Forum Discussion
GPO processing fails
Hello everyone, I have recently figured out that gpupdate /force command on any machine leads to an error Event Viewer shows up 1058 error messages related to gpt.ini access Previou...
Event ID 5308 isn't an error, it's an information event in the "Applications and Services Logs/Microsoft/Windows/GroupPolicy/Operational" node.
I dropped a screenshot two replies up that shows an example of one from my environment.
It'd be highly unusual to not find a 5308 information event.
Cheers,
Lain
I can't see any issues with that at all - it's looks perfectly fine on both the SYSVOL (i.e. the files) and Active Directory sides.
Are there any other errors on the clients? Such as from the System node in Event Viewer? Anything related to NETLOGON, perhaps?
At this stage, it seems more likely that the GPO is only a symptom from something else going wrong, not something being wrong with group policy itself.
I'm assuming that if you use "gpupdate /force" to trigger the error that you can indeed ping uztassrv01.sm.local? There's not actually some sort of connectivity interruption going on?
If you do trigger the error again using "gpupdate /force", here's two more information-gathering commands you can then run on the client from PowerShell straight afterwards.
[System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite() | fl Servers, InterSiteTopologyGenerator; dfsutil /pktinfoI don't think they will tell us anything new but it can't hurt to check.
What we want to see from these commands is that the only server references shown are for uztassrv01.sm.local (at least in the context of SYSVOL references). If any show up for uztassrv02.sm.local then we still have some kind of reference hanging around that we need to find and remove.
Cheers,
Lain
here is the outcome:
[General] Version=4 displayName=New Group Policy Object AccessControlType : Allow IdentityReference : SM\Domain Admins FileSystemRights : FullControl AccessControlType : Allow IdentityReference : SM\Enterprise Admins FileSystemRights : FullControl AccessControlType : Allow IdentityReference : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS FileSystemRights : ReadAndExecute, Synchronize AccessControlType : Allow IdentityReference : NT AUTHORITY\Authenticated Users FileSystemRights : ReadAndExecute, Synchronize AccessControlType : Allow IdentityReference : NT AUTHORITY\SYSTEM FileSystemRights : FullControl AccessControlType : Allow IdentityReference : BUILTIN\Administrators FileSystemRights : FullControl objectGUID : ca9334eb-ebf2-409f-9622-8c0c602d8cc5 objectClass : groupPolicyContainer cn : {D6735583-A7D1-4988-83C3-75D788D95E7B} displayName : Biometry gPCFunctionalityVersion : 2 versionNumber : 4 gPCFileSysPath : \\sm.local\SysVol\sm.local\Policies\{D6735583-A7D1-4988-83C3-75D788D95E7B} AccessControlType : Allow IdentityReference : CREATOR OWNER ActiveDirectoryRights : CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner AccessControlType : Allow IdentityReference : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : NT AUTHORITY\Authenticated Users ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : NT AUTHORITY\SYSTEM ActiveDirectoryRights : CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner AccessControlType : Allow IdentityReference : SM\Domain Admins ActiveDirectoryRights : CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner AccessControlType : Allow IdentityReference : SM\Enterprise Admins ActiveDirectoryRights : CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner AccessControlType : Allow IdentityReference : NT AUTHORITY\Authenticated Users ActiveDirectoryRights : ExtendedRightHere's five PowerShell commands to run that will provide some useful information on the two halves that make up a group policy object:
- The files on the SYSVOL area of the file system (lines 1 and 2); and
- The data from the Active Directory GPO object (lines 4 to 6).
Get-Content -Raw -Path "\\sm.local\SysVol\sm.local\Policies\{D6735583-A7D1-4988-83C3-75D788D95E7B}\gpt.ini"; (Get-Acl -Path "\\sm.local\SysVol\sm.local\Policies\{D6735583-A7D1-4988-83C3-75D788D95E7B}\gpt.ini").Access | fl AccessControlType, IdentityReference, FileSystemRights; $gpo = Get-ADObject -Filter { (objectClass -like "*") -and (cn -eq "{D6735583-A7D1-4988-83C3-75D788D95E7B}") } -SearchBase "CN=Policies,CN=System,DC=sm,DC=local" -SearchScope OneLevel -Properties *; $gpo | Select-Object objectGUID, objectClass, cn, displayName, gPCFunctionalityVersion, versionNumber, gPCFileSysPath; $gpo.nTSecurityDescriptor.Access | fl AccessControlType, IdentityReference, ActiveDirectoryRights;If you get any errors such as "file not found" or "access denied" while running these commands, be sure to let me know as that may be quite relevant.
Cheers,
Lain
Please find:
\\sm.local\SysVol\sm.local\Policies\{D6735583-A7D1-4988-83C3-75D788D95E7B}\gpt.ini
Okay, great. Since event 5308 is referring to uztassrv01.sm.local, we'll shift away from names and onto content.
Can I ask you to copy-and-paste the UNC text from the details in event 1058 in here? I'm old and typing out GUIDs just results in me making lots of mistakes.
What I'm talking about is the text starting with "\\sm.local" and ending with "gpt.ini"
Having the text will make it easier for me to provide you with useful PowerShell commands to run.
Cheers,
Lain
Here is the outcome:
May be it also worth mentioning that every view minutes there appears 5504 event mentioning different internal dynamic addresses
Also, since UZTASSVR02 keeps popping up, it might pay to find and delete any orphaned DNS records - particularly those that play an important role in service discovery.
Here's three commands that will help you find any orphaned DNS records belonging to UZTASSVR02:
# Look for orphaned service locator records. Get-DnsServerResourceRecord -ComputerName uztassrv01.sm.local -ZoneName _msdcs.sm.local -RRType SRV | Where-Object { $_.RecordData.DomainName -like "uztassrv02*" } # Look for orphaned AD replication locator records. Get-DnsServerResourceRecord -ComputerName uztassrv01.sm.local -ZoneName _msdcs.sm.local -RRType CNAME | Where-Object { $_.RecordData.HostNameAlias -like "uztassrv02*" } # Look for orphaned name server records. Get-DnsServerResourceRecord -ComputerName uztassrv01.sm.local -ZoneName sm.local -RRType NS | Where-Object { $_.RecordData.NameServer -like "uztassrv02*" }Cheers,
Lain
Okay, that's great news and really helpful.
The one you've found seems to be a few days recent than your error, which was from the 15th. Are you able to find one from the same timestamp as an error?
It doesn't have to be from the 15th. If you have more recent errors, that's fine, just have a look and see if you can find the matching event 5308.
If you know how to "filter" the "GroupPolicy/Operational" node, then it will be easier for you to find a matching pair if you filter on events 1058 and 5308 as shown below.
If the server is still showing up as uztassrv01.sm.local then it may not be name-related - we're just checking the basics at the moment.
If we find it's not related to names then we can shift our focus over to the actual files, and check things like permissions and even that the files themselves do actually exist (GPO's definitely going to fail if the files don't exist!)
Cheers,
Lain
