Microsoft-Windows-GroupPolicy

Description

The processing of Group Policy failed because of a system allocation failure. Please ensure the computer is not running low on resources (memory, available disk space). Group Policy processing will be attempted at the next refresh cycle.

Message #

The processing of Group Policy failed because of a system allocation failure. Please ensure the computer is not running low on resources (memory, available disk space). Group Policy processing will be attempted at the next refresh cycle.

Fields #

Description

The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

Message #

The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-GroupPolicy",
    "guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
    "event_source_name": "",
    "event_id": 1006,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 1,
    "keywords": 9223372036854775808,
    "time_created": "2026-02-18T05:29:01.333607+00:00",
    "event_record_id": 1666,
    "correlation": {
      "ActivityID": "29E96F9C-8911-49C3-99BC-065B1FD48E8E"
    },
    "execution": {
      "process_id": 3396,
      "thread_id": 2868
    },
    "channel": "System",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "SupportInfo1": 1,
    "SupportInfo2": 6168,
    "ProcessingMode": 0,
    "ProcessingTimeInMilliseconds": 156,
    "ErrorCode": 82,
    "ErrorDescription": "Local Error",
    "DCName": ""
  },
  "message": ""
}

Description

The processing of Group Policy failed. Windows could not determine the site associated for this computer, which is required for Group Policy processing.

Message #

The processing of Group Policy failed. Windows could not determine the site associated for this computer, which is required for Group Policy processing.

Fields #

Description

The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.

Message #

The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-GroupPolicy",
    "guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
    "event_source_name": "",
    "event_id": 1030,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 1,
    "keywords": 9223372036854775808,
    "time_created": "2026-02-12T18:17:33.749779+00:00",
    "event_record_id": 1267,
    "correlation": {
      "ActivityID": "B725C8D9-F151-4EBC-ADFE-2827DEDA46D8"
    },
    "execution": {
      "process_id": 4092,
      "thread_id": 12968
    },
    "channel": "System",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1104"
    }
  },
  "event_data": {
    "SupportInfo1": 1,
    "SupportInfo2": 3018,
    "ProcessingMode": 0,
    "ProcessingTimeInMilliseconds": 31,
    "ErrorCode": 8341,
    "ErrorDescription": "A directory service error has occurred. ",
    "DCName": "\\\\LAB-DC01.ludus.domain"
  },
  "message": ""
}

Description

The processing of Group Policy failed. Windows could not determine the role of this computer. Role information (Workgroup, Member Server, or Domain Controller) is required to process Group Policy.

Message #

The processing of Group Policy failed. Windows could not determine the role of this computer. Role information (Workgroup, Member Server, or Domain Controller) is required to process Group Policy.

Fields #

Description

The processing of Group Policy failed. Windows could not resolve the user name. This could be caused by one of more of the following.

Message #

The processing of Group Policy failed. Windows could not resolve the user name. This could be caused by one of more of the following: 
a) Name Resolution failure on the current domain controller. 
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

Fields #

Description

The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.

Message #

The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-GroupPolicy",
    "event_id": 1054,
    "level": 2,
    "task": 0,
    "opcode": 1,
    "time_created": "2026-04-28T02:27:58.4398646+00:00",
    "computer": "DESKTOP-FF3N5XK.ludus.domain",
    "channel": "System"
  },
  "event_data": {
    "ErrorDescription": "The specified domain either does not exist or could not be contacted. ",
    "ProcessingTimeInMilliseconds": "23063",
    "SupportInfo1": "1",
    "ErrorCode": "1355",
    "SupportInfo2": "3051",
    "ProcessingMode": "0"
  }
}

Description

The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following.

