JSI Tip 7479. A tool to interpret the Group Policy client-side extension Security flags.
November 23, 2003
In tip 4511, How do I interpret USERENV 1000 Events, I explained how to interpret the Group Policy client-side extension Security flags.
Using tip 5842, How do I convert a decimal number to hexadecimal, I have scripted SceCliFlags.bat to interpret the Group Policy client-side extension Security flags for you.
The syntax for using SceCliFlags.bat is:
SceCliFlags DecimalFlagsValue
where DecimalFlagsValue is the nnnn value displayed as "flags (nnnn)" in the Description of the Event ID 1000 error.
Usage Examples:
1. If the Description is The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (1332):
SceCliFlags 17
which returns:
Apply machine policy rather than user policy.
Background refresh of policy (ok to do slow stuff).
2. If the Description contains flags (33):
SceCliFlags 33
which returns:
Apply machine policy rather than user policy.
Policy is being applied across a slow link.
3. If the Description contains flags (2048):
SceCliFlags 2048
which returns:
windows safe mode boot flag.
4. If the Description contains flags (4081):
SceCliFlags 4081
which returns:
Apply machine policy rather than user policy.
Background refresh of policy (ok to do slow stuff).
Policy is being applied across a slow link.
Verbose output to the eventlog.
No changes were detected to the Group Policy Objects.
A change in link speed was detected between previous policy application and current policy application.
A Change in Rsop Logging was detected between previous policy application and current policy application, (new intf only).
Forced Refresh is being applied. redo policies.
windows safe mode boot flag.
SceCliFlags.bat contains:
@echo off
setlocal
if {%1}=={} goto syntax
rem Prefix 10000 and take the remainder so leading zeros are not read as octal.
set /a decflag=10000%1%%10000
rem Dec2Hex (tip 5842) returns the hex string in Hex and its length in len.
call Dec2Hex %decflag% Hex len
if %len% GTR 3 goto syntax
if %len% EQU 0 goto syntax
rem Left-pad the hex value to three digits (12 bits).
set mask=%hex%
if %len% EQU 1 set mask=00%hex%
if %len% EQU 2 set mask=0%hex%
rem Lookup table: each 5-character entry is a hex digit followed by its 4 bits.
set tab=00000100012001030011401005010160110701118100091001A1010B1011C1100D1101E1110F1111XXXXX
set byte=%mask:~0,1%
call :bits
set out=%bitmask%
set byte=%mask:~1,1%
call :bits
set out=%out%%bitmask%
set byte=%mask:~2,1%
call :bits
set out=%out%%bitmask%
rem Walk the 12-character bit string from the right (least significant bit) to the left.
set /a cnt=12
:intloop
set /a cnt=%cnt% - 1
if %cnt% LSS 0 endlocal&goto :EOF
call set byte=%%out:~%cnt%^,1%%
if "%byte%" EQU "1" goto disp%cnt%
goto intloop
:disp11
@echo Apply machine policy rather than user policy.
goto intloop
:disp10
@echo ???
goto intloop
:disp9
@echo ???
goto intloop
:disp8
@echo ???
goto intloop
:disp7
@echo Background refresh of policy (ok to do slow stuff).
goto intloop
:disp6
@echo Policy is being applied across a slow link.
goto intloop
:disp5
@echo Verbose output to the eventlog.
goto intloop
:disp4
@echo No changes were detected to the Group Policy Objects.
goto intloop
:disp3
@echo A change in link speed was detected between previous policy application and current policy application.
goto intloop
:disp2
@echo A Change in Rsop Logging was detected between previous policy application and current policy application, (new intf only).
goto intloop
:disp1
@echo Forced Refresh is being applied. redo policies.
goto intloop
:disp0
@echo windows safe mode boot flag.
goto intloop
rem Subroutine: look up the hex digit in byte and return its 4 bits in bitmask.
:bits
set /a cnt=0
:loop
call set work=%%tab:~%cnt%^,1%%
if /i "%byte%" EQU "%work%" goto ok
set /a cnt=%cnt% + 5
goto loop
:ok
set /a cnt=%cnt% + 1
call set bitmask=%%tab:~%cnt%^,4%%
goto :EOF
:syntax
@echo Syntax: SceCliFlags nnnn
endlocal
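An added example, not part of the original tip or of SceCliFlags.bat: the same bit table in Python, reading the flags and status code straight from the Event ID 1000 Description text and reporting any set bits the table does not name (the ones the batch file prints as ???). The function names are hypothetical, and every sample description except the one quoted in usage example 1 is constructed.

```python
import re

# Bit values follow the disp11..disp0 labels in SceCliFlags.bat (disp11 is the
# least significant bit); the texts are the script's own output strings.
FLAG_TEXT = {
    0x001: "Apply machine policy rather than user policy.",
    0x010: "Background refresh of policy (ok to do slow stuff).",
    0x020: "Policy is being applied across a slow link.",
    0x040: "Verbose output to the eventlog.",
    0x080: "No changes were detected to the Group Policy Objects.",
    0x100: "A change in link speed was detected between previous policy application and current policy application.",
    0x200: "A Change in Rsop Logging was detected between previous policy application and current policy application, (new intf only).",
    0x400: "Forced Refresh is being applied. redo policies.",
    0x800: "windows safe mode boot flag.",
}
KNOWN_MASK = sum(FLAG_TEXT)  # keys are distinct single bits, so sum == bitwise OR

FLAGS_RE = re.compile(r"flags \((\d+)\)")
STATUS_RE = re.compile(r"status code of \((\d+)\)")

def decode_flags(value):
    """Return (descriptions of the set bits, low bit first; unnamed bits)."""
    known = [text for bit, text in sorted(FLAG_TEXT.items()) if value & bit]
    return known, value & ~KNOWN_MASK

def parse_description(description):
    """Pull flags (and status code, if present) out of an event Description."""
    m = FLAGS_RE.search(description)
    if m is None:
        raise ValueError("no 'flags (nnnn)' field in description")
    s = STATUS_RE.search(description)
    known, unknown = decode_flags(int(m.group(1)))
    return {"flags": int(m.group(1)), "status": int(s.group(1)) if s else None,
            "known": known, "unknown_bits": unknown}

if __name__ == "__main__":
    samples = [
        # Quoted in usage example 1 of the tip:
        "The Group Policy client-side extension Security was passed flags (17) "
        "and returned a failure status code of (1332)",
        # Constructed: sets bits 1 and 2, which the batch file shows as ???
        "The Group Policy client-side extension Security was passed flags (23)",
    ]
    for line in samples:
        r = parse_description(line)
        print(f"flags={r['flags']} status={r['status']} unnamed=0x{r['unknown_bits']:X}")
        for text in r["known"]:
            print("  " + text)
```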