicyElaspedTimeInSeconds seconds.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| PolicyElaspedTimeInSeconds | UInt32 | — |
| ErrorCode | UInt32 | — |
| PrincipalSamName | UnicodeString | — |
| IsMachine | UInt32 | — |
| IsConnectivityFailure | Boolean | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 8000,
"version": 1,
"level": 4,
"task": 0,
"opcode": 2,
"keywords": 4611686018427387904,
"time_created": "2023-11-05T22:32:17.445743+00:00",
"event_record_id": 490,
"correlation": {
"ActivityID": "70C9A908-A206-406D-8A5D-D1CA7FEE9E13"
},
"execution": {
"process_id": 1132,
"thread_id": 1348
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"PolicyElaspedTimeInSeconds": 0,
"ErrorCode": 0,
"PrincipalSamName": "WORKGROUP\\WINDEV2310EVAL$",
"IsMachine": 1,
"IsConnectivityFailure": false
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 8001 — Completed user logon policy processing for PrincipalSamName in PolicyElaspedTimeInSeconds seconds.
Description
Completed user logon policy processing for PrincipalSamName in PolicyElaspedTimeInSeconds seconds.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| PolicyElaspedTimeInSeconds | UInt32 | — |
| ErrorCode | UInt32 | — |
| PrincipalSamName | UnicodeString | — |
| IsMachine | UInt32 | — |
| IsConnectivityFailure | Boolean | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 8001,
"version": 1,
"level": 4,
"task": 0,
"opcode": 2,
"keywords": 4611686018427387904,
"time_created": "2023-11-05T22:32:22.302154+00:00",
"event_record_id": 506,
"correlation": {
"ActivityID": "DE67DFB7-B871-42E1-B68C-4175341DA657"
},
"execution": {
"process_id": 1132,
"thread_id": 3904
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"PolicyElaspedTimeInSeconds": 0,
"ErrorCode": 0,
"PrincipalSamName": "WINDEV2310EVAL\\User",
"IsMachine": 0,
"IsConnectivityFailure": false
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 8002 — Completed policy processing due to network state change for computer PrincipalSamName in PolicyElaspedTimeInSeconds seconds.
Event ID 8003 — Completed policy processing due to network state change for user PrincipalSamName in PolicyElaspedTimeInSeconds seconds.
Event ID 8004 — Completed manual processing of policy for computer PrincipalSamName in PolicyElaspedTimeInSeconds seconds.
Description
Completed manual processing of policy for computer PrincipalSamName in PolicyElaspedTimeInSeconds seconds.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| PolicyElaspedTimeInSeconds | UInt32 | — |
| ErrorCode | UInt32 | — |
| PrincipalSamName | UnicodeString | — |
| IsMachine | UInt32 | — |
| IsConnectivityFailure | Boolean | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 8004,
"version": 1,
"level": 4,
"task": 0,
"opcode": 2,
"keywords": 4611686018427387904,
"time_created": "2023-11-05T23:49:58.061228+00:00",
"event_record_id": 1167,
"correlation": {
"ActivityID": "AA63BEC0-3996-4133-A97D-DB5DB9617FF3"
},
"execution": {
"process_id": 8540,
"thread_id": 9876
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"PolicyElaspedTimeInSeconds": 0,
"ErrorCode": 0,
"PrincipalSamName": "WORKGROUP\\WINDEV2310EVAL$",
"IsMachine": 1,
"IsConnectivityFailure": false
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 8005 — Completed manual processing of policy for user PrincipalSamName in PolicyElaspedTimeInSeconds seconds.
Description
Completed manual processing of policy for user PrincipalSamName in PolicyElaspedTimeInSeconds seconds.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| PolicyElaspedTimeInSeconds | UInt32 | — |
| ErrorCode | UInt32 | — |
| PrincipalSamName | UnicodeString | — |
| IsMachine | UInt32 | — |
| IsConnectivityFailure | Boolean | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 8005,
"version": 1,
"level": 4,
"task": 0,
"opcode": 2,
"keywords": 4611686018427387904,
"time_created": "2022-04-07T17:34:38.174229+00:00",
"event_record_id": 864,
"correlation": {
"ActivityID": "DCA9073D-A053-4D86-A71A-A22443FB751F"
},
"execution": {
"process_id": 1352,
"thread_id": 1684
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"PolicyElaspedTimeInSeconds": 0,
"ErrorCode": 0,
"PrincipalSamName": "SIGMA\\Administrator",
"IsMachine": 0,
"IsConnectivityFailure": false
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 8006 — Completed periodic policy processing for computer PrincipalSamName in PolicyElaspedTimeInSeconds seconds.
Description
Completed periodic policy processing for computer PrincipalSamName in PolicyElaspedTimeInSeconds seconds.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| PolicyElaspedTimeInSeconds | UInt32 | — |
| ErrorCode | UInt32 | — |
| PrincipalSamName | UnicodeString | — |
| IsMachine | UInt32 | — |
| IsConnectivityFailure | Boolean | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 8006,
"version": 1,
"level": 4,
"task": 0,
"opcode": 2,
"keywords": 4611686018427387904,
"time_created": "2022-04-07T17:39:37.570483+00:00",
"event_record_id": 897,
"correlation": {
"ActivityID": "2CF6CF52-0A34-47C3-987B-53FCBD5B6234"
},
"execution": {
"process_id": 1352,
"thread_id": 4040
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"PolicyElaspedTimeInSeconds": 0,
"ErrorCode": 0,
"PrincipalSamName": "SIGMA\\WIN-FPV0DSIC9O6$",
"IsMachine": 1,
"IsConnectivityFailure": false
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 8007 — Completed periodic policy processing for user PrincipalSamName in PolicyElaspedTimeInSeconds seconds.
Description
Completed periodic policy processing for user PrincipalSamName in PolicyElaspedTimeInSeconds seconds.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| PolicyElaspedTimeInSeconds | UInt32 | — |
| ErrorCode | UInt32 | — |
| PrincipalSamName | UnicodeString | — |
| IsMachine | UInt32 | — |
| IsConnectivityFailure | Boolean | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-GroupPolicy",
"guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
"event_source_name": "",
"event_id": 8007,
"version": 1,
"level": 4,
"task": 0,
"opcode": 2,
"keywords": 4611686018427387904,
"time_created": "2026-03-14T01:40:41.669270+00:00",
"event_record_id": 179708,
"correlation": {
"ActivityID": "261F3C8C-5577-42F1-99D9-89D7A88E5B00"
},
"execution": {
"process_id": 1112,
"thread_id": 6604
},
"channel": "Microsoft-Windows-GroupPolicy/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"PolicyElaspedTimeInSeconds": 0,
"ErrorCode": 0,
"PrincipalSamName": "ludus\\domainadmin",
"IsMachine": 0,
"IsConnectivityFailure": false
},
"message": ""
}
Event ID 8016 — CSEExtensionName Extension (CSEExtensionId) requests a sync mode process.
Event ID 9001 — This machine is configured to retrieve Group Policy files from a file share in an insecure way.
Description
This machine is configured to retrieve Group Policy files from a file share in an insecure way.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| UNC_Path | UnicodeString | UNC Path. Contains logon scripts and/or files that control system security policies. |
| Mutual_Authentication_Enforced | Boolean | — |
| Integrity_Enforced | Boolean | — |
| UncPath | UnicodeString | — |
| MutualAuthenticationEnforced | Boolean | — |
| IntegrityEnforced | Boolean | — |