June 2016 Windows patch broke my GPOs

    Question

  • I deployed patches this month, and included KB 3159398 on my Windows 7 workstations.

    Some of these had a GPO set up to disable the screensaver and disable the lock screen. These PCs were lunchroom and control room PCs, and the end users did not know the password for the generic account that is logged in.

    I have found a few articles describing the problem, and that it is "by design", so I have to find a solution. The suggested solution was to add Authenticated Users to read and apply policies.

    Unfortunately, after 3 days of testing I have found that it is either not the right solution or the entire solution :(

    In my OU I have 2 GPOs:

    1) The main one sets all the default settings, including a 600 second idle lock screen.

    2) Overrides the main policy and disables the screen saver for any member of a specific security group. This has worked for years, and now no longer works.

    When I run gpupdate /force on an offending PC I get this error message:

    C:\Users\cr.pressfloor>gpupdate /force
    Updating Policy...

    User Policy update has completed successfully.
    Computer policy could not be updated successfully. The following errors were enc
    ountered:

    The processing of Group Policy failed. Windows attempted to read the file \\nora
    nda.NORINC.NET\sysvol\noranda.NORINC.NET\Policies\{F5D9DCCE-20CE-4082-825C-D5028
    97FFCB2}\gpt.ini from a domain controller and was not successful. Group Policy s
    ettings may not be applied until this event is resolved. This issue may be trans
    ient and could be caused by one or more of the following:
    a) Name Resolution/Network Connectivity to the current domain controller.
    b) File Replication Service Latency (a file created on another domain controller
     has not replicated to the current domain controller).
    c) The Distributed File System (DFS) client has been disabled.

    To diagnose the failure, review the event log or run GPRESULT /H GPReport.html f
    rom the command line to access information about Group Policy results.

    I am at a loss. If anyone has some suggestions as to how I can fix this problem, it would be greatly appreciated.

    Tuesday, August 02, 2016 8:21 PM

Answers

  • Hi,

    Thanks for your post.

    Regarding the error message “The processing of Group Policy failed. Windows attempted to read the file \\noranda.NORINC.NET\sysvol\noranda.NORINC.NET\Policies\{F5D9DCCE-20CE-4082-825C-D502897FFCB2}\gpt.ini from a domain controller and was not successful.” In general, this problem is caused by one of the following:

    1. SYSVOL replication is broken and the GPO's contents in SYSVOL are not replicated to every DC.

    2. The GPO is truly corrupt in SYSVOL and missing one or more key files.

    3. The client can't resolve the DFS path to SYSVOL. I've seen this caused by disabling the "TCP/IP NetBIOS Helper" service, so I would check that.

    4. If it's per-computer policy that is generating this message, it could be a network stack timing issue as the machine starts up. You can tweak the client's policy at Computer Configuration\Admin Templates\System\Group Policy\Specify startup policy processing wait time.

    Also, just note, the Default Domain Policy can be "restored". Microsoft provides the DCGPOFix.exe tool (http://technet.microsoft.com/en-us/library/hh875588.aspx) that lets you reset the GPOs to their default settings, if these GPOs are truly corrupt. In the case of these tools, you would have to recreate any settings that you had in these GPOs.

    Best Regards,

    Alvin Wang



    Wednesday, August 03, 2016 6:36 AM
    Moderator
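
Causes 1 and 2 in the answer above (broken SYSVOL replication, or a GPO missing files in SYSVOL) can be told apart by reading the same gpt.ini from every domain controller. The following PowerShell is an added example, not part of the original thread; it assumes the RSAT ActiveDirectory module is installed and takes the GPO GUID and domain name from the error text in the question.

```powershell
# Added example: checks that one GPO's gpt.ini is readable on every DC's SYSVOL
# and that all DCs hold the same version. Needs the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# GUID and domain name are copied from the gpupdate error in the question.
$GpoGuid = '{F5D9DCCE-20CE-4082-825C-D502897FFCB2}'
$Domain  = 'noranda.NORINC.NET'

$report = foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
    $path = "\\$($dc.HostName)\SYSVOL\$Domain\Policies\$GpoGuid\gpt.ini"
    $row  = [pscustomobject]@{
        DC       = $dc.HostName
        Readable = $false
        Version  = $null
        Error    = $null
    }
    try {
        # -ErrorAction Stop turns "path not found" and "access denied" into
        # exceptions, so the reason is recorded per DC.
        $text = Get-Content -LiteralPath $path -ErrorAction Stop
        $row.Readable = $true
        $m = $text | Select-String -Pattern '^\s*Version\s*=\s*(\d+)' |
             Select-Object -First 1
        if ($m) { $row.Version = [int64]$m.Matches[0].Groups[1].Value }
    }
    catch {
        $row.Error = $_.Exception.Message
    }
    $row
}

$report | Format-Table -AutoSize

$unreadable = @($report | Where-Object { -not $_.Readable })
$versions   = @($report | Where-Object { $_.Readable } |
                ForEach-Object { $_.Version } | Sort-Object -Unique)

if ($unreadable.Count -gt 0) {
    Write-Warning ("gpt.ini missing or unreadable on: " + ($unreadable.DC -join ', '))
}
if ($versions.Count -gt 1) {
    Write-Warning ("DCs disagree on the GPO version: " + ($versions -join ', '))
}
if ($unreadable.Count -eq 0 -and $versions.Count -eq 1) {
    Write-Output "gpt.ini is present with version $($versions[0]) on all DCs."
}
```

A file that is missing on some DCs but present on others points to replication; a file missing everywhere points to a damaged GPO.
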
  • > design" so i have to find a solution. The suggested solution was to add
    > authenticated users to read and apply policies.
     
    No - "read" only, not "apply".
     
    > /nda.NORINC.NET\sysvol\noranda.NORINC.NET\Policies\{F5D9DCCE-20CE-4082-825C-D5028/
    > /97FFCB2}\gpt.ini from a domain controller and was not successful.
     
    Fix the journal wrap error on your PDC emulator :-)
     
     
    Wednesday, August 03, 2016 2:15 PM
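
The reply above says Authenticated Users needs Read, not Apply, on a security-filtered GPO. The following PowerShell is an added example, not part of the original thread: it lists every GPO that has no Authenticated Users entry and, only when asked, grants Read without Apply. It assumes the GroupPolicy module from GPMC/RSAT; `$Remediate` is a variable name chosen here.

```powershell
# Added example: lists GPOs on which Authenticated Users has no permission
# entry at all. Needs the GroupPolicy module (GPMC / RSAT).
Import-Module GroupPolicy

$AuthUsersSid = 'S-1-5-11'   # well-known SID of Authenticated Users
$Remediate    = $false       # set to $true only after reviewing the list

$missing = foreach ($gpo in Get-GPO -All) {
    # Older GroupPolicy modules name this cmdlet Get-GPPermissions.
    $acl   = @(Get-GPPermission -Guid $gpo.Id -All)
    $entry = $acl | Where-Object { $_.Trustee.Sid.Value -eq $AuthUsersSid }
    if (-not $entry) {
        [pscustomobject]@{
            DisplayName = $gpo.DisplayName
            Id          = $gpo.Id
            # Who the GPO is filtered to instead, shown for review.
            AppliesTo   = ($acl | Where-Object { $_.Permission -eq 'GpoApply' } |
                           ForEach-Object { $_.Trustee.Name }) -join '; '
        }
    }
}

$missing | Format-Table -AutoSize

if ($Remediate) {
    foreach ($g in $missing) {
        # GpoRead only: the existing security-group filter still decides
        # who receives the settings.
        Set-GPPermission -Guid $g.Id -TargetName 'Authenticated Users' `
            -TargetType Group -PermissionLevel GpoRead | Out-Null
        Write-Output "Granted Read to Authenticated Users on '$($g.DisplayName)'"
    }
}
```
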
