none
GPUPDATE fails to apply computer settings "Access Denied"

    Question

  • A single Windows 7 Pro workstation on HP Compaq Pro 6305 SFF in a small business with 1 DC (Small Business Server 2008) errors on gpupdate /force with the following: The processing of Group policy failed.  Windows could not resolve the computer name. This could be caused by one or more of the following:

    a) Name Resolution failure on the current domain controller.
    b) Active Directory Replication Latency (an account created on another domain co
    ntroller has not replicated to the current domain controller).

    To diagnose the failure, review the event log or run GPRESULT /H GPReport.html f
    rom the command line to access information about Group Policy results.

    GPresults produced:

    (I edited out private info and replaced with generic placeholders in italics)

    I am concerned that the Domain name and Domain type in Computer Settings are different from the ones in User Settings.

    C:\Users\username>gpresult /r

    Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
    Copyright (C) Microsoft Corp. 1981-2001

    Created On 4/8/2016 at 7:21:27 AM


    RSOP data for Mydomain\Username on FPB2015-HP : Logging Mode
    ----------------------------------------------------------------

    OS Configuration:            Member Workstation
    OS Version:                  6.1.7601
    Site Name:                   N/A
    Roaming Profile:             N/A
    Local Profile:               C:\Users\Username
    Connected over a slow link?: No


    COMPUTER SETTINGS
    ------------------
        CN=FPB2015-HP,OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=Mydomain,DC=
    local
        Last time Group Policy was applied: 4/8/2016 at 7:15:23 AM
        Group Policy was applied from:      N/A
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        TLG10HO333E2J
        Domain Type:                        WindowsNT 4

        Applied Group Policy Objects
        -----------------------------
            N/A

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)

        The computer is a part of the following security groups
        -------------------------------------------------------
            BUILTIN\Administrators
            Everyone
            NT AUTHORITY\Authenticated Users
            System Mandatory Level


    USER SETTINGS
    --------------
        CN=Username,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=Mydomain,
    DC=local
        Last time Group Policy was applied: 4/8/2016 at 7:15:23 AM
        Group Policy was applied from:      Myserver.mydomain.local
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        Mydomain
        Domain Type:                        Windows 2000

        Applied Group Policy Objects
        -----------------------------
            Windows SBS CSE Policy
            Small Business Server Folder Redirection Policy

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Default Domain Policy
                Filtering:  Not Applied (Empty)

            Local Group Policy
                Filtering:  Not Applied (Empty)

            Windows SBS User Policy
                Filtering:  Denied (Security)

            File/Print Deployment All Users
                Filtering:  Denied (Security)

        The user is a part of the following security groups
        ---------------------------------------------------
            Domain Users
            Everyone
            BUILTIN\Users
            NT AUTHORITY\INTERACTIVE
            CONSOLE LOGON
            NT AUTHORITY\Authenticated Users
            This Organization
            LOCAL
            Windows SBS Folder Redirection Accounts
            Medium Mandatory Level

    C:\Users\username>

    Event Viewer logs the following after GPupdate:

    System Log:

    EventID 1055

    Group policy Operational log:

    EventID 7017

    EventID 7320

    EventID 7004

    The following has already been tried:

    From afflicted machine, browsed to each and every Policy folder within sysvol, couldn't find any security issues or access denied.

    Reset Password on the Computer account in AD on the DC.

    Disjoined the workstation from the domain, deleted the computer account on DC and rejoined.

    This machine resides in same OU as all other workstations which are functional.

    This particular machine has many applications which are critical to the business, so re-install of OS is a very last resort.

    Any help is much appreciated.

    Brian

    Friday, April 8, 2016 12:35 PM

Answers

  • Hi Brian,

    Would you post detailed information about Event ID 1055?

    I guess the event ID 1055 in your event viewer with error code 525, which means the specified user do not exist.

    This error code might indicate incorrect permissions on the organizational unit. The user requires read access to the organizational unit that contains the user object. Similarly, computers require read access to the organizational unit that contains the computer object.

    For more information, you could refer to the article below.

    Event ID 1055 — Group Policy Preprocessing (Security)

    https://technet.microsoft.com/en-us/library/cc727272(v=WS.10).aspx

    Is the Admistrator member of Domain Admin?

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, April 20, 2016 6:21 AM
    Moderator

All replies

  • This might be a completely unrelated coincidence, but when I trigger a gpupdate, I am seeing a Audit Failure on the DC event viewer from the problematic workstation, and it appears to be using the misspelled username Admistrator....  Could they be related?  My gpreport.html shows access denied.
    Friday, April 8, 2016 3:55 PM
  • Okay,  I kind of solved my error.  I created the misspelled admistrator account in AD.  Now Group policy processes fine....  Please does anybody know how to make this right to get rid of this mispelled account?
    Friday, April 8, 2016 4:26 PM
  • You can just rename or delete this account in Active Directory Users and Computers.

    https://technet.microsoft.com/en-us/library/cc772952%28v=ws.10%29.aspx

    If you mean to delete this account from local groups on the computer you can manage clients trough Active Directory Users and Computers and remove the account or using a script:

    http://powershell.com/cs/media/p/2332.aspx


    Kind regards,

    Tim
    MCITP, MCTS, MCSA
    http://directoryadmin.blogspot.com

    This posting is provided 'AS IS' with no warranties or guarantees and confers no rights.

    "If this thread answered your question, please click on "Mark as Answer"

    Saturday, April 9, 2016 5:58 AM
  • Hi Brian,

    What is the situation?

    Have you solved your problem?

    If you do not want to use the account, you could also disable the account and create another account and add it to Domain Admin Group.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, April 12, 2016 9:30 AM
    Moderator
  • Gentlemen, (I boldfaced the misspelled account name in my post to try to make it easier to read)

    Thank you for your replies, my issue is not resolved, but currently in a workaround status.  Perhaps my last posts were not clear.  This particular workstation continues to try to authenticate to the domain controller using the username admistrator, instead of administrator.  I created an AD user using the misspelled admistrator in addition to the standard administrator account that is inherent in Active Directory.  If I disable the admistrator user in AD, this workstation fails to apply computer setting in group policy, and I begin seeing audit failures on the domain controller in the security logs.  So my opinion is that this workstation has this incorrect spelling of admistrator cached somewhere and will only apply group policy settings if it can authenticate using admistrator.  I would like to delete this admistrator account, but if I do I am back to square one.  I think I need assistance finding where this is cached on the Win 7 Pro workstation.  I checked credential manager in control panel, and deleted all entries that I could see, but I am at a loss as to how to proceed.

    Thank you.

    Tuesday, April 12, 2016 3:33 PM
  • Hi Brian,

    Would you post detailed information about Event ID 1055?

    I guess the event ID 1055 in your event viewer with error code 525, which means the specified user do not exist.

    This error code might indicate incorrect permissions on the organizational unit. The user requires read access to the organizational unit that contains the user object. Similarly, computers require read access to the organizational unit that contains the computer object.

    For more information, you could refer to the article below.

    Event ID 1055 — Group Policy Preprocessing (Security)

    https://technet.microsoft.com/en-us/library/cc727272(v=WS.10).aspx

    Is the Admistrator member of Domain Admin?

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, April 20, 2016 6:21 AM
    Moderator
  • Hi,

    Are there any updates?

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Saturday, April 23, 2016 3:31 AM
    Moderator