Message #

The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following: 
a) Name Resolution failure on the current domain controller. 
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-GroupPolicy",
    "guid": "{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}",
    "event_source_name": "",
    "event_id": 1055,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 1,
    "keywords": -9223372036854775808,
    "time_created": "2026-04-16T03:50:58.0913473+00:00",
    "event_record_id": 5355,
    "correlation": {
      "ActivityID": "{A59FF81D-34E6-4364-A733-8CF28EBB6D64}"
    },
    "execution": {
      "process_id": 11488,
      "thread_id": 13396
    },
    "channel": "System",
    "computer": "JD-WIN11-22H2-1.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "SupportInfo1": "1",
    "SupportInfo2": "2616",
    "ProcessingMode": "0",
    "ProcessingTimeInMilliseconds": "1844",
    "ErrorCode": "1398",
    "ErrorDescription": "There is a time and/or date difference between the client and server. "
  },
  "message": "The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following: \r\na) Name Resolution failure on the current domain controller. \r\nb) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller)."
}

Description

The processing of Group Policy failed. Windows attempted to read the file FilePath from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: a) Name Resolution/Network Connectivity to the current domain controller. b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). c) The Distributed File System (DFS) client has been disabled.

Message #

The processing of Group Policy failed. Windows attempted to read the file %9 from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 
a) Name Resolution/Network Connectivity to the current domain controller. 
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). 
c) The Distributed File System (DFS) client has been disabled.

Fields #

Description

The processing of Group Policy failed. Windows could not evaluate the Windows Management Instrumentation (WMI) filter for the Group Policy object GPOCNName. This could be caused by RSOP being disabled or Windows Management Instrumentation (WMI) service being disabled, stopped, or other WMI errors. Make sure the WMI service is started and the startup type is set to automatic. New Group Policy objects or settings will not process until this event has been resolved.

Message #

The processing of Group Policy failed. Windows could not evaluate the Windows Management Instrumentation (WMI) filter for the Group Policy object %8. This could be caused by RSOP being disabled  or Windows Management Instrumentation (WMI) service being disabled, stopped, or other WMI errors. Make sure the WMI service is started and the startup type is set to automatic. New Group Policy objects or settings will not process until this event has been resolved.

Fields #

Description

The processing of Group Policy was interrupted. Windows prematurely ended the discovery and enforcement of Group Policy settings because the computer was requested to shutdown or the user logged off. Group Policy processing will be attempted next refresh cycle, on the next computer reboot, or the next user logon.

Message #

The processing of Group Policy was interrupted. Windows prematurely ended the discovery and enforcement of Group Policy settings because the computer was requested to shutdown or the user logged off. Group Policy processing will be attempted next refresh cycle, on the next computer reboot, or the next user logon.

Fields #

Description

The processing of Group Policy failed. Windows could not obtain the list of Group Policy objects applicable for this computer or user. View the event details for more information.

Message #

The processing of Group Policy failed. Windows could not obtain the list of Group Policy objects applicable for this computer or user. View the event details for more information.

Fields #

Description

The processing of Group Policy failed. Windows could not search the Active Directory organization unit hierarchy. View the event details for more information.

Message #

The processing of Group Policy failed. Windows could not search the Active Directory organization unit hierarchy. View the event details for more information.

Fields #

Description

Windows failed to apply the ExtensionName settings. ExtensionName settings might have its own log file. Please click on the "More information" link.

Message #

Windows failed to apply the %8 settings. %8 settings might have its own log file. Please click on the "More information" link.

Fields #

References #

• Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd392562(v=ws.10)

Description

The processing of Group Policy failed. Windows attempted to query the list of Group Policy objects and exceeded the maximum limit (999).

Message #

The processing of Group Policy failed. Windows attempted to query the list of Group Policy objects and exceeded the maximum limit (999).

Fields #

Description

Windows failed to record Resultant Set of Policy (RSoP) information, which describes the scope of Group Policy objects applied to the computer or user. This could be caused by RSOP being disabled or Windows Management Instrumentation (WMI) service being disabled, stopped, or other WMI errors. Group Policy settings successfully applied to the computer or user; however, management tools may not report accurately.

Message #

Windows failed to record Resultant Set of Policy (RSoP) information, which describes the scope of Group Policy objects applied to the computer or user. This could be caused by RSOP being disabled or Windows Management Instrumentation (WMI) service being disabled, stopped, or other WMI errors. Group Policy settings successfully applied to the computer or user; however, management tools may not report accurately.

Fields #

Description

Windows failed to record Resultant Set of Policy (RSoP) information, which describes the scope of Group Policy objects applied to the computer or user. This could be caused by Windows Management Instrumentation (WMI) service being disabled, stopped, or other WMI errors. Group Policy settings successfully applied to the computer or user; however, management tools may not report accurately.

