Group Policy Error

Hi All,
While creating and modifying the Group Policy, we have received a error on one of the DC.
Background: We have created one Group policy for testing, some of settings were not visible, so couple of time we have edited the group policy to take the proper settings.
Please refer the attached error, and suggest us.
NOTE: the group policy was created and edited via AGPM
Thanks
Thanks HA

> Please refer the attached error, and suggest us.
Check ACLs on the sysvol folder of your policy. Usually, this is an
orphaned ACL for authenticated users with only the "sync" right enabled.
GPMC fails to update this.
As a quick workaround: In the security filtering of your GPO, simply add
authenticated users, confirm and remove them again.
Martin
Mal ein
GUTES Buch über GPOs lesen?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :))

Similar Messages

Group Policy error 1112 - Drive Maps

Hi everyone
We are getting hundreds of these alerts from SCOM every day from multiple 2008 R2 terminal servers:
Alert from Operations Manager 2007:
Alert description: The Group Policy Client Side Extension Group Policy Drive Maps was unable to apply one or more settings because the changes must be processed before system startup or user logon. The system will wait for Group Policy processing to finish
completely before the next startup or logon for this user, and this may result in slow startup and boot performance.
Looking on the Server itself in the System log I see these entries for every time a user logs onto the server (via RemoteApp)
Log Name: System
Source: Microsoft-Windows-GroupPolicy
Date: 15/03/2012 2:23:58 p.m.
Event ID: 1112
Task Category: None
Level: Warning
Keywords:
User: HOT\xxxxxx
Computer: HOTAKLRD01.hot.co.nz
Description:
The Group Policy Client Side Extension Group Policy Drive Maps was unable to apply one or more settings because the changes must be processed before system startup or user logon. The system will wait for Group Policy processing to finish completely before the
next startup or logon for this user, and this may result in slow startup and boot performance.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
<EventID>1112</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>1</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2012-03-15T01:23:58.350306600Z" />
<EventRecordID>57243</EventRecordID>
<Correlation ActivityID="{651EFA61-7FA8-4444-9E68-81D0F82DEFE4}" />
<Execution ProcessID="900" ThreadID="22780" />
<Channel>System</Channel>
<Computer>HOTAKLRD01.hot.co.nz</Computer>
<Security UserID="S-1-5-21-1288906317-135625827-1544898942-500" />
</System>
<EventData>
<Data Name="SupportInfo1">1</Data>
<Data Name="SupportInfo2">3961</Data>
<Data Name="ProcessingMode">1</Data>
<Data Name="ProcessingTimeInMilliseconds">4656</Data>
<Data Name="ErrorCode">1274</Data>
<Data Name="ErrorDescription">The group policy framework should call the extension in the synchronous foreground policy refresh. </Data>
<Data Name="DCName">\\HOTAKL31.hot.co.nz</Data>
<Data Name="ExtensionName">Group Policy Drive Maps</Data>
<Data Name="ExtensionId">{5794DAFD-BE60-433f-88A2-1A31939AC01F}</Data>
</EventData>
</Event>
However it each case the user still gets their drive mapping!
I've this only occurs with Drive Map GP Preference -I've even taken a user out of all policies except for a new test drive map policy and they still get this error. I've applied the hotfix that should be the latest version of the GP dll's (KB2622802) but
the error remains. I've tried all options within the GPP for Drive Maps - Update, Replace etc,
Should I just override the OpsMgr alerts? It seems like this is a bug with 2008 server and GP Drive Map Preferences?
Any ideas would be appreciated
Thanks
Rik

> *"Note: For servers, the startup and logon processing always behaves
> as if this policy setting is enabled."*
>
> **
>
> **
>
> **
>
> **
>
> **
>
I must admit that I never used Drive Maps on a Server (-: Maybe this is
a bug in the Drive Maps CSE... If it bothers: Set NoBackgroundPolicy
(REG_DWORD) to 1 in HKLM\Software\Microsoft\Windows
NT\CurrentVersion\WinLogon\GPExtensions\
{5794DAFD-BE60-433f-88A2-1A31939AC01F}. This will prevent the Drive Maps
CSE from being invoked during background GP updates.
sincerely, martin
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!

Server giving group policy error 4098

I have been developing group policies to replace our login script. The policy copies many files over from a shared network drive. On many of the policies I have set it to run in the local user's security context so that the GP will pick up the
drive letters (they are different depending on the office). On one server in a remote office where the Group Policy is not applied I keep getting errors every time I enable the policies in a separate test OU. It does not make any sense to me as
the policies should not apply to this server, the server is not a domain controller, and I did not login to this server under my user account.
Here is an example of the errors (there are hundreds of similar errors):
The user 'Worksharing Monitor for Autodesk Revit 2011.lnk' preference item in the 'New Cadd {184A655E-D801-4589-AAF4-37788F771193}' Group Policy object did not apply because it failed with error code '0x80070002 The system cannot find the file specified.'
This error was suppressed.
The user 'AutoCAD 2011 - English.lnk' preference item in the 'New Cadd {184A655E-D801-4589-AAF4-37788F771193}' Group Policy object did not apply because it failed with error code '0x80070002 The system cannot find the file specified.' This error was suppressed.
Any ideas?
Thanks!

