GPO(s) not being applied, Current Bandwidth >= Bandwidth Threshold?

    Question

  • We've recently had a rash of group policies that just "stop" applying. Today I spent most of the day troubleshooting and here's where I'm at.

    RSOP.msc, when I look at "Display all GPOs and filtering status"

    cn={8F0AF15B-CA97-4630-B0CF-17BE7017D128},cn=policies,cn=system,DC=UnitedCamera,DC=local
    Not Applied (Unknown reason)

    Found information on how to turn on gpsvc.log to try and get more information. What I find around this particular GPO is this:

    ...
    GPSVC(31c.f30) 15:15:29:298 GetBandwidthEstimate returned Bandwidth = 640584.
    GPSVC(31c.f30) 15:15:29:298 GetBandwidthEstimate returned Latency = 0.
    GPSVC(31c.f30) 15:15:29:298 GetBandwidthEstimate returned Cost = 0.
    GPSVC(31c.f30) 15:15:29:298 GetBandwidthEstimate returned Connection Type = 6.
    GPSVC(31c.f30) 15:15:29:298 GetBandwidthEstimate returned Direct Access = 0.
    GPSVC(31c.f30) 15:15:29:298 IsSlowLink: Bandwidth Threshold (WINLOGON) = 500.
    GPSVC(31c.f30) 15:15:29:299 IsSlowLink: WWAN Policy (SYSTEM) = 0.
    GPSVC(31c.f30) 15:15:29:299 IsSlowLink: Current Bandwidth >= Bandwidth Threshold.
    GPSVC(31c.f30) 15:15:29:299 EvalList: Object <cn={8F0AF15B-CA97-4630-B0CF-17BE7017D128},cn=policies,cn=system,DC=UnitedCamera,DC=local> cannot be accessed
    ...

    In this case both the client and DC are virtual machines on the same physical hardware. Watching through the VM console we do not see any excessively high virtual network utilization on either machine. The same problem has also been seen between physical clients and our physical DC, so I don't think it's VM related.

    The problem started about 3 weeks ago. Unfortunately, our change tracking isn't sufficient to tell us if we did any patching or updates to clients or servers that may be causing this.

    I've read a couple TechNet posts on Group Policy Slow Link Detection as well as A Treatise on Group Policy Troubleshooting–now with GPSVC Log Analysis!

    Both were very informational, however neither helped me understand what may be the root cause of the problem or what I can do to reach a resolution.

    Monday, July 18, 2016 9:18 PM

Answers

  • Hi,

    Thanks for your post.

    In my opinion, the problem may be caused by installing the update MS16-072.

    I suggest you try to fix the problem with the following actions.

    1. Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
    2. If you are using security filtering, add the Domain Computers group with read permission.

    For more information, you could refer to the articles below.

    MS16-072: Security update for Group Policy: June 14, 2016

    https://support.microsoft.com/en-us/kb/3163622

    MS16-072 – Known Issue – Use PowerShell to Check GPOs

    https://blogs.technet.microsoft.com/poshchap/2016/06/16/ms16-072-known-issue-use-powershell-to-check-gpos/

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, July 19, 2016 7:48 AM
    Moderator
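
Added example (not part of the original thread or of the linked Microsoft articles): a PowerShell sketch that pulls the GPO GUIDs gpsvc reported as "cannot be accessed" out of a gpsvc.log and, where the GroupPolicy module is available, reports whether Authenticated Users or Domain Computers holds an allow permission that includes read. The function names are hypothetical, the sample lines are copied from the log excerpt in the question, and treating the four listed permission levels as "includes read" is an assumption of this example.

```powershell
# Sample input: two lines taken from the gpsvc.log excerpt in the question.
# On a real client, read the file instead:
#   $log = Get-Content "$env:windir\debug\usermode\gpsvc.log"
$sampleLog = @'
GPSVC(31c.f30) 15:15:29:299 IsSlowLink: Current Bandwidth >= Bandwidth Threshold.
GPSVC(31c.f30) 15:15:29:299 EvalList: Object <cn={8F0AF15B-CA97-4630-B0CF-17BE7017D128},cn=policies,cn=system,DC=UnitedCamera,DC=local> cannot be accessed
'@ -split "`r?`n"

function Get-InaccessibleGpoGuid {
    # Returns the unique GPO GUIDs that gpsvc logged as "cannot be accessed".
    # The IsSlowLink line is informational and is deliberately ignored.
    param([string[]]$Line)
    $pattern = 'EvalList: Object <cn=\{(?<guid>[0-9A-Fa-f-]{36})\},.*> cannot be accessed'
    $Line | ForEach-Object {
        if ($_ -match $pattern) { $Matches['guid'].ToUpper() }
    } | Sort-Object -Unique
}

function Test-GpoComputerRead {
    # Checks one GPO for a non-denied entry for either group named in the answer.
    # Assumption: these permission levels all include read access.
    param([guid]$Guid)
    $groups     = 'Authenticated Users', 'Domain Computers'
    $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
    $hits = Get-GPPermission -Guid $Guid -All | Where-Object {
        $_.Trustee.Name -in $groups -and
        -not $_.Denied -and
        "$($_.Permission)" -in $readLevels
    }
    [pscustomobject]@{
        Guid        = $Guid
        DisplayName = (Get-GPO -Guid $Guid).DisplayName
        ReadHeldBy  = ($hits | ForEach-Object { $_.Trustee.Name }) -join ', '
        NeedsFix    = -not $hits
    }
}

$guids = Get-InaccessibleGpoGuid -Line $sampleLog
if (Get-Command Get-GPPermission -ErrorAction SilentlyContinue) {
    # Needs the GroupPolicy module and a domain connection.
    $guids | ForEach-Object { Test-GpoComputerRead -Guid $_ }
} else {
    # No GroupPolicy module on this machine: list the GUIDs to check by hand.
    $guids
}
```

For a GPO flagged `NeedsFix`, the change described in the answer can be made on the Delegation tab or with `Set-GPPermission -Guid <guid> -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead`.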

All replies

  • Was just able to determine that we patched our domain controllers on 6/26, and the problem started with GPO(s) being applied on 6/27. Here's what was installed on our 2012 DC.

    ***,http://support.microsoft.com/?kbid=3156418,***,Update,KB3156418,6/26/2016
    ***,http://support.microsoft.com/?kbid=3157569,***,Security Update,KB3157569,6/26/2016
    ***,http://support.microsoft.com/?kbid=3159398,***,Security Update,KB3159398,6/26/2016
    ***,http://support.microsoft.com/?kbid=3160005,***,Security Update,KB3160005,6/26/2016
    ***,http://support.microsoft.com/?kbid=3160352,***,Security Update,KB3160352,6/26/2016
    ***,http://support.microsoft.com/?kbid=3161561,***,Security Update,KB3161561,6/26/2016
    ***,http://support.microsoft.com/?kbid=3161606,***,Update,KB3161606,6/26/2016
    ***,http://support.microsoft.com/?kbid=3161664,***,Security Update,KB3161664,6/26/2016
    ***,http://support.microsoft.com/?kbid=3161949,***,Security Update,KB3161949,6/26/2016
    ***,http://support.microsoft.com/?kbid=3161951,***,Security Update,KB3161951,6/26/2016
    ***,http://support.microsoft.com/?kbid=3161958,***,Security Update,KB3161958,6/26/2016
    ***,http://support.microsoft.com/?kbid=3162343,***,Security Update,KB3162343,6/26/2016
    ***,http://support.microsoft.com/?kbid=3162835,***,Update,KB3162835,6/26/2016
    ***,http://support.microsoft.com/?kbid=3164033,***,Security Update,KB3164033,6/26/2016
    ***,http://support.microsoft.com/?kbid=3164035,***,Security Update,KB3164035,6/26/2016
    ***,http://support.microsoft.com/?kbid=3164294,***,Security Update,KB3164294,6/26/2016

    Our other DC is 2003 R2 and we only installed:

    Windows Malicious Software Removal Tool - March 2016 (KB890830)
    Windows Malicious Software Removal Tool - June 2016 (KB890830)

    The problem with GPO(s) not being applied happens with either domain controller.

    Monday, July 18, 2016 9:33 PM
  • We found that, as of the update in question, not only did we have to give authenticated users "read" access to our GPs but we also had to abandon the use of individual user accounts in the Scope tab. Instead we had to add those individual accounts to an AD *group* account and then reference that group in the Scope tab.

    Restated, Group Policy now seems to be strictly group oriented. It ignores non-group accounts.

    Tuesday, July 19, 2016 2:47 PM
  • Thanks Jay, adding "Domain Computers" with "Read" on the Delegation tab resolved the issue. As you suspected, all the GPOs in question had various group security filtering on the Scope and Authenticated Users did not have Read access.
    Tuesday, July 19, 2016 4:51 PM
  • Hi,

    I am glad to hear that your problem has been resolved.

    Please mark the reply as the answer, as it would be helpful to anyone who encounters a similar problem.

    Thank you.

    Best Regards,

    Jay


    Tuesday, July 19, 2016 10:54 PM
    Moderator