Message #

Windows failed to record Resultant Set of Policy (RSoP) information, which describes the scope of Group Policy objects applied to the computer or user. This could be caused by Windows Management Instrumentation (WMI) service being disabled, stopped, or other WMI errors. Group Policy settings successfully applied to the computer or user; however, management tools may not report accurately.

Fields #

Description

Windows could not record the Resultant Set of Policy (RSoP) information for the Group Policy extension <ExtensionName>. Group Policy settings successfully applied to the computer or user; however, management tools may not report accurately.

Message #

Windows could not record  the Resultant Set of Policy (RSoP) information for the Group Policy extension <%8>. Group Policy settings successfully applied to the computer or user; however, management tools may not report accurately.

Fields #

Description

Windows encountered an error while recording Resultant Set of Policy (RSoP) information, which describes the scope of Group Policy objects applied to the computer or user. Group Policy settings successfully applied to the computer or user; however, management tools may not report accurately.

Message #

Windows encountered an error while recording Resultant Set of Policy (RSoP) information, which describes the scope of Group Policy objects applied to the computer or user. Group Policy settings successfully applied to the computer or user; however, management tools may not report accurately.

Fields #

Description

The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object GPOCNName. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.

Message #

The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object %8. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.

Fields #

Description

The processing of Group Policy failed. Windows could not determine the computer account to enforce Group Policy settings. This may be transient. Group Policy settings, including computer configuration, will not be enforced for this computer.

Message #

The processing of Group Policy failed. Windows could not determine the computer account to enforce Group Policy settings. This may be transient. Group Policy settings, including computer configuration, will not be enforced for this computer.

Fields #

Description

The processing of Group Policy failed. Windows could not locate the directory object DSObjectName. Group Policy settings will not be enforced until this event is resolved. View the event details for more information on this error.

Message #

The processing of Group Policy failed. Windows could not locate the directory object %8. Group Policy settings will not be enforced until this event is resolved. View the event details for more information on this error.

Fields #

Description

Windows was unable to read the Windows Management Instrumentation (WMI) filter information associated with the Group Policy object GPOCNName.This may be caused by a deleted WMI Filter defined in the domain that is still in use by Group Policy objects. Group Policy settings for this Group Policy object will not be enforced. Other Group Policy objects may still apply. Windows will attempt to retrieve this information at the next policy cycle. This specific problem may be resolved by identifying all GPOs that reference the WMI filter and removing the references. Contact an administrator if this event recurs for several hours.

Message #

Windows was unable to read the Windows Management Instrumentation (WMI) filter information associated with the Group Policy object %8.This may be caused by a deleted WMI Filter defined in the domain that is still in use by Group Policy objects. Group Policy settings for this Group Policy object will not be enforced. Other Group Policy objects may still apply. Windows will attempt to retrieve this information at the next policy cycle. This specific problem may be resolved by identifying all GPOs that reference the WMI filter and removing the references. Contact an administrator if this event recurs for several hours.

Fields #

Description

The user account is in a different forest than the computer account. The processing of Group Policy from another forest is not allowed. Group Policy will be processed using Loopback Replace mode. The scope of the user policy settings will be determined by the location of the computer object in Active Directory. The settings will be acquired from the User Configuration of these policies.

Message #

The user account is in a different forest than the computer account. The processing of Group Policy from another forest is not allowed. Group Policy will be processed using Loopback Replace mode. The scope of the user policy settings will be determined by the location of the computer object in Active Directory. The settings will be acquired from the User Configuration of these policies.

Fields #

Description

The processing of Group Policy failed. Windows could not determine if the user and computer accounts are in the same forest. Ensure the user domain name matches the name of a trusted domain that resides in the same forest as the computer account.

Message #

The processing of Group Policy failed. Windows could not determine if the user and computer accounts are in the same forest. Ensure the user domain name matches the name of a trusted domain that resides in the same forest as the computer account.

Fields #

Description

The Group Policy Client Side Extension ExtensionName was unable to apply one or more settings because the changes must be processed before system startup or user logon. The system will wait for Group Policy processing to finish completely before the next startup or logon for this user, and this may result in slow startup and boot performance.

