Group policy failing only on one system

    Question

  • I updated a firewall related GPO on a few servers and noticed the port wasn't configured on one of the servers even after rebooting.  I checked the other servers and the new settings were applied successfully.

    The error message is pointing towards there being a replication error on a domain controller, but that makes no sense because only one system has this issue and they are all identical Server 2012 R2 Hyper-V machines on a Server 2008 AD domain.

    There is network connectivity because I can log in with a new domain user profile and ping all of the domain controllers.

    When I try to do gpupdate /force it fails on this server.  When I run the same command on other servers, the gpupdate completes successfully. 

    I logged into a domain controller and verified that I could connect to all the other domain controllers and that was successful.

    This makes me think the problem is on the client server and not any of the domain controllers, however this is what the error from gpupdate /force command says:

    The processing of Group Policy failed. Windows attempted to read the file \\domainname.com\SysVol\domainname.com\Policies\{XXXXXXXX-XXXX-XXXX}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:

    a) Name Resolution/Network Connectivity to the current domain controller.

    b) File Replication Service Latency (a file created on another domain controller

    has not replicated to the current domain controller).

    c) The Distributed File System (DFS) client has been disabled.

    User Policy update has completed successfully.

    ==================================================================

    I don't see any DFS client on the server (we are not using DFS anyway).

    It is saying it cannot read policies on a domain controller, however every other system I checked seems to have no problem reading the same policies.

    What could cause this problem on a single server?






    • Edited by MyGposts Saturday, September 12, 2015 3:36 AM
    Saturday, September 12, 2015 3:32 AM

All replies

  • Hi MyGposts,

    Thanks for your post.

    In general, this problem is caused by one of the following:

    1. SYSVOL replication is broken and the GPO's contents in SYSVOL are not replicated to every DC

    2. The GPO is truly corrupt in SYSVOL and missing one or more key files

    3. The client can't resolve the DFS path to SYSVOL. I've seen this caused by disabling the "TCP/IP NetBIOS Helper" service, so you should check that.

    You could check the Details tab of the error message. The error description fields further identify the reason for the failure.

    Please also read the articles for more details.

    https://technet.microsoft.com/en-us/library/cc727259(v=ws.10).aspx

    Best Regards,

    Mary Dong



    Monday, September 14, 2015 3:10 AM
    Moderator
  • I checked tcp/ip helper service and it is running.

    I ran the AD replication status tool and all domain controllers' last sync status is "The operation completed successfully."

    As far as corrupted GPO, that doesn't seem to be the case since this issue seems to only affect a single system on the domain.

    This is the most I can see in logs.

    Computer>server12.domain.com</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='OperationElaspedTimeInMilliSeconds'>0</Data><Data Name='ErrorCode'>5</Data><Data Name='OperationDescription'>%%4132</Data><Data Name='Parameter'>\\domain.com\SysVol\domain.com\Policies\{438002B6-92E1-4A5D-8E54-31FE053C1558}\gpt.ini</Data></EventData></Event>

    7017 The system calls to access specified file completed. \\domain.com\SysVol\domain.com\Policies\{438002B6-92E1-4A5D-8E54-31FE053C1558}\gpt.ini The call failed after 0 milliseconds. 9/10/2015 3:22:28 PM 2

    <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-GroupPolicy' Guid='{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}'/><EventID>7257</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x4000000000000000</Keywords><TimeCreated SystemTime='2015-09-10T22:22:28.038661000Z'/><EventRecordID>18229</EventRecordID><Correlation ActivityID='{8D656220-D928-4610-AF35-5844940466E9}'/><Execution ProcessID='800' ThreadID='1508'/><Channel>Microsoft-Windows-GroupPolicy/Operational</Channel><Computer>server12.domain.com</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='IsMachine'>true</Data><Data Name='ErrorCode'>5</Data><Data Name='PolicyDownloadTimeElapsedInMilliseconds'>328</Data></EventData></Event>

    7257 Downloaded policies with error. 9/10/2015 3:22:28 PM 4

    <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-GroupPolicy' Guid='{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}'/><EventID>5126</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x4000000000000000</Keywords><TimeCreated SystemTime='2015-09-10T22:22:28.038661000Z'/><EventRecordID>18230</EventRecordID><Correlation ActivityID='{8D656220-D928-4610-AF35-5844940466E9}'/>

    The details on a system event log error 1056 says "access denied" to the gpt.ini file location.

    However, that does not explain why access would be denied.  Nobody edited any file paths to deny access to this system.

    Monday, September 14, 2015 3:49 AM
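
Added example (not part of the thread and not Microsoft's code): a PowerShell check, run on the affected member server, that separates the three causes listed in the reply by reading gpt.ini through the domain path and from each domain controller directly. The `$GpoGuid` default is a placeholder, and the `DisableDfs` registry value and the service names are what this sketch assumes the client depends on.

```powershell
# Added example. Replace the placeholder with the GUID shown in the gpupdate error.
param(
    [string]$GpoGuid = '{00000000-0000-0000-0000-000000000000}'   # placeholder
)

# The events in the thread show the failing read ran as S-1-5-18 (LocalSystem)
# with ErrorCode 5 (access denied). Run this under that account to reproduce it;
# run interactively, it only tests the logged-on user's access to SYSVOL.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$rel    = "SysVol\$($domain.Name)\Policies\$GpoGuid\gpt.ini"

# Cause 3: services and client setting needed to resolve \\<domain>\SysVol.
# lmhosts is the service name of "TCP/IP NetBIOS Helper".
Get-Service -Name lmhosts, LanmanWorkstation, Netlogon |
    Select-Object Name, DisplayName, Status | Format-Table -AutoSize
$mup = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Mup' -ErrorAction SilentlyContinue
"DisableDfs = $(if ($null -ne $mup.DisableDfs) { $mup.DisableDfs } else { 'not set' })"

# Causes 1 and 2: read gpt.ini via the domain name, then from every DC by name.
$targets = @($domain.Name) + @($domain.DomainControllers | ForEach-Object { $_.Name })
$results = foreach ($t in $targets) {
    $path = "\\$t\$rel"
    try {
        $text = (Get-Content -LiteralPath $path -ErrorAction Stop) -join "`n"
        $ver  = if ($text -match '(?m)^\s*Version\s*=\s*(\d+)') { $Matches[1] } else { 'n/a' }
        [pscustomobject]@{ Target = $t; Readable = $true;  Version = $ver; Error = '' }
    } catch {
        # Keep the exception type so "access denied" is distinguishable from
        # "path not found" or a name-resolution failure.
        [pscustomobject]@{ Target = $t; Readable = $false; Version = '';
                           Error = "$($_.Exception.GetType().Name): $($_.Exception.Message)" }
    }
}
$results | Format-Table -AutoSize -Wrap

# Reading the table:
#  - domain path fails, every DC path works  -> path resolution on this client (cause 3)
#  - file missing or Version differs on a DC -> SYSVOL replication (cause 1)
#  - file missing on every DC                -> GPO damaged in SYSVOL (cause 2)
#  - access denied on paths that other servers can read -> look at this
#    machine's own authentication and permissions, not at the GPO
```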