none
GPP won't apply (0x80070002 - System cannot find the file specified)

    Question

  • Hello.

    We've just migrated from WS2008R2 RDS to WS2012R2 RDS. We have a GPO preference item that specify Internet Explorer settings (via the Internet Settings GPP) - User portion of the GPO.

    The problem is that these Internet settings won't apply for users on the new RDS server.

    I've enabled tracing and this is logged every time the GPO refreshes or when I do a gpupdate:

    2015-05-15 14:26:54.629 [pid=0x2700,tid=0x42b0] Entering ProcessGroupPolicyExInternet()
    2015-05-15 14:26:54.630 [pid=0x2700,tid=0x42b0] SOFTWARE\Policies\Microsoft\Windows\Group Policy\{E47248BA-94CC-49c4-BBB5-9EB7F05183D0}
    2015-05-15 14:26:54.631 [pid=0x2700,tid=0x42b0] BackgroundPriorityLevel ( 7 )
    2015-05-15 14:26:54.631 [pid=0x2700,tid=0x42b0] DisableRSoP ( 0 )
    2015-05-15 14:26:54.631 [pid=0x2700,tid=0x42b0] LogLevel ( 2 )
    2015-05-15 14:26:54.631 [pid=0x2700,tid=0x42b0] Command subsystem initialized. [SUCCEEDED(S_FALSE)]
    2015-05-15 14:26:54.655 [pid=0x2700,tid=0x42b0] Variables subsystem initialized. [ hr = 0x80070002 "System cannot find the file specified." ]
    2015-05-15 14:26:54.657 [pid=0x2700,tid=0x42b0] Leaving ProcessGroupPolicyExInternet() returned 0x00000002

    The GPO GUID listed here is one that specifies (enables) the GPO tracing, not the GPO that configures the Internet settings.

    We've configured the GPP item with "Run in logged-on user's security context (user policy option)" option. I've also tried using it with this option unchecked (which doesn't make sense to me since it runs under the SYSTEM account then) and that didn't work either (obviously in my oppinion, just wanted to double check everything).

    The interesting bit is that the GPP applies to users (same ones) logging to the old 2008R2 RDS just fine, it's just failing on the new RDS.

    I thought this might be some permissions problem, so here's what I've tried (for completeness sake):

     - modified the GPO permissions (Delegation tab in GPMC) to explicitly add the computer account (Read permissions) - didn't change anything (as it shouldn't, since Authenticated Users are already included)

     - checked that both the SYSTEM account and the regular user that logs on can see, browse and read all files from the GPO in the SYSVOL folder (via \\domain.fqdn\SYSVOL\Policies\<GPO_GUID>)

     - created new GPO with the same GPP Internet settings configuration, that applies only to the new RDSH server, didn't help

    The same problem occurs for other GPP items like shortcuts or registry items. The problem doesn't occur for a domain admin account. This would indicate a permission problem somewhere, however the logging isn't too VERBOSE since it doesn't even say WHAT file it cannot access.

    Any help is appreciated.

    Friday, May 15, 2015 1:05 PM

All replies

  • > SOFTWARE\Policies\Microsoft\Windows\Group
    > Policy\{E47248BA-94CC-49c4-BBB5-9EB7F05183D0}
     
    > The GPO GUID listed here is one that specifies (enables) the GPO
    > tracing, not the GPO that configures the Internet settings.
     
    No. The GUID listet here is the CSE GUID for Internet Settings.
     
    Did you check sysvol replication health? (FRS/DFSR event logs)
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Friday, May 15, 2015 2:28 PM
  • Sysvol rep. health is fine.

    Any other ideas?

    Sunday, May 17, 2015 11:06 AM
  • Hi,

    >>The problem is that these Internet settings won't apply for users on the new RDS server

    What specific settings did we configure via Internet Settings extension?  Here, after logging on with an affected user account, we can run command gpresult/h report.html on both WS2008R2 RDS and WS2012R2 RDS and compare the reports generated by the command to see if we can find something related. If necessary, you may upload the reports to OneDrive and provide us the download link.

    Best regards,
    Frank Shen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, May 18, 2015 8:42 AM
    Moderator
  • I can list the settings applied, but I think it has little relevance. You may have overlooked it, but the same problem occurs if I use GPP shortcuts or registry settings, so the problem is most likely elsewhere than in the Internet settings themselves. If it's really necessary, I can post/upload the XML file (with any private info removed). To summarize, it configures: home page tabs and modifies security options of the zones (internet, intranet etc.).

    I can do a gpresult for an user on both servers, but the results will be different, since there's a different set of GPOs applied to both servers. And since the Internet settings are failing on the 2012R2 server, they obviously don't show in gpresult.

    Also as I've already stated, the same problem occurs when I create brand new GPO with the same Internet settings GPP that applies to the users only on the 2012R2 server (therefore ruling out the original GPO that applied to both servers as the culprit).


    • Edited by MarkosP Monday, May 18, 2015 9:20 AM
    Monday, May 18, 2015 9:15 AM