Message #

The Group Policy Client Side Extension %8 was unable to apply one or more settings because the changes must be processed before system startup or user logon. The system will wait for Group Policy processing to finish completely before the next startup or logon for this user, and this may result in slow startup and boot performance.

Fields #

Description

The processing of Group Policy failed because of an internal system error. Please see the Group Policy operational log for the specific error message. An attempt will be made to process Group Policy again at the next refresh cycle.

Message #

The processing of Group Policy failed because of an internal system error. Please see the Group Policy operational log for the specific error message. An attempt will be made to process Group Policy again at the next refresh cycle.

Fields #

References #

• Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc727321(v=ws.10)

Description

Windows was unable to determine whether new Group Policy settings defined by a network administrator should be enforced for this user or computer because this computer's clock is not synchronized with the clock of one of the domain controllers for the domain. Because of this issue, this computer system may not be in compliance with the network administrator’s requirements, and users of this system may not be able to use some functionality on the network. Windows will periodically attempt to retry this operation, and it is possible that either this system or the domain controller will correct the time settings without intervention by an administrator, so the problem will be corrected. If this issue persists for more than an hour, checking the local system's clock settings to ensure they are accurate and are synchronized with the clocks on the network's domain controllers is one way to resolve this problem. A network administrator may be required to resolve the issue if correcting the local time settings does not address the problem.

Message #

Windows was unable to determine whether new Group Policy settings defined by a network administrator should be enforced for this user or computer because this computer's clock is not synchronized with the clock of one of the domain controllers for the domain. Because of this issue, this computer system may not be in compliance with the network administrator?s requirements, and users of this system may not be able to use some functionality on the network. Windows will periodically attempt to retry this operation, and it is possible that either this system or the domain controller will correct the time settings without intervention by an administrator, so the problem will be corrected. 

If this issue persists for more than an hour, checking the local system's clock settings to ensure they are accurate and are synchronized with the clocks on the network's domain controllers is one way to resolve this problem. A network administrator may be required to resolve the issue if correcting the local time settings does not address the problem.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-GroupPolicy",
    "guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
    "event_source_name": "",
    "event_id": 1126,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 1,
    "keywords": 9223372036854775808,
    "time_created": "2026-02-15T19:48:55.427011+00:00",
    "event_record_id": 1406,
    "correlation": {
      "ActivityID": "D02B1188-929A-4E97-B63D-48B93E963B5B"
    },
    "execution": {
      "process_id": 6076,
      "thread_id": 10716
    },
    "channel": "System",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "SupportInfo1": 5,
    "SupportInfo2": 347,
    "ProcessingMode": 0,
    "ProcessingTimeInMilliseconds": 47,
    "ErrorCode": 2148074276,
    "ErrorDescription": "The clocks on the client and server machines are skewed. ",
    "DCName": "\\\\LAB-DC01.ludus.domain"
  },
  "message": ""
}

Description

The processing of Group Policy failed due to an internal error. Please look into the Group Policy operational log for the specific error message. An attempt will be made to process Group Policy again at the next refresh cycle.

Message #

The processing of Group Policy failed due to an internal error. Please look into the Group Policy operational log for the specific error message. An attempt will be made to process Group Policy again at the next refresh cycle.

Fields #

Description

The Group Policy Client Side Extension ExtensionName may have caused the Group Policy Service to terminate unexpectedly. To prevent further failures in the Group Policy Service, this extension has been temporarily disabled until after the next system restart. Group Policy settings managed by this extension may no longer be enforced until the system is restarted. The vendor of this extension should be contacted if this issue recurs.

Message #

The Group Policy Client Side Extension %3 may have caused the Group Policy Service to terminate unexpectedly. To prevent further failures in the Group Policy Service, this extension has been temporarily disabled until after the next system restart. Group Policy settings managed by this extension may no longer be enforced until the system is restarted. The vendor of this extension should be contacted if this issue recurs.

Fields #

Description

The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.

