Sysvol permissions for one or more GPO are not in sync

  • Question

  • We have 8 domain controllers: 6 are 2008 R2 and 2 are Server 2016.  The status tab of every GPO on both Server 2016 servers states:

    The SYSVOL permissions of one or more GPO's on this domain controller are not in sync with the permissions for the GPO's on the Baseline domain controller.

    However, when you compare the ACLs of each GPO, they are identical on every server.

    If you create a new GPO it still has this error.

    So far we have applied software updates to both Server 2016 servers and rebooted them.  We have migrated our SYSVOL replication from FRS to DFSR. 

    I am not sure what else to look at.

    Friday, January 11, 2019 4:22 PM

Answers

  • We opened a ticket with Microsoft and they solved it.

    Server 2008 and prior domain controllers create two Domain Admin accounts with permissions on the GPOs.  We could not see both in the GUI but when we ran icacls {GPO UID} on the Server 2008 domain controller you see both Domain Admin accounts.

    Server 2012 and newer domain controllers only create a single Domain Admin account with access.  In the 2018.6C (June 21 Rollup, links below) patch for 2016 and 2012R2, a new function was introduced to remove duplicate ACEs in order to reduce the NTFS Security Descriptor stream size. Machines with this patch will no longer write that duplicate ACE, thereby making them inconsistent with the unpatched ones.

    To fix it, we logged into the Server 2008 domain controller and ran the following command against all the GPOs to remove both Domain Admins accounts:

    icacls "{GPO UID}" /remove:g "<localdomain>\Domain Admins"

    Then the following command to add a single Domain Admins account back to the GPO:

    icacls "{GPO UID}" /grant "<localdomain>\Domain Admins":(OI)(CI)(F)

    We then forced replication again with these two commands:

    repadmin /syncall

    repadmin /syncall /AdePq

    After that we re-ran the Detect Now on the server 2016 and all servers were green.

    IMPORTANT NOTE:

    If you create a new policy on Server 2008 it will get the second domain admin account again.  So to prevent it from happening going forward you should create the GPOs on Server 2016.

    • Marked as answer by Daniel Kaliel Wednesday, January 16, 2019 9:58 PM
    Wednesday, January 16, 2019 9:58 PM
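The accepted answer above relies on icacls to expose the second Domain Admins ACE that the GUI hides, and then removes and re-grants the entry per GPO. The PowerShell below is an added example written for this thread; it is not code from the original posts or from Microsoft. It parses icacls output into a multiset of ACEs so that a duplicated entry is counted twice, compares each GPO folder on every DC against a baseline DC (the comparison the question says came out "identical" when done in the GUI), lists the folders that actually carry a duplicate, and applies the thread's remove-then-grant fix only to those. The domain name corp.example, the DC names DC1/DC2/DC3, the group name CORP\Domain Admins, reachable \\<DC>\SYSVOL shares, and the icacls output layout (path plus first ACE on line 1, one ACE per following line, then a "Successfully processed" summary) are all assumptions.

```powershell
# Added example for this thread; it is not code from the original posts or from Microsoft.
# Assumptions (all placeholders): domain DNS name corp.example, DCs DC1/DC2/DC3, the group
# name CORP\Domain Admins, reachable \\<DC>\SYSVOL shares, icacls.exe on the path, and the
# icacls output layout (path plus first ACE on line 1, one ACE per following line, then a
# 'Successfully processed ...' summary line). Run it as a Domain Admin.

function Get-IcaclsAce {
    # Return the ACE strings icacls prints for $Path, e.g. 'CORP\Domain Admins:(OI)(CI)(F)'.
    # Unlike the GUI, icacls lists a duplicated ACE twice, which is exactly what we need to see.
    param([Parameter(Mandatory)][string]$Path)
    $lines = @(& icacls.exe $Path 2>&1 | ForEach-Object { "$_" } |
               Where-Object { $_.Trim() -and $_ -notmatch '^Successfully processed' })
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for ${Path}: $($lines -join ' ')" }
    if ($lines.Count -gt 0) {
        # Line 1 is '<path> <first ACE>'; SYSVOL paths contain no spaces, so split on the first run.
        $lines[0] = if ($lines[0] -match '^\S+\s+(.*)$') { $Matches[1] } else { '' }
    }
    $aces = @($lines | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    return ,$aces
}

function Get-AceCount {
    # ACE string -> number of occurrences, so a second identical ACE is not collapsed away.
    param([string[]]$Ace)
    $count = @{}
    foreach ($a in $Ace) { $count[$a] = 1 + [int]$count[$a] }
    return $count
}

function Find-DuplicateGpoAce {
    # Every GPO folder under $PoliciesRoot that carries the same ACE more than once, i.e. the
    # symptom the thread traced to 2008-era DCs writing the Domain Admins entry twice.
    param([Parameter(Mandatory)][string]$PoliciesRoot)
    $dirs = Get-ChildItem -LiteralPath $PoliciesRoot -Filter '{*}' | Where-Object { $_.PSIsContainer }
    foreach ($dir in $dirs) {
        $count = Get-AceCount -Ace (Get-IcaclsAce -Path $dir.FullName)
        foreach ($ace in @($count.Keys)) {
            if ($count[$ace] -gt 1) {
                [pscustomobject]@{ Gpo = $dir.Name; Path = $dir.FullName; Ace = $ace; Count = $count[$ace] }
            }
        }
    }
}

function Compare-GpoAclAcrossDC {
    # Compare each GPO folder's ACE multiset on every DC with the baseline DC. A duplicate ACE
    # on one side is reported as a difference even though the GUI shows 'identical' ACLs.
    param([Parameter(Mandatory)][string]$Domain,
          [Parameter(Mandatory)][string]$BaselineDC,
          [Parameter(Mandatory)][string[]]$DC)
    $baseRoot = "\\$BaselineDC\SYSVOL\$Domain\Policies"
    $dirs = Get-ChildItem -LiteralPath $baseRoot -Filter '{*}' | Where-Object { $_.PSIsContainer }
    foreach ($dir in $dirs) {
        $base = Get-AceCount -Ace (Get-IcaclsAce -Path $dir.FullName)
        foreach ($name in @($DC | Where-Object { $_ -ne $BaselineDC })) {
            $path  = "\\$name\SYSVOL\$Domain\Policies\$($dir.Name)"
            $other = if (Test-Path -LiteralPath $path) { Get-AceCount -Ace (Get-IcaclsAce -Path $path) } else { @{} }
            foreach ($ace in @(@($base.Keys) + @($other.Keys) | Sort-Object -Unique)) {
                if ([int]$base[$ace] -ne [int]$other[$ace]) {
                    [pscustomobject]@{ Gpo = $dir.Name; DC = $name; Ace = $ace
                                       Baseline = [int]$base[$ace]; Actual = [int]$other[$ace] }
                }
            }
        }
    }
}

function Repair-DuplicateGpoAce {
    # The thread's fix, limited to folders that actually carry the duplicate: strip every granted
    # ACE for the group, then grant one Full Control ACE that inherits to files and subfolders.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$PoliciesRoot,
          [Parameter(Mandatory)][string]$Group)    # e.g. 'CORP\Domain Admins' (placeholder)
    $hits = @(Find-DuplicateGpoAce -PoliciesRoot $PoliciesRoot | Where-Object { $_.Ace -like "${Group}:*" })
    foreach ($hit in $hits) {
        if ($PSCmdlet.ShouldProcess($hit.Path, "collapse $($hit.Count) '$Group' ACEs into one")) {
            & icacls.exe $hit.Path /remove:g $Group | Out-Null
            & icacls.exe $hit.Path /grant "${Group}:(OI)(CI)(F)" | Out-Null
        }
    }
    return ,$hits
}

# Usage (placeholders):
#   Compare-GpoAclAcrossDC -Domain corp.example -BaselineDC DC1 -DC DC1,DC2,DC3 | Format-Table
#   Find-DuplicateGpoAce -PoliciesRoot \\DC1\SYSVOL\corp.example\Policies | Format-Table
#   Repair-DuplicateGpoAce -PoliciesRoot \\DC1\SYSVOL\corp.example\Policies -Group 'CORP\Domain Admins' -WhatIf
```

Two cautions. `/remove:g` strips every granted ACE for the group, whatever its rights, before the single Full Control entry is put back, so run the `-WhatIf` pass and read the `Find-DuplicateGpoAce` output first; if a GPO folder carries Domain Admins entries with differing rights, that is a different problem from the one in this thread. And the folder ACL reaches the other DCs through SYSVOL replication (FRS or DFSR), not through `repadmin`, which only forces Active Directory replication; the GPMC status check covers both the AD object and the SYSVOL folder, which is why the thread ran both and then re-ran Detect Now.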

All replies

  • Hi Daniel,

    you might want to give this one a try

    https://social.technet.microsoft.com/Forums/ie/en-US/1a5db5cb-f194-40b5-8545-37ccbac300e1/windows-server-2012-gpos-wont-sync?forum=winserverGP

    hth
    Marcin

    Friday, January 11, 2019 8:11 PM
  • Hi,

    Can you tell us which error you get? we need more details about your problem.


    Please don't forget to mark the correct answer, to help others who have the same issue. Thameur BOURBITA MCSE | MCSA My Blog : http://bourbitathameur.blogspot.fr/

    Friday, January 11, 2019 9:34 PM
  • You will need to check on the failures and what could the errors be. Please use dcdiag and repadmin commands on your domain controllers to check on your DCs health and replication status.

    As well, the following provides basic troubleshooting steps that can help you: https://social.technet.microsoft.com/wiki/contents/articles/18513.active-directory-replication-issues-basic-troubleshooting-steps-single-ad-domain-in-a-single-ad-forest.aspx


    This posting is provided AS IS with no warranties or guarantees , and confers no rights.

    Ahmed MALEK


    Sunday, January 13, 2019 1:39 AM
  • Hello,

    Try to check if AD replication and SYSVOL replication are good on all the domain controllers.


    Check the DFSR(SYSVOL) replication status command:

    Wmic /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo get replicationgroupname,replicatedfoldername,state

    Check AD replication status commands:
    repadmin /showrepl 

    Dcdiag


    If all of the above is OK, this may occur when a GPO has changed on the local computer but a replication event has not yet completed to the other participating domain controllers. We can try waiting 15-20 minutes or more, refresh the GPMC, and then see whether the error disappears. I am looking forward to your reply.

    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Monday, January 14, 2019 4:22 AM
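The reply above suggests checking DFSR state for SYSVOL with wmic and AD replication with repadmin and dcdiag before looking further. The script below is an added example for this thread, not code from the post or from Microsoft: it runs the same two checks across a list of DCs at once, decodes the numeric DfsrReplicatedFolderInfo.State values that wmic prints raw, and filters the repadmin CSV down to partner links that actually have failures. The DC names are placeholders, and it assumes the caller can query CIM on each DC and has repadmin.exe (the AD DS RSAT tools) installed.

```powershell
# Added example, not part of the thread. Assumptions: DC names are placeholders, the caller can
# query CIM/WMI on each DC, and repadmin.exe (RSAT / AD DS tools) is present on this machine.

# DfsrReplicatedFolderInfo.State values as documented for the MicrosoftDFS WMI provider.
$DfsrStateName = @{
    0 = 'Uninitialized'; 1 = 'Initialized'; 2 = 'Initial Sync'
    3 = 'Auto Recovery'; 4 = 'Normal';      5 = 'In Error'
}

function Get-SysvolDfsrState {
    # One row per replicated folder per DC. Anything but 'Normal' (or a failed query) means the
    # DCs may simply not have converged yet, so comparing GPO ACLs between them is premature.
    param([Parameter(Mandatory)][string[]]$DC)
    foreach ($name in $DC) {
        try {
            $rows = Get-CimInstance -ComputerName $name -Namespace 'root\MicrosoftDFS' `
                        -ClassName DfsrReplicatedFolderInfo -ErrorAction Stop
        } catch {
            [pscustomobject]@{ DC = $name; Group = $null; Folder = $null
                               State = "query failed: $($_.Exception.Message)"; Healthy = $false }
            continue
        }
        foreach ($r in $rows) {
            $state = $DfsrStateName[[int]$r.State]
            if (-not $state) { $state = "unknown ($($r.State))" }
            [pscustomobject]@{ DC = $name; Group = $r.ReplicationGroupName; Folder = $r.ReplicatedFolderName
                               State = $state; Healthy = ($state -eq 'Normal') }
        }
    }
}

function Get-AdReplicationFailure {
    # 'repadmin /showrepl * /csv' emits one row per inbound partner link; keep only failing links.
    $rows = & repadmin.exe /showrepl '*' /csv | ConvertFrom-Csv
    $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Status', 'Last Success Time'
}

# Usage (placeholders):
#   Get-SysvolDfsrState -DC DC1,DC2,DC3 | Format-Table
#   Get-AdReplicationFailure | Format-Table
```

`Get-CimInstance -ComputerName` talks WS-Man; for an older DC that only answers over DCOM, build the session with `New-CimSession -ComputerName <DC> -SessionOption (New-CimSessionOption -Protocol Dcom)` and pass it via `-CimSession` instead. A DC that still replicates SYSVOL with FRS returns no SYSVOL row from the MicrosoftDFS namespace at all, which is itself worth knowing before chasing ACL differences.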
  • Everything comes up with no errors.  The GPOs replicate and permissions appear correct but we get that error on all GPOs and new ones do not get applied on the clients.
    Tuesday, January 15, 2019 3:28 AM
  • We have waited a couple of weeks.  Everything appears fine, GPOs replicate and the permissions appear correct when inspected.  BUT, we get that message in GPMC after clicking Detect Now on Server 2016 and any new GPOs do not get applied on the clients.  They do not appear on the Allowed or Denied lists in the GPResult results on the clients.
    Tuesday, January 15, 2019 3:30 AM
  • The SYSVOL permissions of one or more GPO's on this domain controller are not in sync with the permissions for the GPO's on the Baseline domain controller.
    Tuesday, January 15, 2019 3:31 AM
  • Hi,

    According to my research, here is a similar case posted on August 16th, 2018: 
    Server 2016: Is the sysvol sync bug in July showing up in August?

    It may be that not all updates are installed on Server 2016, which produces the error message. Once all of those updates are installed the problem should be resolved; for details we can refer to the above discussion.

    We can check which updates are installed with the PowerShell command Get-HotFix.

    We can check whether there is any update we have not installed yet in the following catalog entry:
    http://www.catalog.update.microsoft.com/Search.aspx?q=kb4343887


    If it does not work, please provide the following information:

    1. Are all 8 domain controllers (6 are 2008 R2 and 2 are Server 2016) in the same domain?

    2. According to "BUT, we get that message in GPMC after clicking Detect Now on Server 2016 and any new GPOs do not get applied on the clients", do we mean if we create any new GPO on server 2016, any new GPO can not be applied on the client?

    3. Or if we create a new GPO on 2008 R2, can this GPO be applied on the clients?


    Tip: This answer contains the content of a third-party website. Microsoft makes no representations about the content of these websites. We provide this content only for your convenience.

    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, January 15, 2019 9:30 AM
  • Hi,
    Thank you for your update and sharing. I’m very glad that the problem has been solved.
     
    Thanks for your time and have a nice day!
     
    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, January 17, 2019 1:12 AM
  • Hi Daniel,

    Just wanted to say a big thanks for posting this! Cleared up the same issues for us as well. For the record, we no longer had 2008 DCs but most of our policies were created on 2008 DCs and these dual Domain Admin permissions entries remained on our 2012 R2 DCs. It wasn't until we added a 2016 DC that we started seeing the ACL out of sync errors.

    Anyway, thanks again!

    Jacob

    Thursday, March 28, 2019 6:35 PM
  • Thanks, this helped me on a 2012 DC when we added a new 2019 Server Core DC.  For the record the syntax is a bit wrong:

    icacls "{GPO UID}" /grant "<localdomain>\Domain Admins":(OI)(CI)(F)

    should be

    icacls "{GPO UID}" /grant "<localdomain>\Domain Admins:(OI)(CI)(F)"

    Saturday, July 6, 2019 4:57 PM
  • Hi Daniel,

    Really appreciate you sharing this, as it was exactly my issue. In my case all the GPOs were affected, so I created a simple PowerShell script that made the process painless; I thought it worth sharing, as it can be run at a later date to catch any others still created on 2008.

    # Root of the local SYSVOL policies folder and the group that gets the duplicate ACE;
    # replace <DomainName> with the domain's NetBIOS name before running
    $Root     = "C:\Windows\SYSVOL\domain\Policies"
    $Group    = "<DomainName>\Domain Admins"
    $Policies = Get-ChildItem $Root -Name -Filter "{*}"

    foreach ($Policy in $Policies) {
        $Path = Join-Path $Root $Policy
        # Strip every granted ACE for the group (both copies), then put a single one back
        icacls $Path /remove:g $Group
        icacls $Path /grant "${Group}:(OI)(CI)(F)"
        # Print the resulting ACL so the change can be verified
        icacls $Path
    }
    Thanks again :)

    Tuesday, December 17, 2019 10:23 AM
  • Hi Daniel

    Did you run the two icacls commands both on the 2008 server?

    I am asking because I have the exact same problem after demoting two old Windows Server 2008 DCs.

    Now I have one 2008 R2 DC and two new 2019 DCs.

    After executing the commands on the 2008 R2 DC on one TEST-GPO and forcing replication, one of the 2019 DCs is good, the other still has permission issues on this GPO.

    Do I have to run the replication force on the new DCs?

    I will make some tests with another unused GPO, because I tried the command on the TEST-GPO on the still failing 2019 DC before; maybe I made a mistake by doing so...

    Thanks in advance

    Holger

    Edit:

    I still have two problems.

    After doing so (thanks to JShand for the script) the permission sync problems on most of the GPOs were gone, but some of them are still stuck.

    The difference is not really obvious.

    I still have 5 GPOs with SysVol permissions out of sync under "Active Directory". These are "normal" user-created GPOs, which were created long ago on one of the old 2008 DCs (not R2), and 2 GPOs still under "SysVol", which are the "Default Domain Controllers Policy" and "Default Domain Policy", also created long ago on the demoted 2008 (non-R2) DCs.

    Maybe the problem is that I did not yet raise the forest and domain functional level to at least 2008 R2, because first of all I wanted to get rid of these sync problems.

    Has someone else had this problem before?

    I will try some more things and keep this thread updated.

    Edit2:

    I managed to solve the SysVol ACL errors on the Default Domain Controllers Policy and the Default Domain Policy by removing and re-adding "Authenticated Users" to the Security Filtering in the Scope pane.

    Still having the Active Directory ACL errors for the 5 non-default GPOs.

    Last edit, promised ;o))):

    Now I also managed to solve this by editing the security settings on "Authenticated Users" on these GPOs. I had to remove the "Apply group policy" check mark in the advanced settings of the Delegation pane for this group.

    Hope now there will be no other issue...

    Cheers

    Holger

    Friday, January 17, 2020 7:48 AM
  • This works perfectly with server 2019 too if anyone looks this up

    we had MANY GPOs to edit...:(

    Somehow the permissions had filtered from the original 2008 R2 setup through 2012 R2 to 2019 and ultimately this error popped up

    Once again horrible legacy mess!

    Monday, January 20, 2020 4:25 PM
  • Ran into this problem this week and the icacls commands were critical. Thank you!

    We still have 2012 (non-R2) DCs. Is there a patch to remove the duplicate Domain Admins group ACEs or is the patch only for 2012R2? I couldn't find a proper link in this thread. 

    2018.6C (June 21 Rollup)

    Thursday, February 13, 2020 11:00 AM