Group Policy Failed to Apply to User

    Question

  • There is a Windows 2008 R2 AD server running in our environment.

    I found that when I log on to a Windows 2008 R2 member server in the same domain by RDP, it takes a few minutes before my desktop loads.

    After checking the event log, I found the event below logged in Event Viewer.

    ======================================================================
    Log Name:      System
    Source:        Microsoft-Windows-GroupPolicy
    Date:          6/26/2012 10:47:41 AM
    Event ID:      1053
    Task Category: None
    Level:         Error
    Keywords:      
    User:          DEV\testuser
    Computer:      MMServer01.dev.org
    Description:
    The processing of Group Policy failed. Windows could not resolve the user name. This could be caused by one of more of the following:
    a) Name Resolution failure on the current domain controller.
    b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
        <EventID>1053</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>1</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2012-06-26T02:47:41.179958800Z" />
        <EventRecordID>7688</EventRecordID>
        <Correlation ActivityID="{94279898-7FC0-40A4-8BCB-8501B990030B}" />
        <Execution ProcessID="884" ThreadID="2668" />
        <Channel>System</Channel>
        <Computer>MMServer01.dev.org</Computer>
        <Security UserID="S-1-5-21-49650059-4034119095-1106440432-19082" />
      </System>
      <EventData>
        <Data Name="SupportInfo1">1</Data>
        <Data Name="SupportInfo2">1632</Data>
        <Data Name="ProcessingMode">1</Data>
        <Data Name="ProcessingTimeInMilliseconds">280546</Data>
        <Data Name="ErrorCode">1722</Data>
        <Data Name="ErrorDescription">The RPC server is unavailable. </Data>
      </EventData>
    </Event>
    ====================================================================

    I have tried running gpupdate and get a similar error when applying the user's group policy.

    The firewall allows the TCP 135 connection from MMServer01 to the AD server in the domain.

    So, I would like to know if there is any way to fix this problem.

    Thanks for any suggestion.

    B. rgds,

    Jordan

    Tuesday, June 26, 2012 9:17 AM

Answers

  • Edit: It seems I missed the last few lines you wrote. If you have only opened port 135 between the server and your internal network, you will be having issues. You need to allow your server to reach the following ports on a DC:

    UDP 88 - Kerberos Authentication

    UDP and TCP 135 - Client to domain controller operations (RPC)

    UDP 389 - LDAP queries

    TCP and UDP 464 - Kerberos Password Change

    TCP 3268 and 3269 - Global Catalog client to domain controller

    TCP and UDP 53 - DNS (assuming your DC is also acting as DNS, otherwise you need to open to your DNS server and point to it).

    It seems like the GPO isn't being applied because of DNS or AD replication issues.

    I can't help you with those issues with the current info, but let's start off by confirming the issue. Go to the domain controller where the GPO was made. Make sure you can see the GPO in Group Policy Management.

    Go to your terminal server and run "gpresult /r" in cmd. Take note of the DC listed under "Group Policy was applied from:", as you will need it in the next step.

    Go back to Group Policy Management, and right click your domain in the management console. Click "Change Domain Controller", and choose the DC from the previous step. Check if the GPO exists in the Group Policy Management console now. If it does not, you have a replication issue.

    If you don't know which GPO it is that is causing the issue, you can go to a DC which you know is working correctly and look through your GPOs to see which one has the GUID listed. This can be done by expanding "Group Policy Objects" in Group Policy Management and going through them one by one.


    Tuesday, June 26, 2012 10:57 AM
  • Hi,

    I agree with Behzad; he has provided useful suggestions on troubleshooting the issue.

    Based on your description, the issue could be caused by blocked ports. At this time, I suggest we run the Portqry tool to verify the ports between the member server and the DC. We could try to enable the needed ports to see if it works. Also please check the configuration of the firewall, or try to temporarily disable it, to verify the Group Policy preprocessing.

    For details, please refer to the following articles.

    Event ID 1053 — Group Policy Preprocessing (Security)

    http://technet.microsoft.com/en-us/library/cc727337(v=WS.10).aspx

    Description of the Portqry.exe command-line utility

    http://support.microsoft.com/kb/310099

    How to use Portqry to troubleshoot Active Directory connectivity issues

    http://support.microsoft.com/kb/816103

    How to configure a firewall for domains and trusts

    http://support.microsoft.com/kb/179442

    Regards,

    Andy

    Wednesday, June 27, 2012 5:15 AM
    Moderator
  • Hi All,

    Thanks for all your suggestions.

    I think that I have found the root cause: RPC random ports are blocked on the MMServer01 side. After opening those ports on the firewall for MMServer01, when logging on to MMServer01 with RDP the same error was not logged again in Event Viewer.

    Thanks for all your help so far.

    B.rgds,

    Jordan

    • Marked as answer by Jordan023 Wednesday, June 27, 2012 8:17 AM
    Wednesday, June 27, 2012 8:17 AM
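A port check that covers both Behzad's list above and the RPC dynamic-range block Jordan found, added here as an example and not taken from the thread. The DC name dc01.dev.org and the sampled dynamic ports are assumptions; only the TCP side is probed, so use PortQry for the UDP ports.

```powershell
# Added example, not from the thread: from the member server, probe the DC ports
# listed in the answer (TCP side only) plus a sample of the RPC dynamic range.
# $Dc and the sampled ports are assumptions for this example.
# UDP 53/88/389 are not probed here; use PortQry (see Andy's links) for UDP.
param([string]$Dc = "dc01.dev.org")   # hypothetical DC name, replace with yours

function Test-TcpPort {
    param([string]$Computer, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Computer, $Port, $null, $null)
        # Neither SYN/ACK nor RST within the timeout usually means a firewall drops it.
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return 'Filtered (timeout)' }
        $client.EndConnect($ar)
        return 'Open'
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        # RST means the packet reached the DC and nothing listens there: path is open.
        if ($ex -is [System.Net.Sockets.SocketException] -and
            $ex.SocketErrorCode -eq 'ConnectionRefused') { return 'Closed (RST, path is open)' }
        return "Error: $($ex.Message)"
    } finally { $client.Close() }
}

# Fixed ports from the answer above (TCP). 135 is only the endpoint mapper; the
# actual RPC call is redirected to a port in the dynamic range probed below.
$fixedPorts = @{
    53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP'
    464 = 'Kerberos password change'; 3268 = 'Global Catalog'; 3269 = 'Global Catalog (SSL)'
}
"== Fixed ports on $Dc =="
foreach ($p in ($fixedPorts.Keys | Sort-Object)) {
    '{0,5} {1,-26} {2}' -f $p, $fixedPorts[$p], (Test-TcpPort -Computer $Dc -Port $p)
}

# Windows Server 2008 and later use TCP 49152-65535 as the default RPC dynamic range.
# A DC listens on only a few of these, so 'Closed (RST)' is the healthy answer for an
# arbitrary port in the range; 'Filtered' across the whole sample is the symptom here.
# Caveat: a host firewall on the DC that silently drops unlisted ports also shows 'Filtered'.
$sample = 49152, 49155, 49158, 55000, 65535
"== RPC dynamic range sample on $Dc =="
foreach ($p in $sample) {
    '{0,5} {1,-26} {2}' -f $p, 'RPC dynamic range', (Test-TcpPort -Computer $Dc -Port $p)
}
```

Compare the result for 135 with the dynamic-range sample: 135 open but every sampled port filtered is exactly the "RPC server is unavailable" pattern in the event above.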

All replies

  • Hi,

    I’m glad to hear that the issue has been resolved. And thanks for sharing your solution to the issue. If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.

    Regards,

    Andy

    Thursday, June 28, 2012 1:52 AM
    Moderator
  • Sometimes here at our domain, GP stops working because of false temp accounts, for instance:

    your domain is bob.com

    people logging in as bob\Username instead of just bob on a computer that is already on the domain...

    this works for me a lot when GPUPDATE fails

    Tuesday, October 22, 2013 7:00 PM