Message #

The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-GroupPolicy",
    "guid": "{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}",
    "event_source_name": "",
    "event_id": 1129,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-05-16T11:45:42.9987787+00:00",
    "event_record_id": 1391,
    "correlation": {
      "ActivityID": "{1A907B63-A93F-4756-9C4B-CDD8832FF748}"
    },
    "execution": {
      "process_id": 1616,
      "thread_id": 6188
    },
    "channel": "System",
    "computer": "telemetry-W11-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1104"
    }
  },
  "event_data": {
    "SupportInfo1": "1",
    "SupportInfo2": "2266",
    "ProcessingMode": "2",
    "ProcessingTimeInMilliseconds": "16",
    "ErrorCode": "1222",
    "ErrorDescription": "The network is not present or not started. "
  },
  "message": "The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator."
}

References #

• Microsoft Learn https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/netlogon-event-id-5719-or-group-policy-event-1129

Description

ScriptType failed. GPO Name : GPODisplayName GPO File System Path : GPOFileSystemPath Script Name: GPOScriptCommandString

Message #

%5 failed. 
	GPO Name : %6
	GPO File System Path : %7
	Script Name: %8

Fields #

Description

The Group Policy settings for the computer were processed successfully. There were no changes detected since the last successful processing of Group Policy.

Message #

The Group Policy settings for the computer were processed successfully. There were no changes detected since the last successful processing of Group Policy.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-GroupPolicy",
    "guid": "{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}",
    "event_source_name": "",
    "event_id": 1500,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 1,
    "keywords": -9223372036854775808,
    "time_created": "2026-06-13T14:33:21.4898521+00:00",
    "event_record_id": 4565,
    "correlation": {
      "ActivityID": "{4CB8FB96-1506-4D59-85DF-9B915C7A0B40}"
    },
    "execution": {
      "process_id": 1736,
      "thread_id": 6400
    },
    "channel": "System",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "SupportInfo1": "1",
    "SupportInfo2": "4214",
    "ProcessingMode": "0",
    "ProcessingTimeInMilliseconds": "156",
    "DCName": "\\\\telemetry-DC-d.cell-d.ludus.domain"
  },
  "message": "The Group Policy settings for the computer were processed successfully. There were no changes detected since the last successful processing of Group Policy."
}

Description

The Group Policy settings for the user were processed successfully. There were no changes detected since the last successful processing of Group Policy.

Message #

The Group Policy settings for the user were processed successfully. There were no changes detected since the last successful processing of Group Policy.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-GroupPolicy",
    "guid": "{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}",
    "event_source_name": "",
    "event_id": 1501,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 1,
    "keywords": -9223372036854775808,
    "time_created": "2026-05-28T11:12:52.8111344+00:00",
    "event_record_id": 1856,
    "correlation": {
      "ActivityID": "{8301D29C-202F-48E8-BD0C-278810E5742D}"
    },
    "execution": {
      "process_id": 1376,
      "thread_id": 948
    },
    "channel": "System",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "SupportInfo1": "1",
    "SupportInfo2": "4214",
    "ProcessingMode": "1",
    "ProcessingTimeInMilliseconds": "1672",
    "DCName": "\\\\telemetry-DC-d.cell-d.ludus.domain"
  },
  "message": "The Group Policy settings for the user were processed successfully. There were no changes detected since the last successful processing of Group Policy."
}

Description

The Group Policy settings for the computer were processed successfully. New settings from NumberOfGroupPolicyObjects Group Policy objects were detected and applied.

Message #

The Group Policy settings for the computer were processed successfully. New settings from %6 Group Policy objects were detected and applied.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-GroupPolicy",
    "guid": "{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}",
    "event_source_name": "",
    "event_id": 1502,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 1,
    "keywords": -9223372036854775808,
    "time_created": "2026-05-29T06:21:48.6031327+00:00",
    "event_record_id": 6403,
    "correlation": {
      "ActivityID": "{77469AD0-7D18-41C0-B45D-4A830B44DB6F}"
    },
    "execution": {
      "process_id": 1872,
      "thread_id": 5536
    },
    "channel": "System",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "SupportInfo1": "1",
    "SupportInfo2": "4195",
    "ProcessingMode": "0",
    "ProcessingTimeInMilliseconds": "954",
    "DCName": "\\\\telemetry-DC-a.cell-a.ludus.domain",
    "NumberOfGroupPolicyObjects": "2"
  },
  "message": "The Group Policy settings for the computer were processed successfully. New settings from 2 Group Policy objects were detected and applied."
}

References #

• Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/group-policy/evtx-1502-computer-gpo-success.md

Description

The Group Policy settings for the user were processed successfully. New settings from NumberOfGroupPolicyObjects Group Policy objects were detected and applied.

