"No settings defined": Missing GPO settings after edit

    Question

  • DFSR problem? xml locked an issue? Maybe. We have a lot of GPOs and it seems even the smaller ones we are editing lose their settings after being edited. Causing a lot of headaches.

    Symptoms:

    1. GPO is edited, or an edit is attempted, and we get an "Access denied" error. We see open connections from clients in the middle of updating GP that have the .xml under the GPO's GUID folder locked. We continue to attempt the edits until they take without error.

    2. About 5 minutes go by (standard timeframe for DC gpupdate)

    3. Come back to see the settings are COMPLETELY gone...not just our edits...everything! GPO GUID folder still exists

    4. Restoring the GPO from backup usually fixes the issue.

    More info:

    1. DFSR used for replication

    2. repadmin shows no errors

    3. DSSite manual replication works fine

    4. 300MB+ sysvol

    5. 5 child DCs total

    6. No errors found under the Application, System, or Group-Policy event logs


    • Edited by 98cwitr Wednesday, May 04, 2016 8:07 PM
    Wednesday, May 04, 2016 8:07 PM

Answers

  • Hi,

    It seems that the file is being used by another process. Maybe you need to restart the services for AD and others on these servers so all filelocks are released if that is the case. There are also third-party utilities to check. Check the DC which is PDC, this is the server in use when you edit gpo's.

    Besides, you could try the below setting:

    Open up gpedit.msc on the problematic server.

    User Configuration > Administrative Templates > System > Group Policy

    Change the following policy "Group Policy domain controller selection"

    Enable this and set it to use "Use any available domain controller"

    Close gpedit.msc and run gpupdate /force

    Try to deploy policy again.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, May 06, 2016 2:02 AM
    Moderator

All replies

  • Hi,

    Thanks for your post.

    When did this issue start to occur? Before the issue happened, did you do any modifications?

    Have you tried re-applying the permissions on the GUID folder?

    In order to narrow down the issue, please help collect the information below:

    To Collect PROCMON logs while getting access is denied:

    - Download Process Monitor from the following link on PDC Emulator: https://technet.microsoft.com/en-us/library/bb896645.aspx

    - Open ProcMon accept license for installation then let it work

    - Reproduce this issue until you get "Access is denied".

    - Save the ProcMon log and paste it in our forum for analysis.

    Best Regards,

    Alvin Wang


    Thursday, May 05, 2016 7:05 AM
    Moderator
  • Thanks for the reply. I'll run procmon and see what I can gather. Issue seemed to start about the time we switched from using ntfrs to dfsr. Today I traced the behavior watching replication within the GPO folders on each DC. Here's what it's doing

    1. dc1 - Access denied trying to change the GPO. A registry.tmp file appears in the GPO folder

    The access denied message I believe is directly due to the fact that we have a scheduled task deploying via the GPO, and users are pulling that .xml file from SYSVOL on that particular DC. We have 10,000 clients, so there's a lot of traffic.

    2. I switch to dc2 and attempt to change GPO with error.

    3. registry.pol a few minutes later is deleted from SYSVOL on dc1, .tmp file remains.

    4. Replication sees this change, and then next thing you know registry.pol is deleted from all the other DCs!!

    If we wait for the .xml files to unlock the problem does not occur.

    So my question now is, what do I do with an orphaned registry.tmp file?
    • Edited by 98cwitr Friday, May 06, 2016 3:09 PM
    Thursday, May 05, 2016 8:33 PM
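
    A check worth running on every DC before attempting the edit again (added example, not code from this thread): it walks each DC's copy of one GPO's SYSVOL folder and flags the states described above, that is client SMB handles still open under the folder, an orphaned registry.tmp, a missing registry.pol, plus GPT.INI version drift between DCs. It assumes the RSAT ActiveDirectory module, the SmbShare cmdlets (Server 2012 or later) and admin rights on the DCs; $GpoGuid is a placeholder for the GPO's GUID folder name.

```powershell
# Added example (not from the thread): audit one GPO's SYSVOL folder on every DC.
# Assumes the RSAT ActiveDirectory module, SMB cmdlets (Server 2012+), and admin rights on the DCs.
param(
    [Parameter(Mandatory)][string]$GpoGuid,          # e.g. '{GUID-OF-THE-GPO}' (placeholder)
    [string]$Domain = (Get-ADDomain).DNSRoot
)

$report = foreach ($dc in (Get-ADDomainController -Filter *)) {
    $base   = "\\$($dc.HostName)\SYSVOL\$Domain\Policies\$GpoGuid"
    $gptIni = Join-Path $base 'GPT.INI'

    # Version stamp from GPT.INI: DCs that disagree are behind or have diverged.
    $version = $null
    if (Test-Path $gptIni) {
        $line = Get-Content $gptIni | Where-Object { $_ -like 'Version=*' } | Select-Object -First 1
        if ($line) { $version = [int]($line -split '=')[1] }
    }

    # The two on-disk symptoms from the thread: registry.pol gone, registry.tmp left behind.
    $polFiles = Get-ChildItem -Path $base -Recurse -Filter 'registry.pol' -ErrorAction SilentlyContinue
    $tmpFiles = Get-ChildItem -Path $base -Recurse -Filter 'registry.tmp' -ErrorAction SilentlyContinue

    # Client SMB handles still open under this GPO (the cause of the 'Access denied' on edit).
    $open = @()
    try {
        $open = @(Get-SmbOpenFile -CimSession $dc.HostName -ErrorAction Stop |
                  Where-Object { $_.Path -like "*\Policies\$GpoGuid\*" })
    } catch { Write-Warning "$($dc.HostName): could not query open SMB files ($($_.Exception.Message))" }

    [pscustomobject]@{
        DC          = $dc.HostName
        GptVersion  = $version
        RegistryPol = @($polFiles | ForEach-Object { "$($_.Directory.Name)\$($_.Name) ($($_.Length) B)" }) -join '; '
        OrphanTmp   = @($tmpFiles | ForEach-Object { $_.FullName }) -join '; '
        OpenHandles = $open.Count
        OpenClients = @($open.ClientComputerName | Sort-Object -Unique) -join ','
    }
}

$report | Format-Table -AutoSize

# Conditions worth acting on before editing again, or before a bad state replicates further.
$versions = @($report.GptVersion | Where-Object { $null -ne $_ } | Sort-Object -Unique)
if ($versions.Count -gt 1) { Write-Warning "GPT.INI Version differs across DCs: $($versions -join ', ')" }
$report | Where-Object { $_.OrphanTmp }        | ForEach-Object { Write-Warning "$($_.DC): orphaned registry.tmp present" }
$report | Where-Object { -not $_.RegistryPol } | ForEach-Object { Write-Warning "$($_.DC): no registry.pol found under $GpoGuid" }
$report | Where-Object { $_.OpenHandles -gt 0 } | ForEach-Object { Write-Warning "$($_.DC): $($_.OpenHandles) client handle(s) still open; wait before editing" }
```

    Run it from a management host as a domain admin; a DC that still shows open handles or a stale GPT.INI version is the one to leave alone until replication and the client downloads have finished.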
  • FYI, don't try procmon on a production DC serving 10000+ clients. It goes south real quick ;)
    Friday, May 06, 2016 12:49 PM
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Alvin Wang


    Monday, May 09, 2016 2:38 AM
    Moderator