Group Policy Application Health Test

The application event log may capture several different issues that make up a category of warnings collectively called "1202 events” – i.e., events with the event ID 1202. Events of this category are typically related to group policy propogation. The common error codes under this category are as follows:

  • Error code 0x5 – Access is denied: This issue occurs because of the locked-down security that was originally set on the FRS through Group Policy. When you attempt to configure the FRS through Group Policy, the policy engine no longer has the permission to set security on the FRS and does not attempt to take ownership of the FRS.
  • Error code 0xd – The data is invalid: This behavior occurs because three system environment variables (%SYSVOL%, %DSDIT%, and %DSLOG%) are referenced in the Basicdc.inf file, but exist only during the Dcpromo process. These error messages are generated each time the Default Domain Controllers policy is applied.
  • Error code 0x3e5 - Overlapped I/O operation is in progress: This problem can occur if a third-party, real-time backup product interferes with Active Directory operations.
  • Error code 0x534 - No mapping between account names and security IDs was done: A program was installed, which creates user accounts and assigns rights to those user accounts. Later, the program was removed, the user accounts deleted, but the rights from policy before the accounts were still there. A user account is added and rights assigned to the account. The account is deleted, but not from security policies. The "0x534" code is the hex for "1332". 
  • Error code 0x4b8 - An extended error occurred: A conflict in Group Policy can cause these events to occur. These error messages can occur if the "Rename Administrator Account" security policy is enabled and then set to an account name that is already in use. 

Using the Group Policy Application Health test, you can be instantly alerted if any of the aforesaid errors, which are categorized as ‘1202 events’, is captured by the application event log. Detailed diagnostics provided by the test will enable you to troubleshoot these errors. This way, issues in group policy application/propogation can be quickly captured and efficiently resolved. 

Target of the test : An Active Directory

Agent deploying the test : An internal agent

Outputs of the test : One set of results for every Active Directory site that is being monitored

Configurable parameters for the test
Parameters Description

Test period

This indicates how often should the test be executed.


The IP address of the machine where the Active Directory is installed.


The port number through which the Active Directory communicates. The default port number is 389.


Refers to the type of event logs to be monitored. By default, this is set to Application

Policy Based Filter

Using this page, administrators can configure the event sources, event IDs, and event descriptions to be monitored by this test. In order to enable administrators to easily and accurately provide this specification, this page provides the following options:

  • Manually specify the event sources, IDs, and descriptions in the Filter text area, or,
  • Select a specification from the predefined filter policies listed in the Filter box

For explicit, manual specification of the filter conditions, select the No option against the Policy Based Filter field. To choose from the list of pre-configured filter policies, or to create a new filter policy and then associate the same with the test, select the Yes option against the Policy Based Filter field. Since this test is pre-configured with a filter policy definition, this flag is set to Yes by default.


For this test, the Filter is set to all by default. The all filter policy is pre-configured to monitor all event descriptions with the event source SceCli and event ID 1202. Do not disturb this default setting.


The eG agent can either use WMI to extract event log statistics or directly parse the event logs using event log APIs. If the UseWMI flag is Yes, then WMI is used. If not, the event log APIs are used. This option is provided because on some Windows NT/2000 systems (especially ones with service pack 3 or lower), the use of WMI access to event logs can cause the CPU usage of the WinMgmt process to shoot up. On such systems, set the UseWMI parameter value to No. On the other hand, when monitoring systems that are operating on any other flavor of Windows (say, Windows 2003/XP/2008/7/Vista/12), the USEWMI flag should always be set to ‘Yes’.

DD Frequency

Refers to the frequency with which detailed diagnosis measures are to be generated for this test. The default is 1:1. This indicates that, by default, detailed measures will be generated every time this test runs, and also every time the test detects a problem. You can modify this frequency, if you so desire. Also, if you intend to disable the detailed diagnosis capability for this test, you can do so by specifying none against DD Frequency.

Detailed Diagnosis

To make diagnosis more efficient and accurate, the eG Enterprise suite embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click on the Off option.

The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled:

  • The eG manager license should allow the detailed diagnosis capability
  • Both the normal and abnormal frequencies configured for the detailed diagnosis measures should not be 0.
Measurements made by the test
Measurement Description Measurement Unit Interpretation


Indicates whether/not events with ID 1202 occurred.


This measure reports the value Bad if the application log captures an 1202 event. On the other hand, the value Good is reported if the 1202 error event is not captured but the application log.

The numeric values that correspond to these measure values are as follows:

Measure Value Numeric Value
Bad 0
Good 1


By default, the test reports the Measure Values listed in the table above to indicate the status of group policy application. In the graph of this measure however, the same is indicated using the numeric equivalents only.

The detailed diagnosis of this measure reports the complete details of the 1202 error events (if any) captured by the application log.