Fall out of the GPO scope

    Question

  • Hello there,

    I have an Active Directory domain; all domain controllers are W2K3, with more than 800 active users and 200 Windows Vista Business edition clients.

    A couple of months ago I reformatted all of the clients using WDS and joined them to the domain. Everything worked fine and clean until recently, when I noticed that some of the clients fall out of the Group Policy settings I defined on the domain controller. For example, in one of the GPOs I defined a setting to deny access to Control Panel, but as I mentioned, on some of them Control Panel is accessible.

    I did the following to fix those clients, but it doesn't work:

    disjoining them and joining them back to the domain

    running gpupdate with the force switch on affected clients

    Also, I checked the event log on the clients and found the following entries:

    Log Name:      System
    Source:        Microsoft-Windows-GroupPolicy
    Date:          12/23/2012 12:51:20 AM
    Event ID:      1006
    Task Category: None
    Level:         Error
    Keywords:     
    User:          SYSTEM
    Computer:      computernam.domainname.somthing
    Description:
    The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" />
        <EventID>1006</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>1</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2012-12-22T21:51:20.105806700Z" />
        <EventRecordID>36183</EventRecordID>
        <Correlation ActivityID="{2E94115E-29D8-4DA2-8402-2E1807DE51B7}" />
        <Execution ProcessID="1220" ThreadID="2884" />
        <Channel>System</Channel>
        <Computer>computer</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data Name="SupportInfo1">1</Data>
        <Data Name="SupportInfo2">4934</Data>
        <Data Name="ProcessingMode">0</Data>
        <Data Name="ProcessingTimeInMilliseconds">4165</Data>
        <Data Name="ErrorCode">49</Data>
        <Data Name="ErrorDescription">Invalid Credentials</Data>
        <Data Name="DCName">
        </Data>
      </EventData>
    </Event>

    Also this one:

    Log Name:      System
    Source:        Microsoft-Windows-GroupPolicy
    Date:          1/25/2013 3:18:51 PM
    Event ID:      1058
    Task Category: None
    Level:         Error
    Keywords:     
    User:          SYSTEM
    Computer:      computernam.domainname.somthing
    Description:
    The processing of Group Policy failed. Windows attempted to read the file \\computernam.domainname.somthing\sysvol\computernam.domainname.somthing\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
    a) Name Resolution/Network Connectivity to the current domain controller.
    b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
    c) The Distributed File System (DFS) client has been disabled.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" />
        <EventID>1058</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>1</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2013-01-25T12:18:51.515528300Z" />
        <EventRecordID>44469</EventRecordID>
        <Correlation ActivityID="{ECE8C338-ACE0-4819-89FB-7DB79231696E}" />
        <Execution ProcessID="1392" ThreadID="3236" />
        <Channel>System</Channel>
        <Computer>computernam.domainname.somthing</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data Name="SupportInfo1">4</Data>
        <Data Name="SupportInfo2">840</Data>
        <Data Name="ProcessingMode">0</Data>
        <Data Name="ProcessingTimeInMilliseconds">28018</Data>
        <Data Name="ErrorCode">1352</Data>
        <Data Name="ErrorDescription">The security account manager (SAM) or local security authority (LSA) server was in the wrong state to perform the security operation. </Data>
        <Data Name="DCName">computernam.domainname.somthing</Data>
        <Data Name="GPOCNName">CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=computernam.domainname.somthing,DC=local</Data>
        <Data Name="FilePath">\\computernam.domainname.somthing\sysvol\computernam.domainname.somthing\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini</Data>
      </EventData>
    </Event>

    When I join a newly installed machine to the domain everything works fine, even the affected ones after reformatting them.

    Any help or ideas will be appreciated.

    shad

     

    Monday, March 25, 2013 11:03 AM
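
A triage sketch for the two events quoted in the question, added here as an example (not code from the thread or from Microsoft): it parses exported Event XML, keys each failure on EventID and ErrorCode, and groups failures per client so machines that are not receiving policy can be listed. The host names, the `TRIAGE` hints and the function names are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# (EventID, ErrorCode) -> triage hint. Meanings come from the event text quoted
# above; the suggested checks are this example's assumptions.
TRIAGE = {
    ("1006", "49"): "LDAP bind failed (Invalid Credentials): verify the computer account and its secure channel",
    ("1058", "1352"): "gpt.ini unreadable (SAM/LSA in wrong state): check DC name resolution and SYSVOL replication",
}

def parse_gp_event(xml_text):
    """Extract the triage fields from one exported Event XML record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    # Strip whitespace: the 1006 event above carries a DCName holding only a newline.
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    event_id = system.findtext("e:EventID", default="", namespaces=NS)
    code = data.get("ErrorCode", "")
    return {
        "event_id": event_id,
        "computer": system.findtext("e:Computer", default="", namespaces=NS),
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "error_code": code,
        "dc": data.get("DCName") or "(none recorded)",
        "hint": TRIAGE.get((event_id, code), "unclassified"),
    }

def hosts_missing_policy(xml_records):
    """Group failures per client so machines not receiving policy can be listed."""
    by_host = defaultdict(list)
    for rec in map(parse_gp_event, xml_records):
        by_host[rec["computer"]].append((rec["event_id"], rec["error_code"], rec["dc"]))
    return dict(by_host)

# Constructed sample: the two events above, trimmed, with placeholder host names.
_EVT = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
        '<EventID>{eid}</EventID><TimeCreated SystemTime="{ts}" />'
        '<Computer>{host}</Computer></System><EventData>'
        '<Data Name="ErrorCode">{code}</Data><Data Name="DCName">{dc}</Data>'
        '</EventData></Event>')
SAMPLE = [
    _EVT.format(eid=1006, ts="2012-12-22T21:51:20.105806700Z", host="client01.example.local", code=49, dc="\n    "),
    _EVT.format(eid=1058, ts="2013-01-25T12:18:51.515528300Z", host="client01.example.local", code=1352, dc="dc01.example.local"),
]
if __name__ == "__main__":
    print(hosts_missing_policy(SAMPLE))
```
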

Answers

All replies

  •  
    > The processing of Group Policy failed. Windows attempted to read the
    > file
    > \\computernam.domainname.somthing\sysvol\computernam.domainname.somthing\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini
    > from a domain controller and was not successful. Group Policy settings
    > may not be applied until this event is resolved. This issue may be
    > transient and could be caused by one or more of the following:
     
    Check Sysvol replication... (DFSR or NTFRS)
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
    Monday, March 25, 2013 7:26 PM
  • Hi,

    Thanks for posting your issue in the forum.

    Regarding the current issue, since Event ID 1058 and 1006 were logged when applying Group Policy, I suggest we could refer to the following articles for troubleshooting.

    Event ID 1058 — Group Policy Preprocessing (Networking)

    http://technet.microsoft.com/en-us/library/cc727259(v=ws.10).aspx

    Event ID 1058 — Group Policy Preprocessing (Networking)

    http://social.technet.microsoft.com/wiki/contents/articles/1456.event-id-1058-group-policy-preprocessing-networking.aspx

    Event ID: 1058 Source: Userenv

    http://www.eventid.net/display.asp?eventid=1058&eventno=1542&source=Userenv&phase=1

    Event ID 1006 — Group Policy Preprocessing (Active Directory)

    http://technet.microsoft.com/en-us/library/cc727283(v=ws.10).aspx

    Hope this helps.

    Best Regards,

    Andy Qi

    TechNet Subscriber Support

    TechNet Community Support

    • Marked as answer by Shad Qadir Wednesday, March 27, 2013 5:11 AM
    Tuesday, March 26, 2013 7:52 AM
  • Thank you, Andy & Martin.

    I followed the instructions you provided. The replication process is fine and efficient, for now at least.

    Thank you very much.

    Wednesday, March 27, 2013 5:11 AM
  •  
    > I followed the instructions you provided. The replication process is
    > fine and efficient for now at least.
     
    Was it in error before? And hopefully, AD replication is fine, too?
     

    Thursday, March 28, 2013 11:00 PM
  • Thank you for your post, Martin,

    Yes, it was, but as I mentioned, after reformatting all the systems it started happening again. Also, I did check the replication; it is fine and functioning. As far as I have collected information about this issue, I can say 18% of all machines were affected. There is no way to apply the missing policy to the affected machines. I will reformat them.

    shad

    Monday, April 01, 2013 11:12 AM
  • On 01.04.2013 13:12, shad.q wrote:
    > I will reformat them
     
    Sometimes, that's not as bad an idea as it sounds at first glance ;-)
    Good luck!
     

    Monday, April 01, 2013 9:20 PM