Message #

The Group Policy settings for the user were processed successfully. New settings from %6 Group Policy objects were detected and applied.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-GroupPolicy",
    "guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
    "event_source_name": "",
    "event_id": 1503,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 1,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-07T17:34:38.149825+00:00",
    "event_record_id": 1319,
    "correlation": {
      "ActivityID": "DCA9073D-A053-4D86-A71A-A22443FB751F"
    },
    "execution": {
      "process_id": 1352,
      "thread_id": 1684
    },
    "channel": "System",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
    }
  },
  "event_data": {
    "SupportInfo1": 1,
    "SupportInfo2": 4195,
    "ProcessingMode": 0,
    "ProcessingTimeInMilliseconds": 671,
    "DCName": "\\\\WIN-FPV0DSIC9O6.lab.local",
    "NumberOfGroupPolicyObjects": 1
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline
• Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/group-policy/evtx-1503-user-gpo-success.md

Description

Starting computer boot policy processing for PrincipalSamName.

Message #

Starting computer boot policy processing for %2. 
Activity id: %1

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-GroupPolicy",
    "guid": "{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}",
    "event_source_name": "",
    "event_id": 4000,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 1,
    "keywords": 4611686018427387904,
    "time_created": "2026-06-13T05:23:58.0801723+00:00",
    "event_record_id": 31550,
    "correlation": {
      "ActivityID": "{A841B46F-F932-4765-A57F-C992AEC87CA4}"
    },
    "execution": {
      "process_id": 1980,
      "thread_id": 2792
    },
    "channel": "Microsoft-Windows-GroupPolicy/Operational",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "PolicyActivityId": "{a841b46f-f932-4765-a57f-c992aec87ca4}",
    "PrincipalSamName": "cell-c\\TELEMETRY-DC-C$",
    "IsMachine": "1",
    "IsDomainJoined": "true",
    "IsBackgroundProcessing": "false",
    "IsAsyncProcessing": "false",
    "IsServiceRestart": "false",
    "ReasonForSyncProcessing": "5"
  },
  "message": "Starting computer boot policy processing for cell-c\\TELEMETRY-DC-C$. \r\nActivity id: {a841b46f-f932-4765-a57f-c992aec87ca4}"
}

References #

• Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/group-policy/evtx-4000-computer-boot-gpo-processing-start.md

Description

Starting user logon Policy processing for PrincipalSamName.

Message #

Starting user logon Policy processing for %2. 
Activity id: %1

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-GroupPolicy",
    "guid": "{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}",
    "event_source_name": "",
    "event_id": 4001,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 1,
    "keywords": 4611686018427387904,
    "time_created": "2026-06-13T05:23:59.5469576+00:00",
    "event_record_id": 31589,
    "correlation": {
      "ActivityID": "{DC96B6CB-CED9-4463-8C28-581ADFFD8E96}"
    },
    "execution": {
      "process_id": 1980,
      "thread_id": 2780
    },
    "channel": "Microsoft-Windows-GroupPolicy/Operational",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "PolicyActivityId": "{dc96b6cb-ced9-4463-8c28-581adffd8e96}",
    "PrincipalSamName": "cell-c\\domainadmin",
    "IsMachine": "0",
    "IsDomainJoined": "true",
    "IsBackgroundProcessing": "false",
    "IsAsyncProcessing": "false",
    "IsServiceRestart": "false",
    "ReasonForSyncProcessing": "5"
  },
  "message": "Starting user logon Policy processing for cell-c\\domainadmin. \r\nActivity id: {dc96b6cb-ced9-4463-8c28-581adffd8e96}"
}

References #

• Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/group-policy/evtx-4001-user-logon-gpo-processing-start.md

Description

Starting policy processing due to network state change for computer PolicyActivityId.

Message #

Starting policy processing due to network state change for computer %2. 
Activity id: %1

Fields #

Description

Starting policy processing due to network state change for user PolicyActivityId.

Message #

Starting policy processing due to network state change for user %2. 
Activity id: %1

Fields #

Description

Starting manual processing of policy for computer PrincipalSamName.

