GPO processing fails
Okay, great. Since event 5308 is referring to uztassrv01.sm.local, we'll shift away from names and onto content.
Can I ask you to copy-and-paste the UNC text from the details in event 1058 in here? I'm old and typing out GUIDs just results in me making lots of mistakes.
What I'm talking about is the text starting with "\\sm.local" and ending with "gpt.ini"
Having the text will make it easier for me to provide you with useful PowerShell commands to run.
Cheers,
Lain
Please find:
\\sm.local\SysVol\sm.local\Policies\{D6735583-A7D1-4988-83C3-75D788D95E7B}\gpt.ini
- LainRobertson, Apr 21, 2022, Silver Contributor
I can't see any issues with that at all - it looks perfectly fine on both the SYSVOL (i.e. the files) and Active Directory sides.
Are there any other errors on the clients? Such as from the System node in Event Viewer? Anything related to NETLOGON, perhaps?
At this stage, it seems more likely that the GPO is only a symptom from something else going wrong, not something being wrong with group policy itself.
I'm assuming that if you use "gpupdate /force" to trigger the error that you can indeed ping uztassrv01.sm.local? There's not actually some sort of connectivity interruption going on?
If you do trigger the error again using "gpupdate /force", here are two more information-gathering commands you can then run on the client from PowerShell straight afterwards.
```powershell
[System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite() | fl Servers, InterSiteTopologyGenerator;
dfsutil /pktinfo
```
I don't think they will tell us anything new but it can't hurt to check.
What we want to see from these commands is that the only server references shown are for uztassrv01.sm.local (at least in the context of SYSVOL references). If any show up for uztassrv02.sm.local then we still have some kind of reference hanging around that we need to find and remove.
Cheers,
Lain
- nikitamobile855, Apr 21, 2022, Brass Contributor
Here is the outcome:
```
[General]
Version=4
displayName=New Group Policy Object

AccessControlType : Allow
IdentityReference : SM\Domain Admins
FileSystemRights  : FullControl

AccessControlType : Allow
IdentityReference : SM\Enterprise Admins
FileSystemRights  : FullControl

AccessControlType : Allow
IdentityReference : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
FileSystemRights  : ReadAndExecute, Synchronize

AccessControlType : Allow
IdentityReference : NT AUTHORITY\Authenticated Users
FileSystemRights  : ReadAndExecute, Synchronize

AccessControlType : Allow
IdentityReference : NT AUTHORITY\SYSTEM
FileSystemRights  : FullControl

AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
FileSystemRights  : FullControl

objectGUID              : ca9334eb-ebf2-409f-9622-8c0c602d8cc5
objectClass             : groupPolicyContainer
cn                      : {D6735583-A7D1-4988-83C3-75D788D95E7B}
displayName             : Biometry
gPCFunctionalityVersion : 2
versionNumber           : 4
gPCFileSysPath          : \\sm.local\SysVol\sm.local\Policies\{D6735583-A7D1-4988-83C3-75D788D95E7B}

AccessControlType     : Allow
IdentityReference     : CREATOR OWNER
ActiveDirectoryRights : CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner

AccessControlType     : Allow
IdentityReference     : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
ActiveDirectoryRights : GenericRead

AccessControlType     : Allow
IdentityReference     : NT AUTHORITY\Authenticated Users
ActiveDirectoryRights : GenericRead

AccessControlType     : Allow
IdentityReference     : NT AUTHORITY\SYSTEM
ActiveDirectoryRights : CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner

AccessControlType     : Allow
IdentityReference     : SM\Domain Admins
ActiveDirectoryRights : CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner

AccessControlType     : Allow
IdentityReference     : SM\Enterprise Admins
ActiveDirectoryRights : CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner

AccessControlType     : Allow
IdentityReference     : NT AUTHORITY\Authenticated Users
ActiveDirectoryRights : ExtendedRight
```
- LainRobertson, Apr 21, 2022, Silver Contributor
Here are five PowerShell commands to run that will provide some useful information on the two halves that make up a group policy object:
- The files on the SYSVOL area of the file system (lines 1 and 2); and
- The data from the Active Directory GPO object (lines 4 to 6).
```powershell
Get-Content -Raw -Path "\\sm.local\SysVol\sm.local\Policies\{D6735583-A7D1-4988-83C3-75D788D95E7B}\gpt.ini";
(Get-Acl -Path "\\sm.local\SysVol\sm.local\Policies\{D6735583-A7D1-4988-83C3-75D788D95E7B}\gpt.ini").Access | fl AccessControlType, IdentityReference, FileSystemRights;

$gpo = Get-ADObject -Filter { (objectClass -like "*") -and (cn -eq "{D6735583-A7D1-4988-83C3-75D788D95E7B}") } -SearchBase "CN=Policies,CN=System,DC=sm,DC=local" -SearchScope OneLevel -Properties *;
$gpo | Select-Object objectGUID, objectClass, cn, displayName, gPCFunctionalityVersion, versionNumber, gPCFileSysPath;
$gpo.nTSecurityDescriptor.Access | fl AccessControlType, IdentityReference, ActiveDirectoryRights;
```
If you get any errors such as "file not found" or "access denied" while running these commands, be sure to let me know as that may be quite relevant.
Cheers,
Lain
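
The two halves described in the post above (the SYSVOL files and the Active Directory GPO object) can be compared mechanically once the five commands have run. The following is an added example, not part of the original thread: `Test-GpoHalves` and its parameter names are hypothetical. It assumes the two version numbers should be equal and that Authenticated Users needs an Allow read entry on both halves, which is what the posted output shows.

```powershell
# Added example: Test-GpoHalves is a hypothetical helper, not a built-in cmdlet.
function Test-GpoHalves {
    param(
        [string]   $GptIniText,   # Get-Content -Raw output for gpt.ini
        [string]   $GptIniPath,   # UNC path from the details of event 1058
        [object[]] $FileAccess,   # (Get-Acl ...).Access
        [object]   $AdObject,     # groupPolicyContainer from Get-ADObject
        [object[]] $AdAccess,     # $gpo.nTSecurityDescriptor.Access
        [string]   $Reader = 'NT AUTHORITY\Authenticated Users'
    )
    # SYSVOL half: pull the Version= value out of the INI text.
    $iniVersion = $null
    if ($GptIniText -match '(?m)^\s*Version\s*=\s*(\d+)\s*$') { $iniVersion = [int]$Matches[1] }

    # Look for an Allow ACE for $Reader with a named read right, on each half separately.
    $isReader = { "$($_.IdentityReference)" -eq $Reader -and "$($_.AccessControlType)" -eq 'Allow' }
    $fileRead = @($FileAccess | Where-Object $isReader |
        Where-Object { "$($_.FileSystemRights)" -match '\b(Read|ReadAndExecute|Modify|FullControl)\b' }).Count -gt 0
    $adRead = @($AdAccess | Where-Object $isReader |
        Where-Object { "$($_.ActiveDirectoryRights)" -match '\b(GenericRead|GenericAll)\b' }).Count -gt 0

    # AD half: gPCFileSysPath should point at the folder that holds gpt.ini.
    $expected = ([string]$AdObject.gPCFileSysPath).TrimEnd('\') + '\gpt.ini'

    [pscustomobject]@{
        IniVersion    = $iniVersion
        AdVersion     = [int]$AdObject.versionNumber
        VersionMatch  = ($null -ne $iniVersion -and $iniVersion -eq [int]$AdObject.versionNumber)
        PathMatch     = ($GptIniPath -ieq $expected)
        ReaderOnFiles = $fileRead
        ReaderOnAd    = $adRead
    }
}

# Sample input constructed from the values posted in this thread, one ACE per half.
# On a live client, pass in the results of the five commands from the post instead.
$policy = '\\sm.local\SysVol\sm.local\Policies\{D6735583-A7D1-4988-83C3-75D788D95E7B}'
$user   = 'NT AUTHORITY\Authenticated Users'
$sample = @{
    GptIniText = "[General]`r`nVersion=4`r`ndisplayName=New Group Policy Object`r`n"
    GptIniPath = "$policy\gpt.ini"
    FileAccess = @([pscustomobject]@{ AccessControlType = 'Allow'; IdentityReference = $user; FileSystemRights = 'ReadAndExecute, Synchronize' })
    AdObject   = [pscustomobject]@{ versionNumber = 4; gPCFileSysPath = $policy }
    AdAccess   = @([pscustomobject]@{ AccessControlType = 'Allow'; IdentityReference = $user; ActiveDirectoryRights = 'GenericRead' })
}
Test-GpoHalves @sample
```

Any `False` in the result points at the half (files or directory object) worth examining first.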