Client-Side Extension could not apply user policy settings / There is a time and/or date difference between the client and server

    Question

  • So I'm having some time/date issues pertaining to group policies.  I'll try to explain the situation as simply as I can.  

    We have 3 servers outside the US (they are an hour behind in time from our PDC time because of their time zone).  Those servers were in a domain that is set up as a two-way trust with our domain in the US.  

    Now, two of those servers were joined to our domain.  The remaining server which happens to be their domain controller has not been demoted and then promoted on our domain yet.  Here is the problem I'm having:

    Users on our domain RDP into those two servers that were joined to our domain.  They process group policies located on our domain.  The problem that we are having is that not all the policy settings are being applied.  I am seeing these messages in the event viewer:

    The client-side extension could not apply user policy settings for 'GroupPolicy Name F57D3-3F35-4747-8E3A-C89EE330FAF8}' because it failed with error code '0x80070576 There is a time and/or date difference between the client and server.' See trace file for more details.

    So what I did was go to every domain controller in our domain and the trusted domain and sync up the time with our PDC.  It applies the time zone during the sync but they are all synced up.  The servers that we joined to our domain are also synced up with the PDC but I'm still getting this message.  

    I read somewhere about the Kerberos time threshold and how you can change that from the default 5 minutes to whatever you want.  But I shouldn't have to do that; the group policy should see that the time is synced up but the server is just in a different time zone from where it's pulling the group policies from.  Can anyone help?  


    Thursday, November 17, 2016 7:46 PM

All replies

  • Hi,
     
    On 17.11.2016 at 20:46, PPIbrad wrote:
    > We have 3 servers outside the US (they are an hour behind in time
    > from our PDC time because of their *time zone*).
     
    Timezone shouldn't matter, because it's timezone, not time.
    The 5 minute Kerberos difference will be calculated right.
     
    > 'GroupPolicy Name F57D3-3F35-4747-8E3A-C89EE330FAF8}' because it
    > failed with error code '0x80070576 There is a time and/or date
    > difference between the client and server.'
     
    Which CSE does fail? What is inside this GPO?
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    • Proposed as answer by Todd Heron Friday, November 18, 2016 12:20 PM
    Friday, November 18, 2016 7:08 AM
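A way to confirm the point made in the reply above, that only the UTC offset counts and the time zone does not. This is an added example, not code from the thread; `dc01.example.com` is a placeholder and the 300 second limit is the default tolerance the thread mentions.

```powershell
# Assumption: dc01.example.com is a placeholder for a DC the server authenticates against.
$dc             = 'dc01.example.com'
$maxSkewSeconds = 300   # the default 5 minute Kerberos tolerance

# Show the local clock both ways. The time zone changes only the first line.
$now = Get-Date
"Local : {0:yyyy-MM-dd HH:mm:ss} ({1})" -f $now, [TimeZoneInfo]::Local.Id
"UTC   : {0:yyyy-MM-dd HH:mm:ss}" -f $now.ToUniversalTime()

# w32tm measures the offset over NTP, which carries UTC, so the result
# is independent of the time zone configured on either machine.
$offsets = w32tm /stripchart /computer:$dc /samples:3 /dataonly |
    ForEach-Object { if ($_ -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] } }

if (@($offsets).Count -eq 0) {
    throw "No offset samples from $dc. Check name resolution and UDP 123."
}

# Compare the worst absolute offset with the tolerance.
$worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
if ($worst -gt $maxSkewSeconds) {
    "FAIL: clock differs from $dc by $worst s, outside the Kerberos tolerance."
} else {
    "OK: clock is within $worst s of $dc."
}
```

A server one hour "behind" because of its time zone reports an offset near zero here; an offset near 3600 s means the clock itself was set to the wrong time.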
  • How do I tell what CSE is failing?  Is there a log location I can go to?  I do know that the drive mappings in the group policy are not being applied and also there are some start menu lockdown policies that are also not being applied.  
    Friday, November 18, 2016 1:17 PM
  • Hi,
     
    On 18.11.2016 at 14:17, PPIbrad wrote:
    > How do I tell what CSE is failing?
     
    You can enable the gpsvc logging
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics]
    "GPsvcDebugLevel"=dword:00030002
     
    and debug the file %windir%\debug with notepad or Sysprosoft Policy
    Reporter.
     
    For testing, without logging, you can enable/disable Items within
    Preferences. Sadly this can be done only in the preferences.
    (mark all -> right mouseclick -> disable)
     
    Probably it's a bug within CSE. You are running Windows 10 or 7?
    MS16-072 should contain the most actual GPClients CSEs
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    Friday, November 18, 2016 4:04 PM
  • > and debug the file %windir%\debug with notepad or Sysprosoft Policy
    > Reporter.
     
    C:\Windows\Debug\Usermode\gpsvc.log
     
    The folder "Usermode" MUST be created in advance, it will not be created
    automatically and it does not exist by default.
     
    Sunday, November 20, 2016 2:24 PM
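The logging steps from the two replies above, put together as one script. This is an added example, not code from the thread; it assumes an elevated PowerShell session on the affected server, and it searches only for the two error codes quoted on this page.

```powershell
# Run elevated on the server where the policy fails.
$diagKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics'
$logDir  = Join-Path $env:windir 'debug\usermode'
$logFile = Join-Path $logDir 'gpsvc.log'

# Neither the Diagnostics key nor the usermode folder exists by default.
if (-not (Test-Path $diagKey)) { New-Item -Path $diagKey -Force | Out-Null }
New-ItemProperty -Path $diagKey -Name 'GPsvcDebugLevel' `
    -PropertyType DWord -Value 0x30002 -Force | Out-Null
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

# Refresh policy so the log is written. User policy is processed for the
# account running this; for other users, have them log on again via RDP.
gpupdate /force | Out-Null

# Pull the lines that carry the error codes quoted in this thread.
# Assumption: gpsvc.log is UTF-16; drop -Encoding if the output is garbled.
$codes = '80070576', '80070005'
if (Test-Path $logFile) {
    Get-Content -Path $logFile -Encoding Unicode |
        Select-String -Pattern $codes -SimpleMatch
}

# Group Policy Preferences warnings (event 4098, the ID quoted further down
# in this thread) are written to the Application log; the event source
# names the client-side extension that failed.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 4098 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Group-Object ProviderName |
    Select-Object Count, Name

# When finished, switch verbose logging off again:
# Remove-ItemProperty -Path $diagKey -Name 'GPsvcDebugLevel'
```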
  • The "Diagnostics" key does not exist under 
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\

    Also, where exactly do you enable/disable these items.  Items within Preferences where?  Where is Preferences?  

    > For testing, without logging, you can enable/disable Items within
    > Preferences. Sadly this can be done only in the preferences.
    > (mark all -> right mouseclick -> disable)

    For some reason, I'm no longer seeing the time/date events any longer.  Now I'm seeing these messages:

    Event ID: 4098

    The user 'Attributes' preference item in the Group Policy Name did not apply because it failed with error code '0x80070005 Access is denied'.  

    Tuesday, November 22, 2016 3:03 PM
  • Hi,
     
    On 22.11.2016 at 16:03, PPIbrad wrote:
    > The "Diagnostics" key does not exist
     
    Do you think you should handle GPOs if you are not able to handle
    the registry?
     
    Create the entry if it does not exist.
     
    > Also, where exactly do you enable/disable these items.  Items within
    > Preferences where?  Where is Preferences?
     
    Please get someone to help you, you have never taken a look inside the
    GPEditor. It's obviously showing "Policies" and "Preferences" beneath
    Computer and User Configuration.
     
    > The user 'Attributes' preference item in the Group Policy Name did
    > not apply because it failed with error code '0x80070005 Access is
    > denied'.
     
    MS16-072. You did remove the Authenticated Users.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    Tuesday, November 22, 2016 5:40 PM
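An audit for the MS16-072 condition named in the reply above: since that update, user GPOs are retrieved in the computer's security context, so a GPO needs Read for Authenticated Users or Domain Computers. This is an added example, not code from the thread; it assumes the RSAT GroupPolicy module and matches trustees by well-known SID so localized group names do not matter.

```powershell
Import-Module GroupPolicy   # part of the RSAT Group Policy Management tools

# Permission levels that include Read.
$readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

$report = foreach ($gpo in Get-GPO -All) {
    $perms = Get-GPPermission -Guid $gpo.Id -All

    # S-1-5-11 = Authenticated Users; domain RID 515 = Domain Computers.
    $computerCanRead = $perms | Where-Object {
        ($_.Trustee.Sid.Value -eq 'S-1-5-11' -or
         $_.Trustee.Sid.Value -like 'S-1-5-21-*-515') -and
        $_.Permission -in $readLevels
    }

    # Report GPOs that computer accounts cannot read.
    if (-not $computerCanRead) {
        [pscustomobject]@{
            Gpo     = $gpo.DisplayName
            Id      = $gpo.Id
            ApplyTo = ($perms | Where-Object { $_.Permission -eq 'GpoApply' } |
                       ForEach-Object { $_.Trustee.Name }) -join ', '
        }
    }
}

$report | Sort-Object Gpo | Format-Table -AutoSize

# To keep security filtering and still let computers read a listed GPO,
# grant Read only (no Apply), for example:
# Set-GPPermission -Guid <Id from the report> -TargetName 'Domain Computers' `
#     -TargetType Group -PermissionLevel GpoRead
```

GPOs listed in the report are the ones where user settings can fail with '0x80070005 Access is denied' after MS16-072; custom or deny ACEs are not evaluated by this check.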
  • First of all I come here to get help not to be judged or questioned on whether or not I should be handling GPOs.  I create and manage GPOs all the time.  You weren't specific with which Preferences you wanted me to disable/enable.  Of course I know where they are in the GPO, I'm in the editor all the time making changes. But "Preferences" are in quite more than GPOs.    

    As far as the registry, I know the registry very well.  I used to script registry changes.  You never said anything about creating a key, that's why I mentioned that the key was not there.  I wasn't sure if it was located elsewhere or not or if I should create a key.  Specifics.....

    And regarding delegation, the GPO has a group in it that lists all the users that should be applying the policy.  This special group has read access.  Authenticated users was listed so I went ahead and removed it.  I'll see what happens.  Thank you very much.  

    Tuesday, November 22, 2016 6:07 PM
  • Hi,

    Just want to confirm the current situation.

    Please feel free to let us know if you need further assistance.

    Best Regards,

    Alvin Wang



    Friday, November 25, 2016 5:36 AM
    Moderator