GPO Nightmare

mayberts · 2012-07-06T01:20:29.000Z

Hi all,

I have been having some problems with my group policies this week and I have no idea how to trouble shot this one.

I get the below error in the event log, event ID 1058, now the gpt.ini file in question does not exist and the folder {9CF5BDF2-5B54-4628-9C16-1426435B06EE} does not exist.

Has anyone seen this before?

The processing of Group Policy failed. Windows attempted to read the file \DOMAIN.LOCAL\SysVol\DOMAIN.LOCAL\Policies{9CF5BDF2-5B54-4628-9C16-1426435B06EE}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

keithlawrence3 · 2012-07-06T01:40:21.000Z

Might be a replication issue between your DCs- if sysvol replication is not working correctly then the GPO will not replicate itself to your other DC. and appear to be missing on some.

Try running a gpresult on the client and see if it shows up anything out of the ordinary.

mayberts · 2012-07-06T01:46:16.000Z

this is the only thing that concerns me

The following GPOs were not applied because they were filtered out

Default Domain Policy
Filtering: Disabled (Link)

Local Group Policy
Filtering: Not Applied (Empty)

keithlawrence3 · 2012-07-06T01:56:24.000Z

Normally seeing "Default Domain Policy"gpo as disabled would set off alarm bells in my head, unless you have created a copy of the policy and have it under another name.

If you dont, you may need to re-enable it in the gpo management console. Bear in mind though, if it has been disabled for a reason, then turning it back on again may cause futher problems. Have a look at the content of the gpo first and make sure there is nothing unexpected in there.

Im not sure that will fix your original issue however but its worth getting it sorted nonetheless

mayberts · 2012-07-06T02:00:14.000Z

thanks, I have enabled the link, now I get this

The following GPOs were not applied because they were filtered out

Default Domain Policy
Filtering: Not Applied (Unknown Reason)

keithlawrence3 · 2012-07-06T02:19:37.000Z

What about your sysvol replication, is it working correctly?

A good tool for checking domain health is the (now defunct but still useful) It Environment Health Scanner - http://www.microsoft.com/en-us/download/details.aspx?id=10116

mayberts · 2012-07-06T03:02:14.000Z

I get this, the reset were skipped

Servers can be queried using DNS
Error: DNS query access failed for DNS server PRINTSERVER.DOMAIN.LOCAL

mayberts · 2012-07-06T04:13:20.000Z

Thanks Keith, that has help me solve a DNS issue, I still have a GPO issue and the SYSVOL is fine

File Replication and SYSVOL Administration Completed
The File Replication Service and the DFS Replication services are running
Completed
Domain controller replicates within the timeout threshold
Completed
Sufficient free space exists on the SYSVOL partition
Completed
Sufficient free space exists for the SYSVOL staging folder
Completed
Domain controllers do not have morphed folders
Completed
SYSVOL staging area has sufficient free space
Completed
SYSVOL local path can be read from the registry.
Completed

keithlawrence3 · 2012-07-06T04:31:23.000Z

Is this happening on all clients in your domain?

mayberts · 2012-07-06T06:13:51.000Z

yep, even on clean builds

keithlawrence3 · 2012-07-06T06:23:53.000Z

I think you need to get in someone with AD experience to help you with this. It could be caused by any number of issues and will take a fair bit of testing.

You could start running netdiag/dcdiag and repadmin to do further testing but im afraid I don’t have the time to help you pull apart the logs etc.

Worst case, you could restore the affected GPOs from your GPO backups and see if that makes any difference or worst worst case you could do a system state restore to a known good time.

But do seek experienced help with this if you aren’t sure.

Hope you get it sorted out.

mayberts · 2012-07-06T06:27:55.000Z

thanks for your help and advice Keith

mayberts · 2012-07-06T06:53:49.000Z

if I try and view the default domain policy settings I get this error

kyleeaston2668 · 2012-07-06T09:52:20.000Z

Does clicking OK resolve the issue? It’s supposed to automatically fix the ACLs.

I found this article, which does still apply to server 2008.

learn.microsoft.com

Errors when you run GPMC - Windows Server

Provides help to fix errors that occur when you run Group Policy Management Console (GPMC).

mayberts · 2012-07-09T01:43:05.000Z

NO, the error message just reappears, I have just found out how to restore the individual GPO’s and everything is working again

ivan16 · 2013-05-17T08:08:57.000Z

Would you share your solution ??

I have 10 GPO and all of them apply bud then I run gpupdate on every PC i get 1058

C:\Users\USER>gpupdate
Updating Policy…

User policy could not be updated successfully. The following errors were encount
ered:

The processing of Group Policy failed. Windows attempted to read the file \otp.
local\SysVol\otp.local\Policies{08579D74-45E4-4750-BB5C-D420AE57803C}\gpt.ini f
rom a domain controller and was not successful. Group Policy settings may not be
applied until this event is resolved. This issue may be transient and could be
caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller
has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

Everything works fine (even this one gpo in the error)