Group Policy Errors

    Question

  • Hi TechNet Community,

    I am currently running into a roadblock with Group Policy, and I am unsure exactly what might be causing the problem.

    Domain Level Server 2012 R2

    Windows 7 Professional Clients

    When I run GPUpdate /force from an elevated command prompt, I receive this error:

    When I run Resultant Set of Policy (rsop.msc), I receive this error only on the User Configuration GPO section:

    Tuesday, January 24, 2017 2:02:36 PM

    Group Policy Infrastructure failed due to the error listed below.

    The data is invalid.

    Note:  Due to the GP Core failure, none of the other Group Policy components processed their policy.  Consequently, status information for the other components is not available.

    I researched this error and found that this could be a result of improperly configured DNS servers on the domain controllers.  Sure enough, I had configured the alternative DNS servers to point to 127.0.0.  But changing these to the private IP addresses of the local DC did not resolve the issue.

    I then looked within the properties of User Configuration of RSOP to see which policies have applied, and policies that have not, and found that there are two GPOs that have been deleted, but are still being applied.  And the GPOs that are under the red box annotation are shown to have a linked scope to the domain within RSOP, but they are currently not linked to the domain, and are only linked to OUs.

    I confirmed that these stale GPOs are being applied to every other user on our domain.


    I have attempted to recreate these User Configuration GPOs in an attempt to eliminate the stale, tattoo’d GPO that is still being applied.

    I have tested that SYSVOL DFS-R replication is healthy, via the DFS-R propagation and reporting tools on the domain controllers, but the replication time is 39 minutes from one of our remote AWS domain controllers.  I also used the AD Replication Status Tool to ensure that replication has no errors among domain controllers.  DCDIAG throws an error for the SystemLog, but I believe that is unrelated.

    I have since also ensured that the replication topology is in a good state based upon our network infrastructure, and have tested a manual replication task within AD Sites and Services.

    Thank you for your assistance in advance!

    Gpresult /v is too long to post in this.



    Daniel Scoland Windows 7 Professional SharePoint 2010 Microsoft Office 2010

    Wednesday, January 25, 2017 7:50 PM

Answers

  • Hi Daniel!

    Firstly, from the screenshot I can see that those GPOs are, in fact, not applied: the first one is denied due to security filtering and the second one is empty, i.e. does not contain any settings. Please confirm if my assumptions are correct.

    Secondly, please DO collect and share with us relevant log-files:

    1. Enable GP debugging log as described here. After reproducing the problem, please upload Gpsvc.log to OneDrive or similar cloud storage.

    2. Export "Applications and Services Logs\Microsoft\Windows\Group Policy\Operational" event log. Do not forget to export English display information. Upload EVTX with the corresponding MTA file into OneDrive or similar cloud storage.

    3. Please collect outputs of "gpresult /v", "gpresult /h" commands (run them in an elevated console) and upload them into the cloud too.

    4. Finally, please collect filtered output (again, with English display information) of the System event log. To filter the log use the following XPath query:

    <QueryList>
      <Query Id="0" Path="System">
        <Select Path="System">*[System[Provider[@Name='Application Management Group Policy' or @Name='Group Policy Environment' or @Name='Group Policy Management' or @Name='Group Policy Standard Edition' or @Name='GroupPolicy' or @Name='Microsoft-Windows-GroupPolicy' or @Name='Microsoft-Windows-GroupPolicyTriggerProvider']]]</Select>
      </Query>
    </QueryList>
    You need to insert the code at the "XML" tab in the "Filter Current Log" window.


    https://exchange12rocks.org/ | http://about.me/exchange12rocks

    • Marked as answer by dscoland Friday, January 27, 2017 3:42 PM
    Wednesday, January 25, 2017 9:25 PM
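
    Steps 2 to 4 of the answer above can be scripted from an elevated PowerShell prompt. This is an added example, not part of the original posts; the output folder and file names are assumptions, and it rebuilds the answer's XPath filter from the same provider names.

```powershell
# Added example. Output folder and file names are assumptions; run elevated.
$outDir = Join-Path $env:TEMP 'gp-diag'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Step 4: the provider names from the answer's XPath query.
$providers = 'Application Management Group Policy', 'Group Policy Environment',
             'Group Policy Management', 'Group Policy Standard Edition',
             'GroupPolicy', 'Microsoft-Windows-GroupPolicy',
             'Microsoft-Windows-GroupPolicyTriggerProvider'
$names = ($providers | ForEach-Object { "@Name='$_'" }) -join ' or '
$xpath = "*[System[Provider[$names]]]"

# Quick triage on screen: which Group Policy events occur, and how often.
# Get-WinEvent raises an error when nothing matches, so suppress it and test for empty.
$events = @(Get-WinEvent -LogName System -FilterXPath $xpath -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    Write-Warning 'No Group Policy events found in the System log.'
} else {
    $events | Group-Object ProviderName, Id |
        Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize
}

# Export the filtered System log and the Group Policy Operational log (step 2).
$systemEvtx = Join-Path $outDir 'system-gp.evtx'
$gpEvtx     = Join-Path $outDir 'gp-operational.evtx'
wevtutil epl System $systemEvtx "/q:$xpath" /ow:true
wevtutil epl 'Microsoft-Windows-GroupPolicy/Operational' $gpEvtx /ow:true

# "English display information": archive-log writes the locale metadata
# (LocaleMetaData\*.MTA) next to each exported file.
wevtutil al $systemEvtx /l:en-US
wevtutil al $gpEvtx /l:en-US

# Step 3: gpresult in verbose text and HTML form.
gpresult /v | Out-File -FilePath (Join-Path $outDir 'gpresult-v.txt') -Encoding UTF8
gpresult /h (Join-Path $outDir 'gpresult.html') /f

Get-ChildItem -Path $outDir -Recurse | Select-Object FullName, Length
```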

All replies

  • Hi Kirill,

    I have sent you a Google Drive invitation to your e-mail.

    This is greatly appreciated,

    Daniel


    Daniel Scoland Windows 7 Professional SharePoint 2010 Microsoft Office 2010

    Wednesday, January 25, 2017 9:57 PM
  • Thank you Daniel,

    I've reviewed the files: I see the following error in gpsvc.log:

    EvaluateDeferredOUs: Object <OU=CompanyName Users,DC=CompanyName,DC=net> cannot be accessed

    In System log there are Event IDs 1101 with the following text:

    The processing of Group Policy failed. Windows could not locate the directory object OU=CompanyName Users,DC=CompanyName,DC=net. Group Policy settings will not be enforced until this event is resolved. View the event details for more information on this error.

    Please ensure that both the current user and the computer account can read all attributes at that OU object, specifically gPLink and gPOptions.


    https://exchange12rocks.org/ | http://about.me/exchange12rocks


    Wednesday, January 25, 2017 11:30 PM
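
    One way to check the OU's ACL for Deny entries that block reading gPLink and gPOptions, as the reply above asks. This is an added example, not part of the original posts; it assumes the RSAT ActiveDirectory module is available, and the function name Get-GpLinkReadDeny is hypothetical.

```powershell
# Added example. Assumes the ActiveDirectory module (RSAT); function name is hypothetical.
Import-Module ActiveDirectory

function Get-GpLinkReadDeny {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)

    # Look up the schema GUIDs of gPLink and gPOptions instead of hard-coding them.
    $schemaNC  = (Get-ADRootDSE).schemaNamingContext
    $attrGuids = @{}
    Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(|(lDAPDisplayName=gPLink)(lDAPDisplayName=gPOptions))' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $attrGuids[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

    $readProp = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty

    # A Deny ACE matters here when it covers ReadProperty (GenericRead and
    # GenericAll include that bit) and applies either to all properties
    # (empty ObjectType) or to one of the two attributes by GUID.
    # Deny ACEs scoped to a property set are not matched by this check.
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            (($_.ActiveDirectoryRights -band $readProp) -eq $readProp) -and
            ($_.ObjectType -eq [guid]::Empty -or $attrGuids.ContainsKey($_.ObjectType))
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited,
            @{ Name = 'Scope'; Expression = {
                if ($_.ObjectType -eq [guid]::Empty) { 'all properties' }
                else { $attrGuids[$_.ObjectType] }
            } }
}

# The OU named in the gpsvc.log line and Event ID 1101 quoted above, then its parent domain.
$targets = 'OU=CompanyName Users,DC=CompanyName,DC=net', 'DC=CompanyName,DC=net'
foreach ($dn in $targets) {
    $deny = @(Get-GpLinkReadDeny -DistinguishedName $dn)
    if ($deny.Count -eq 0) {
        Write-Output "${dn}: no Deny ACE covering gPLink/gPOptions reads"
    } else {
        Write-Output "${dn}: Deny ACEs found"
        $deny | Format-Table -AutoSize
    }
}
```

    A Deny ACE takes effect for any trustee whose token contains the listed identity, so an entry for Everyone applies to both the user and the computer account.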
  • We had deny permissions set to the Everyone security group that was causing the issue.

    I set back to Microsoft recommended defaults for Read and Read all properties on the OU and the Domain.

    Thank you!


    Daniel Scoland CompTIA Security+ IT Professional

    Friday, January 27, 2017 3:42 PM
  • Happy to help!

    https://exchange12rocks.org/ | http://about.me/exchange12rocks

    Friday, January 27, 2017 8:32 PM