Group Policy Cert Issue

    Question

  • Hi All!

    We have a strange issue with Group Policy.

    In one of our domain GPOs we are installing some certificates into the Trusted Root Certification Authorities store of domain computers. But we have a few problem computers where that GPO does not apply, the certificate is not installed in the right place, and users get errors.

    We found a workaround - delete Registry.pol file in c:\windows\system32\GroupPolicy\Machine\ and reboot. After that GPO works well.

    And Registry.pol is blank (empty) with size 166 bytes.

    On every problem computer, in the System log, we see an error with Event ID 1096:

    The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LocalGPO. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.

    We want to know the reason for that issue so we can fix it.

    Thanks!


    • Edited by Anton Karlan Tuesday, May 26, 2015 1:28 PM Add some info
    Tuesday, May 26, 2015 12:46 PM

Answers

    > So, let's assume that AV is corrupting Registry.pol BUT why do users
    > get certificate errors? Why do certificates that were installed with GPO
    > disappear when Registry.pol is corrupted? That is the main question and
    > problem.
     
    If registry processing fails with one GPO (one corrupt registry.pol
    file), it will stop processing, because things can go wrong if it
    continues anyway.
     
    And since the local GPO is the first GPO that gets processed, all Domain
    GPOs aren't applied anymore.
     
    That said first, here comes the answer to your question: Certs are also
    stored in registry.pol files in your Domain GPOs. And on your clients,
    they are processed by the same engine that processes ADM templates. This
    engine works as follows:
     
    1. Delete all registry keys/values from the last run.
    2. Write all registry keys/values for GPO number one.
    3. Write all registry keys/values for GPO number two.
    4. ...and so on.
     
    Step 1 removes your cert. Step 2 is aborted because of a broken
    registry.pol file. Step 3 and further are skipped.
     

    Greetings/Grüße, Martin

    How about reading a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    • Marked as answer by Anton Karlan Thursday, May 28, 2015 11:05 AM
    Wednesday, May 27, 2015 1:32 PM
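    The processing order Martin describes, modelled as an added example that is not code from the thread or from Microsoft: a parser for the Registry.pol file format (the "PReg" header followed by UTF-16LE `[key;value;type;size;data]` entries, as documented in MS-GPREG) and a simulation of the engine in which step 1 clears the previous run's values and the first corrupt file aborts everything after it. The certificate key path and thumbprint are constructed sample values, not taken from the post.

```python
import struct
SIG, VER = b"PReg", 1                          # MS-GPREG header: "PReg" signature, version 1
def u16(s):                                    # Registry.pol text is UTF-16LE
    return s.encode("utf-16-le")
def build_registry_pol(entries):               # entries: (key, value, type, data) tuples
    out = SIG + struct.pack("<I", VER)
    for key, value, rtype, data in entries:    # each entry: [key;value;type;size;data]
        out += (u16("[") + u16(key) + b"\0\0" + u16(";") + u16(value) + b"\0\0" + u16(";")
                + struct.pack("<I", rtype) + u16(";") + struct.pack("<I", len(data))
                + u16(";") + data + u16("]"))
    return out
def _utf16z(blob, pos):                        # NUL-terminated UTF-16LE string starting at pos
    end = next((i for i in range(pos, len(blob) - 1, 2) if blob[i:i + 2] == b"\0\0"), None)
    if end is None: raise ValueError("unterminated string at offset %d" % pos)
    return blob[pos:end].decode("utf-16-le"), end + 2
def _expect(blob, pos, ch):                    # require delimiter ch at pos
    if blob[pos:pos + 2] != u16(ch):
        raise ValueError("expected %r at offset %d" % (ch, pos))
    return pos + 2
def parse_registry_pol(blob):                  # -> [(key, value, type, data)], ValueError if corrupt
    if blob[:8] != SIG + struct.pack("<I", VER):
        raise ValueError("bad PReg header")
    pos, entries = 8, []
    while pos < len(blob):
        pos = _expect(blob, pos, "[")
        key, pos = _utf16z(blob, pos); pos = _expect(blob, pos, ";")
        value, pos = _utf16z(blob, pos); pos = _expect(blob, pos, ";")
        if len(blob) < pos + 12:               # type(4) ; size(4) ; must still fit
            raise ValueError("truncated entry at offset %d" % pos)
        rtype = struct.unpack_from("<I", blob, pos)[0]; pos = _expect(blob, pos + 4, ";")
        size = struct.unpack_from("<I", blob, pos)[0]; pos = _expect(blob, pos + 4, ";")
        data, pos = blob[pos:pos + size], _expect(blob, pos + size, "]")  # short data fails here
        entries.append((key, value, rtype, data))
    return entries
def apply_gpos(pols):                          # engine model -> (registry, failing GPO index or None)
    registry = {}                              # step 1: the previous run's values are gone
    for i, blob in enumerate(pols):            # step 2, 3, ...: write GPO by GPO, in order
        try:
            entries = parse_registry_pol(blob)
        except ValueError:
            return registry, i                 # abort: this and all later GPOs are skipped
        for key, value, rtype, data in entries:
            registry[(key, value)] = (rtype, data)
    return registry, None

# Constructed samples: a domain GPO that pushes a root cert (illustrative key path, fake
# thumbprint, REG_BINARY = 3) and a local GPO whose file ends in the middle of an entry.
CERT_KEY = r"Software\Policies\Microsoft\SystemCertificates\Root\Certificates\0000DEADBEEF"
DOMAIN_POL = build_registry_pol([(CERT_KEY, "Blob", 3, b"\x30\x82" + b"\0" * 6)])
CORRUPT_LOCAL_POL = build_registry_pol([]) + u16("[Software\\Pol")
```

    Running `parse_registry_pol` over the bytes of a real Registry.pol separates a genuinely empty file (header only, 8 bytes) from a damaged one, which is the distinction the 1096 event text does not make for you.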

All replies

  • > We found a workaround - delete Registry.pol file in
     
    > registry-based policy settings for the Group Policy object LocalGPO.
     
    These settings are contained in the above registry.pol file. If this file
    is damaged, GPO processing will fail. Do you have AV software? Does this
    software have exclusions for registry.pol?
     
     

    Greetings/Grüße, Martin

    How about reading a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Tuesday, May 26, 2015 2:18 PM
  • > We found a workaround - delete Registry.pol file in
     
    > registry-based policy settings for the Group Policy object LocalGPO.
     
    > These settings are contained in the above registry.pol file. If this file
    > is damaged, GPO processing will fail. Do you have AV software? Does this
    > software have exclusions for registry.pol?

    Thanks for the quick reply!

    Yes, we have AV software and also device locking software. And I agree with you that it can be the reason for the issue.

    So, let's assume that AV is corrupting Registry.pol BUT why do users get certificate errors? Why do certificates that were installed with GPO disappear when Registry.pol is corrupted? That is the main question and problem.

    Wednesday, May 27, 2015 9:39 AM