Message #

Starting manual processing of policy for computer %2. 
Activity id: %1

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-GroupPolicy",
    "guid": "{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}",
    "event_source_name": "",
    "event_id": 4004,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 1,
    "keywords": 4611686018427387904,
    "time_created": "2026-05-29T06:52:27.2496306+00:00",
    "event_record_id": 29388,
    "correlation": {
      "ActivityID": "{84ECAB31-F9E8-4B4F-A2FD-465D7AC5C011}"
    },
    "execution": {
      "process_id": 1864,
      "thread_id": 5828
    },
    "channel": "Microsoft-Windows-GroupPolicy/Operational",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "PolicyActivityId": "{84ecab31-f9e8-4b4f-a2fd-465d7ac5c011}",
    "PrincipalSamName": "cell-c\\TELEMETRY-DC-C$",
    "IsMachine": "1",
    "IsDomainJoined": "true",
    "IsBackgroundProcessing": "true",
    "IsAsyncProcessing": "false",
    "IsServiceRestart": "false",
    "ReasonForSyncProcessing": "0"
  },
  "message": "Starting manual processing of policy for computer cell-c\\TELEMETRY-DC-C$. \r\nActivity id: {84ecab31-f9e8-4b4f-a2fd-465d7ac5c011}"
}

References #

• Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/group-policy/evtx-4004-computer-manual-gpo-processing-start.md

Description

Starting manual processing of policy for user PrincipalSamName.

Message #

Starting manual processing of policy for user %2. 
Activity id: %1

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-GroupPolicy",
    "guid": "{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}",
    "event_source_name": "",
    "event_id": 4005,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 1,
    "keywords": 4611686018427387904,
    "time_created": "2026-06-13T14:56:40.7919982+00:00",
    "event_record_id": 18255,
    "correlation": {
      "ActivityID": "{805A095A-2906-4A2D-AFAE-826D5D69CA6F}"
    },
    "execution": {
      "process_id": 1904,
      "thread_id": 552
    },
    "channel": "Microsoft-Windows-GroupPolicy/Operational",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "PolicyActivityId": "{805a095a-2906-4a2d-afae-826d5d69ca6f}",
    "PrincipalSamName": "cell-a\\domainadmin",
    "IsMachine": "0",
    "IsDomainJoined": "true",
    "IsBackgroundProcessing": "true",
    "IsAsyncProcessing": "false",
    "IsServiceRestart": "false",
    "ReasonForSyncProcessing": "0"
  },
  "message": "Starting manual processing of policy for user cell-a\\domainadmin. \r\nActivity id: {805a095a-2906-4a2d-afae-826d5d69ca6f}"
}

References #

• Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/group-policy/evtx-4005-user-manual-gpo-processing-start.md

Description

Starting periodic policy processing for computer PrincipalSamName.

Message #

Starting periodic policy processing for computer %2. 
Activity id: %1

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-GroupPolicy",
    "guid": "{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}",
    "event_source_name": "",
    "event_id": 4006,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 1,
    "keywords": 4611686018427387904,
    "time_created": "2026-06-13T14:09:17.1640288+00:00",
    "event_record_id": 34982,
    "correlation": {
      "ActivityID": "{DBCFE2FB-1977-4351-9D05-5BF8388C112E}"
    },
    "execution": {
      "process_id": 1980,
      "thread_id": 1816
    },
    "channel": "Microsoft-Windows-GroupPolicy/Operational",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "PolicyActivityId": "{dbcfe2fb-1977-4351-9d05-5bf8388c112e}",
    "PrincipalSamName": "cell-c\\TELEMETRY-DC-C$",
    "IsMachine": "1",
    "IsDomainJoined": "true",
    "IsBackgroundProcessing": "true",
    "IsAsyncProcessing": "false",
    "IsServiceRestart": "false",
    "ReasonForSyncProcessing": "0"
  },
  "message": "Starting periodic policy processing for computer cell-c\\TELEMETRY-DC-C$. \r\nActivity id: {dbcfe2fb-1977-4351-9d05-5bf8388c112e}"
}

Description

Starting periodic policy processing for user PrincipalSamName.

