gpupdate/force fails on Windows 7 domain members

    Question

  • Hi Folks,

    I have Windows Server 2008R2 Domain Controller (srvr) and a Windows 7 Domain Member (clnt). When I execute "gpupdate/force" on clnt, I get the following text:

    C:\Windows\system32>gpupdate/force
    Updating Policy...

    User policy could not be updated successfully. The following errors were encountered:

    The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.

    Computer policy could not be updated successfully. The following errors were encountered:

    The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LDAP://CN=Machine,cn={C22E6C80-D4C3-4FEA-B2BA-FE43D8B931EB},cn=policies,cn=system,DC=TCLC,DC=org. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.

    The following warnings were encountered during computer policy processing:

    Windows failed to apply the Group Policy Local Users and Groups settings. Group Policy Local Users and Groups settings might have its own log file. Please click on the "More information" link.
    Windows failed to apply the Group Policy Registry settings. Group Policy Registry settings might have its own log file. Please click on the "More information" link.

    To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

    In the event log, also on clnt:

    + System
    - Provider
    [ Name] Microsoft-Windows-GroupPolicy
    [ Guid] {AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}
    EventID 1030
    Version 0
    Level 2
    Task 0
    Opcode 1
    Keywords 0x8000000000000000
    - TimeCreated
    [ SystemTime] 2016-07-23T22:00:21.490699100Z
    EventRecordID 560506
    - Correlation
    [ ActivityID] {66E62F91-32C7-4000-AF16-B507270A64F6}
    - Execution
    [ ProcessID] 584
    [ ThreadID] 2108
    Channel System
    Computer ORDER.TCLC.org
    - Security
    [ UserID] S-1-5-21-2272066503-1558053515-3376931032-1159
    - EventData
    SupportInfo1 1
    SupportInfo2 2541
    ProcessingMode 0
    ProcessingTimeInMilliseconds 764
    ErrorCode 1326
    ErrorDescription Logon failure: unknown user name or bad password.
    DCName \\Justice.TCLC.org

    So, that's pretty clear. And interestingly, I have recently changed my password for both myself and the administrative account. However, I have been through and I have changed them to the same value everywhere, so it is not clear what username/password is in question. Additionally, this is the only machine complaining. I can log on to any machine in the domain, including this one, with both my newly changed credentials and those of the administrative user.

    I have removed the machine from the domain and re-joined the domain. This had no effect. I have a few machines in this domain but only one is behaving badly.

    I've tried a number of procedures to clear the GPO cache, but I have not resolved the problem, so either clearing the GPO cache is not germane or I am not actually doing what I think I'm doing.

    How do I troubleshoot this?

    Thanks for the help.

    Chris.


    Thanks for the help,

    Chris.

    Saturday, July 23, 2016 11:00 PM

All replies

  • I can't see the correlation between the two items [gpupdate output & the EVT] (maybe you've already confirmed they are related?):

    Windows could not apply the registry-based policy settings for the Group Policy object LDAP://CN=Machine,cn={C22E6C80-D4C3-4FEA-B2BA-FE43D8B931EB},cn=policies,cn=system,DC=TCLC,DC=org.

    Windows failed to apply the Group Policy Local Users and Groups settings. Group Policy Local Users and Groups settings might have its own log file. Please click on the "More information" link. Windows failed to apply the Group Policy Registry settings. Group Policy Registry settings might have its own log file. Please click on the "More information" link.

    Does that specified GPO GUID actually invoke GPP-LUG & GPP-Reg CSE's?

    Did gpresult /h somefile.html, reveal anything useful?

    Try enabling the verbose logging/tracing (guide below) to see if you learn anything else from the extra detail.

    http://www.verboon.info/2013/08/how-to-enable-group-policy-preferences-logging-via-the-local-group-policy-editor/

    http://www.virtuallyimpossible.co.uk/enable-group-policy-preference-logging-and-tracing/

    https://blogs.technet.microsoft.com/askds/2008/07/18/enabling-group-policy-preferences-debug-logging-using-the-rsat/

    Assuming it's a 'machine' policy, and assuming you've not enabled "Run in Logged on User’s Security Context", the account in question would be the computer account/object, and not the user account/object.

    Also assuming you aren't using/haven't enabled GP Loopback Processing?


    Don [doesn't work for MSFT, and they're probably glad about that ;]


    • Edited by DonPick Saturday, July 23, 2016 11:33 PM
    • Proposed as answer by Jay Gu (Moderator) Thursday, July 28, 2016 5:11 AM
    • Unproposed as answer by cjm51213 Thursday, July 28, 2016 2:33 PM
    Saturday, July 23, 2016 11:32 PM
  • Hi Chris,

    This issue occurs when there is an absence of authenticated connectivity from the computer to the domain controller.

    I suggest you use the ipconfig /all and dcdiag /v commands to check the network connectivity and the health of your domain.

    For the event, you could take a look:

    Event ID 1030 — Group Policy Preprocessing (Active Directory)

    https://technet.microsoft.com/en-us/library/dd392566(v=ws.10).aspx

    Here is a similar thread below that may be helpful to you.

    Failure of Active Directory supported services

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/41fe5282-9190-462b-b1a0-9b39fd093163/failure-of-active-directory-supported-services?forum=winserverDS

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Jay Gu (Moderator) Thursday, July 28, 2016 5:11 AM
    • Unproposed as answer by cjm51213 Thursday, July 28, 2016 2:33 PM
    Monday, July 25, 2016 2:53 AM
    Moderator
  • I can't see the correlation between the two items [gpupdate output & the EVT] (maybe you've already confirmed they are related?):

    Yes.


    Windows could not apply the registry-based policy settings for the Group Policy object LDAP://CN=Machine,cn={C22E6C80-D4C3-4FEA-B2BA-FE43D8B931EB},cn=policies,cn=system,DC=TCLC,DC=org.

    Windows failed to apply the Group Policy Local Users and Groups settings. Group Policy Local Users and Groups settings might have its own log file. Please click on the "More information" link. Windows failed to apply the Group Policy Registry settings. Group Policy Registry settings might have its own log file. Please click on the "More information" link.

    Does that specified GPO GUID actually invoke GPP-LUG & GPP-Reg CSE's?

    Did gpresult /h somefile.html, reveal anything useful?

    No.



    Try enabling the verbose logging/tracing (guide below) to see if you learn anything else from the extra detail.

    http://www.verboon.info/2013/08/how-to-enable-group-policy-preferences-logging-via-the-local-group-policy-editor/

    http://www.virtuallyimpossible.co.uk/enable-group-policy-preference-logging-and-tracing/

    https://blogs.technet.microsoft.com/askds/2008/07/18/enabling-group-policy-preferences-debug-logging-using-the-rsat/

    There is a list of twenty or so such policies, and even if I knew which policy, the whole problem is that I CAN'T gpupdate/force on this client, so I can't invoke a logging/tracing policy. I would desperately like to know which credentials are invalid. I have removed this client from the domain and re-joined, so that should be correct and I have been quite diligent about changing my administrative username password both locally and in ADUC.


    Assuming it's a 'machine' policy, and assuming you've not enabled "Run in Logged on User’s Security Context", the account in question would be the computer account/object, and not the user account/object.


    I doubt the security context is the issue, since this is the only machine exhibiting this pathology, and the security context is controlled by Group Policy across the domain.


    Thanks for the help,

    Chris.


    • Edited by cjm51213 Friday, July 29, 2016 2:53 PM
    Thursday, July 28, 2016 4:56 PM
  • This issue occurs when there is an absence of authenticated connectivity from the computer to the domain controller.

    I suspect this as well because this behavior would be explained, but I am unable to confirm this by any means, meaning all attempts to demonstrate this lack of authenticated connectivity prove that there is, in fact, authenticated connectivity.


    I suggest you use ipconfig /all and dcdiag /v command to check the network connectivity and the health of your domain.

    ipconfig shows me exactly what you would expect. DHCP assigned values, all in the correct range. dcdiag is a domain controller command, which is not the problem because the problem is limited to only one domain member desktop and dcdiag has no relevance to non-domain controllers.


    Thanks for the help,

    Chris.



    • Edited by cjm51213 Friday, July 29, 2016 2:53 PM
    Friday, July 29, 2016 2:51 PM
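
One way to see which account each event 1030 failure was recorded under and to check the computer account's secure channel to the DC named in the event, as an added example that is not part of the original thread. The function names `Get-GpFailureSummary` and `Test-DcChannel` are hypothetical, and the script assumes an elevated PowerShell 2.0 or later prompt on the affected client.

```powershell
# Added example; function names are hypothetical. Run elevated on the affected client.
function Get-GpFailureSummary {
    param([int]$MaxEvents = 20)
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-GroupPolicy'; Id = 1030 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt  = $_
            $xml  = [xml]$evt.ToXml()
            # EventData holds the named fields shown in the thread (ErrorCode, DCName, ...).
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            # Security/UserID is the SID recorded with the event. S-1-5-18 is
            # LocalSystem; an S-1-5-21-... SID is a domain or local account.
            $sid = $xml.Event.System.Security.UserID
            try {
                $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($sid)
                $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $account = '<could not resolve>'
            }

            New-Object PSObject -Property @{
                Time = $evt.TimeCreated; ErrorCode = $data['ErrorCode']
                Error = $data['ErrorDescription']; DCName = $data['DCName']
                Sid = $sid; Account = $account
            }
        }
}

function Test-DcChannel {
    param([Parameter(Mandatory = $true)][string]$DcName)
    # The event stores the DC as \\host.domain; the cmdlet wants the bare name.
    $server = $DcName.TrimStart('\')
    # $true means the computer account's secure channel to that DC is intact.
    $ok = Test-ComputerSecureChannel -Server $server
    New-Object PSObject -Property @{ Server = $server; SecureChannelOk = $ok }
}

$failures = @(Get-GpFailureSummary)
$failures | Format-List Time, ErrorCode, Error, DCName, Sid, Account
$failures | Select-Object -ExpandProperty DCName -Unique |
    Where-Object { $_ } | ForEach-Object { Test-DcChannel -DcName $_ }
```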
  • Hi Chris,

    Try to follow the instructions in the article below to troubleshoot the problem.

    Troubleshooting Group Policy Using Event Logs

    https://technet.microsoft.com/zh-CN/library/7e940882-33b7-43db-b097-f3752c84f67f

    Best Regards,

    Jay



    Thursday, August 04, 2016 1:06 PM
    Moderator