Forum Discussion
GPO processing fails
Here's five PowerShell commands to run that will provide some useful information on the two halves that make up a group policy object:
- The files on the SYSVOL area of the file system (lines 1 and 2); and
- The data from the Active Directory GPO object (lines 4 to 6).
Get-Content -Raw -Path "\\sm.local\SysVol\sm.local\Policies\{D6735583-A7D1-4988-83C3-75D788D95E7B}\gpt.ini";
(Get-Acl -Path "\\sm.local\SysVol\sm.local\Policies\{D6735583-A7D1-4988-83C3-75D788D95E7B}\gpt.ini").Access | fl AccessControlType, IdentityReference, FileSystemRights;
$gpo = Get-ADObject -Filter { (objectClass -like "*") -and (cn -eq "{D6735583-A7D1-4988-83C3-75D788D95E7B}") } -SearchBase "CN=Policies,CN=System,DC=sm,DC=local" -SearchScope OneLevel -Properties *;
$gpo | Select-Object objectGUID, objectClass, cn, displayName, gPCFunctionalityVersion, versionNumber, gPCFileSysPath;
$gpo.nTSecurityDescriptor.Access | fl AccessControlType, IdentityReference, ActiveDirectoryRights;
If you get any errors such as "file not found" or "access denied" while running these commands, be sure to let me know as that may be quite relevant.
Cheers,
Lain
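An added example that is not from Lain's post or from anyone in this thread: a PowerShell function that automates the comparison of the two halves described above. It reads the Version= value from gpt.ini on SYSVOL and versionNumber from the groupPolicyContainer object, splits the version into its user and computer counters, and checks that the reader principal (Authenticated Users by default) holds read access on both halves. The function name, parameter names and the default reader identity are my assumptions; the GUID and domain in the trailing call are the ones from this thread, and the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example, not part of the original post. Assumes the RSAT ActiveDirectory module
# and read access to SYSVOL; function and parameter names are assumptions.
function Test-GpoHalves {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$GpoGuid,     # e.g. '{D6735583-A7D1-4988-83C3-75D788D95E7B}'
        [Parameter(Mandatory)][string]$DomainDns,   # e.g. 'sm.local'
        [string]$ReaderIdentity = 'NT AUTHORITY\Authenticated Users'   # principal that must read both halves
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    $domainDn   = 'DC=' + (($DomainDns -split '\.') -join ',DC=')
    $searchBase = "CN=Policies,CN=System,$domainDn"
    $gptIniPath = "\\$DomainDns\SysVol\$DomainDns\Policies\$GpoGuid\gpt.ini"

    # Active Directory half: the groupPolicyContainer object under CN=Policies
    $gpc = Get-ADObject -Filter "cn -eq '$GpoGuid'" -SearchBase $searchBase -SearchScope OneLevel `
               -Properties displayName, versionNumber, gPCFileSysPath, nTSecurityDescriptor
    if (-not $gpc) { throw "No groupPolicyContainer named $GpoGuid under $searchBase" }

    # SYSVOL half: gpt.ini carries a Version=<n> line in its [General] section
    $ini = Get-Content -Raw -Path $gptIniPath -ErrorAction Stop
    if ($ini -notmatch '(?m)^Version=(\d+)\s*$') { throw "No Version= line in $gptIniPath" }
    $sysvolVersion = [int]$Matches[1]
    $adVersion     = [int]$gpc.versionNumber

    # Both version fields pack two 16-bit counters: user settings in the high word,
    # computer settings in the low word. Clients compare the two halves before applying.
    $userVersion     = ($adVersion -shr 16) -band 0xFFFF
    $computerVersion = $adVersion -band 0xFFFF

    # Does the reader principal hold an Allow ACE that includes ReadData on the file...
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    $fsRead = (Get-Acl -Path $gptIniPath).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $ReaderIdentity -and
        (([int]$_.FileSystemRights -band $readData) -eq $readData)
    }
    # ...and an Allow ACE carrying all of GenericRead on the AD object?
    $genericRead = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericRead
    $adRead = $gpc.nTSecurityDescriptor.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $ReaderIdentity -and
        (([int]$_.ActiveDirectoryRights -band $genericRead) -eq $genericRead)
    }

    [pscustomobject]@{
        DisplayName         = $gpc.displayName
        SysvolVersion       = $sysvolVersion
        AdVersion           = $adVersion
        VersionsMatch       = ($sysvolVersion -eq $adVersion)
        UserVersion         = $userVersion
        ComputerVersion     = $computerVersion
        FileSysPathMatches  = ($gpc.gPCFileSysPath -eq (Split-Path -Path $gptIniPath -Parent))
        ReaderHasSysvolRead = [bool]$fsRead
        ReaderHasAdRead     = [bool]$adRead
    }
}

# The GUID and domain from this thread
Test-GpoHalves -GpoGuid '{D6735583-A7D1-4988-83C3-75D788D95E7B}' -DomainDns 'sm.local' | Format-List
```

A client only applies a GPO whose SYSVOL and AD versions agree and whose ACLs let the applying principal read both parts, so VersionsMatch, ReaderHasSysvolRead and ReaderHasAdRead all being True is the baseline to confirm before looking elsewhere. The version split is useful when only one of the two counters has moved, which tells you which side of the policy was last edited.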
Here is the outcome:
[General]
Version=4
displayName=New Group Policy Object
AccessControlType : Allow
IdentityReference : SM\Domain Admins
FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : SM\Enterprise Admins
FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
FileSystemRights : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : NT AUTHORITY\Authenticated Users
FileSystemRights : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : NT AUTHORITY\SYSTEM
FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : BUILTIN\Administrators
FileSystemRights : FullControl
objectGUID : ca9334eb-ebf2-409f-9622-8c0c602d8cc5
objectClass : groupPolicyContainer
cn : {D6735583-A7D1-4988-83C3-75D788D95E7B}
displayName : Biometry
gPCFunctionalityVersion : 2
versionNumber : 4
gPCFileSysPath : \\sm.local\SysVol\sm.local\Policies\{D6735583-A7D1-4988-83C3-75D788D95E7B}
AccessControlType : Allow
IdentityReference : CREATOR OWNER
ActiveDirectoryRights : CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner
AccessControlType : Allow
IdentityReference : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
ActiveDirectoryRights : GenericRead
AccessControlType : Allow
IdentityReference : NT AUTHORITY\Authenticated Users
ActiveDirectoryRights : GenericRead
AccessControlType : Allow
IdentityReference : NT AUTHORITY\SYSTEM
ActiveDirectoryRights : CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner
AccessControlType : Allow
IdentityReference : SM\Domain Admins
ActiveDirectoryRights : CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner
AccessControlType : Allow
IdentityReference : SM\Enterprise Admins
ActiveDirectoryRights : CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner
AccessControlType : Allow
IdentityReference : NT AUTHORITY\Authenticated Users
ActiveDirectoryRights : ExtendedRight
Lain Robertson, Apr 21, 2022 (Silver Contributor)
I can't see any issues with that at all - it looks perfectly fine on both the SYSVOL (i.e. the files) and Active Directory sides.
Are there any other errors on the clients? Such as from the System node in Event Viewer? Anything related to NETLOGON, perhaps?
At this stage, it seems more likely that the GPO is only a symptom from something else going wrong, not something being wrong with group policy itself.
I'm assuming that if you use "gpupdate /force" to trigger the error, you can indeed ping uztassrv01.sm.local? There's not actually some sort of connectivity interruption going on?
If you do trigger the error again using "gpupdate /force", here's two more information-gathering commands you can then run on the client from PowerShell straight afterwards.
[System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite() | fl Servers, InterSiteTopologyGenerator
dfsutil /pktinfo
I don't think they will tell us anything new but it can't hurt to check.
What we want to see from these commands is that the only server references shown are for uztassrv01.sm.local (at least in the context of SYSVOL references). If any show up for uztassrv02.sm.local then we still have some kind of reference hanging around that we need to find and remove.
Cheers,
Lain
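An added example that is not from Lain's post or from anyone in this thread: it automates the check Lain describes above by parsing the referral cache that "dfsutil /pktinfo" prints and flagging any SYSVOL or NETLOGON target that is not one of the servers you expect, alongside the list of domain controllers the client believes serve its site. The function and parameter names are my assumptions, and the sample text in the block is constructed to mirror the layout dfsutil prints (a healthy referral to uztassrv01.sm.local and a lingering target for uztassrv02.sm.local); it is not output captured from the poster's client.

```powershell
# Added example, not part of the original post. Parses the referral cache printed by
# "dfsutil /pktinfo" and flags SYSVOL/NETLOGON targets that are not an expected server.
# Function and parameter names are assumptions; the sample text below is constructed.
function Find-UnexpectedReferralTargets {
    [CmdletBinding()]
    param(
        [string[]]$PktText,                                  # lines of "dfsutil /pktinfo"; captured live if omitted
        [Parameter(Mandatory)][string[]]$ExpectedServers,    # e.g. 'uztassrv01.sm.local'
        [string[]]$Shares = @('SysVol', 'NETLOGON')          # only these share names are examined
    )
    if (-not $PktText) { $PktText = & dfsutil /pktinfo 2>&1 | ForEach-Object { "$_" } }

    $entry = $null
    foreach ($line in $PktText) {
        if ($line -match '^\s*Entry:\s*(\S+)') { $entry = $Matches[1]; continue }
        # Target lines look like "   0:[\server\share] AccessStatus: 0 ( ACTIVE TARGETSET )"
        if ($line -match '^\s*\d+:\[\\{1,2}([^\\\]]+)\\([^\]]+)\]\s*(.*)$') {
            $server = $Matches[1]; $share = $Matches[2]; $status = $Matches[3]
            if ($Shares -notcontains $share) { continue }     # -contains compares case-insensitively
            [pscustomobject]@{
                Entry    = $entry
                Server   = $server
                Share    = $share
                Status   = $status
                Expected = ($ExpectedServers -contains $server)
            }
        }
    }
}

# Domain controllers the client believes serve its AD site (the first of the two commands above)
function Get-SiteServerNames {
    [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Servers |
        ForEach-Object { $_.Name }
}

# Constructed sample: one healthy referral and one lingering target for a server that
# should no longer be referenced
$sample = @(
    'Entry: \sm.local\SysVol',
    'ShortEntry: \sm.local\SysVol',
    'Expires in 300 seconds',
    'UseCount: 0 Type:0x81 ( REFERRAL_SVC DFS )',
    '   0:[\uztassrv01.sm.local\SysVol] AccessStatus: 0 ( ACTIVE TARGETSET )',
    '   1:[\uztassrv02.sm.local\SysVol] AccessStatus: 0xc00000be ( TARGETSET )',
    'Entry: \sm.local\NETLOGON',
    'ShortEntry: \sm.local\NETLOGON',
    'Expires in 300 seconds',
    'UseCount: 0 Type:0x81 ( REFERRAL_SVC DFS )',
    '   0:[\uztassrv01.sm.local\NETLOGON] AccessStatus: 0 ( ACTIVE TARGETSET )'
)
$targets = Find-UnexpectedReferralTargets -PktText $sample -ExpectedServers 'uztassrv01.sm.local'
$targets | Format-Table -AutoSize
$stale = $targets | Where-Object { -not $_.Expected }
if ($stale) {
    Write-Warning ('Unexpected referral target(s): ' + (($stale.Server | Sort-Object -Unique) -join ', '))
}
```

Run it without -PktText on the affected client straight after "gpupdate /force" to parse the live cache; any row with Expected set to False is a referral the client is still being handed for a server it should not be using, which is exactly the kind of hanging reference the post above asks you to look for. Get-SiteServerNames gives you the site's domain controller list to compare against in the same session.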