Message #

Starting periodic policy processing for user %2. 
Activity id: %1

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-GroupPolicy",
    "guid": "AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9",
    "event_source_name": "",
    "event_id": 4007,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 1,
    "keywords": 4611686018427387904,
    "time_created": "2026-03-14T01:40:41.526525+00:00",
    "event_record_id": 179683,
    "correlation": {
      "ActivityID": "261F3C8C-5577-42F1-99D9-89D7A88E5B00"
    },
    "execution": {
      "process_id": 1112,
      "thread_id": 6604
    },
    "channel": "Microsoft-Windows-GroupPolicy/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "PolicyActivityId": "261F3C8C-5577-42F1-99D9-89D7A88E5B00",
    "PrincipalSamName": "ludus\\domainadmin",
    "IsMachine": 0,
    "IsDomainJoined": true,
    "IsBackgroundProcessing": true,
    "IsAsyncProcessing": false,
    "IsServiceRestart": false,
    "ReasonForSyncProcessing": 0
  },
  "message": ""
}

Description

Starting CSEExtensionName Extension Processing.

Message #

Starting %2 Extension Processing. 

List of applicable Group Policy objects: (%5)

%6

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-GroupPolicy",
    "guid": "{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}",
    "event_source_name": "",
    "event_id": 4016,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 1,
    "keywords": 4611686018427387904,
    "time_created": "2026-06-13T13:39:15.5855300+00:00",
    "event_record_id": 34796,
    "correlation": {
      "ActivityID": "{C2EE9D80-D0BC-4B89-9A29-4D244941B824}"
    },
    "execution": {
      "process_id": 1980,
      "thread_id": 1816
    },
    "channel": "Microsoft-Windows-GroupPolicy/Operational",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "CSEExtensionId": "{827d319e-6eac-11d2-a4ea-00c04f79f83a}",
    "CSEExtensionName": "Security",
    "IsExtensionAsyncProcessing": "true",
    "IsGPOListChanged": "true",
    "GPOListStatusString": "%%4102",
    "DescriptionString": "Default Domain Policy\nDefault Domain Controllers Policy\n",
    "ApplicableGPOList": "<GPO ID=\"{31B2F340-016D-11D2-945F-00C04FB984F9}\"><Name>Default Domain Policy</Name></GPO><GPO ID=\"{6AC1786C-016F-11D2-945F-00C04fB984F9}\"><Name>Default Domain Controllers Policy</Name></GPO>"
  },
  "message": "Starting Security Extension Processing. \r\n\r\nList of applicable Group Policy objects: (Changes were detected.)\r\n\r\nDefault Domain Policy\nDefault Domain Controllers Policy\n"
}

Description

OperationDescription Parameter

Message #

%1 
%2

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-GroupPolicy",
    "guid": "{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}",
    "event_source_name": "",
    "event_id": 4017,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2026-06-13T14:09:17.3157615+00:00",
    "event_record_id": 35002,
    "correlation": {
      "ActivityID": "{DBCFE2FB-1977-4351-9D05-5BF8388C112E}"
    },
    "execution": {
      "process_id": 1980,
      "thread_id": 1816
    },
    "channel": "Microsoft-Windows-GroupPolicy/Operational",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "OperationDescription": "%%4131",
    "Parameter": "\\\\cell-c.ludus.domain\\sysvol\\cell-c.ludus.domain\\Policies\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\gpt.ini"
  },
  "message": "Making system calls to access specified file. \r\n\\\\cell-c.ludus.domain\\sysvol\\cell-c.ludus.domain\\Policies\\{6AC1786C-016F-11D2-945F-00C04fB984F9}\\gpt.ini"
}

Description

Starting ScriptType for PrincipalSamName.

Message #

Starting %2 for %1.

Fields #

Description

Running script name ScriptName.

Message #

Running script name %1.

Fields #

Description

Group Policy Service started.

Message #

Group Policy Service started.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-GroupPolicy",
    "guid": "{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}",
    "event_source_name": "",
    "event_id": 4115,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2026-06-13T05:22:56.1841189+00:00",
    "event_record_id": 31538,
    "correlation": {},
    "execution": {
      "process_id": 1980,
      "thread_id": 1052
    },
    "channel": "Microsoft-Windows-GroupPolicy/Operational",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "IsServiceRestart": "false",
    "IsMachineBoot": "true"
  },
  "message": "Group Policy Service started."
}