Hi,
You cannot the computer configuration policies to users. Please first of all , provide a new policy in the user configuration - shortcut" , and move the users that applying the shortcut policies to related OU. And gpupdate -- try again.
Thanks.
Alper YAZGAN *

Group Policy Error on WS 2012 Standard R2

Hi,
Is there anybody experiencing below given error messages ? Its coming to some of the terminal users and is not consistent. At that point of time they cant open mapped drives from the RDWEB session.
There are no known DNS issues, UAC is disabled.
The user 'P:' preference item in the 'Drive Maps Policy {94C23C7F-2EF8-4CA1-B3DF-C0CAF937EDE2}' Group Policy Object did not apply because it failed with error code '0x800704b8 An extended error has occurred.' This error was suppressed.
Log Name: Application
Source: Group Policy Drive maps
Event ID: 4098
Level: Warning
--------ANOTHER ERROR MESSAGE ------------
The user 'X:' preference item in the 'Drive Maps Policy {94C23C7F-2EF8-4CA1-B3DF-C0CAF937EDE2}' Group Policy Object did not apply because it failed with error code '0x80070008 Not enough storage is available to process this command.' This error was suppressed.
Log Name: Application
Source: Group Policy Drive maps
Event ID: 4098
Level: Warning
I can't find any error message related to DNS in event viewer, all records look good to me.

Hi，
As I go through the .xml logs, nothing special was detected.
Would you please let me the file server's hardware configuration and how is the server's performance?
Besides that, could you please ask user to try on another pc and check if the problem still occurs.
Then we may able to narrow down the scope for troubleshooting.
Thanks and regards,
Elaine
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

Lock Screen Group Policy - Error code 0X80070002

Hi
I'm trying to update the workstation policy (2008R2) to show a new Lock Screen for our users.
I have two policies:
-Windows 7 Workstation Policy
-Windows 8.1 Workstation Policy
It was no problem for our Windows 7 machines.
Windows 8.1 however wouldn't change.
The picture downloads successfully to the client directory I specified in the policy, resolution and size are ok.
I've tried deleting the sysdata folder on test machines (This left me with a blue lock screen, but still better than what they chose ;)
I've tried default and unique filenames, and different folder locations under 'Force A Specific Lock Screen'
I've disabled/enabled 'Force a Specific Lock Screen'
I came across this warning on the client test machine:
The computer 'backgroundDefault.jpg' preference item in the 'Win8.1 Policy}' Group Policy Object did not apply because it failed with error code '0x80070002 The system cannot find the file specified.' This error was suppressed

Hi ,
Can you please post the gpresult report here? And also ensure there is no policy processing failure in the problematic machines. That you can verify by seeing the gpsvc logs.
Regards, Prabhu

Group policy error: Failed to open group policy object on this computer.

Hi all,
I received this message when i tried to look at the local group policy setting on one of my machines (Windows XP SP3), which is joined in my domain.
"Failed to open group policy object on this computer. You may not have appropriate rights.
Details:
Unspecified error."
note that I am local admin.
It's all started when I was troublshooting WSUS connectivity and i looked at the WinsdowsUpdate.log, the WSUS server was <Null> & WSUS status server <Null>, I tried to force the domain GP by using GPupdate /force, it went fine and asked to
log off, but nothing changed in the WindowsUpdate.log still <Null>. Then i tried to look at the local policy setting.
I searched the internet nothing related to my case.
Thanks in advance for advising.
Mohammed Adel

I guess reinstall windows is the solution, I also found one log "event id 1096", related to "registry.pol" it was corrupted.
Regards,
Mohammed Adel

REIMS application Group policy error

Hi all,
We r getting the error 'Group policy processing aborted' in REIMS application event log on EDI server.Plz help me out if any one has any light on this.
Thanks in advance.
Sap Basis.

Hi，
As I go through the .xml logs, nothing special was detected.
Would you please let me the file server's hardware configuration and how is the server's performance?
Besides that, could you please ask user to try on another pc and check if the problem still occurs.
Then we may able to narrow down the scope for troubleshooting.
Thanks and regards,
Elaine
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

Printers working, but getting group policy error (error 513)

Ok great, I'll let you know how it goes.

Hi all,I've got a print server role running on a Server 2012 VM. It was working great until a few days ago until one of the printers went offline. I restarted the print spooler (no effect), then restarted the server (brought the printer back online). Since then, I've been receiving these errors for all three printers we have on this server:Error ID: 513Source: Microsoft-Windows-PrintServiceMessage: Group Policy was unable to add per computer connection \\___\\Copier Konica Minolta C360 PCL. Error code 0x7B. This can occur if the name of the printer connection is incorrect, or if the print spooler cannot contact the print server.The printer names did not change, and since the printers are working, it seems that the spooler is working. I also tried updating the drivers through print management (there is a new version of the driver...
This topic first appeared in the Spiceworks Community

Group Policy Errors

Hello
I have an installation of Server 2012R2 as my DC. I am trying to setup GP for users to provide settings for IE10/11. I am not finding all of the options and I keep receiving an error about the admx file.
An error has occurred while collecting data for Administrative Templates.
The following errors were encountered:
Resource '$(string.VerMgmtAuditModeEnable)' referenced in attribute displayName could
not be found. File C:\Windows\PolicyDefinitions\inetres.admx, line 1495, column 249
I downloaded the file from MS and tried copying it to that directory in an elevated command prompt and it says I dont have permission to do that. I looked and it seems that everything is only read/execute with no modify ability. So I was going to try creating
a central store on SYSVOL per a suggestion on another forum, but I cant create a folder in SYSVOL\Policies because only the SYSTEM has modify rights.
I am logged in as a Domain Admin user. How am I supposed to fix my GP issues if I dont have the "right" to do it?
All suggestions will be appreciated.
Thank you in advance

Hello
I have an installation of Server 2012R2 as my DC. I am trying to setup GP for users to provide settings for IE10/11. I am not finding all of the options and I keep receiving an error about the admx file.
An error has occurred while collecting data for Administrative Templates.
The following errors were encountered:
Resource '$(string.VerMgmtAuditModeEnable)' referenced in attribute displayName could
not be found. File C:\Windows\PolicyDefinitions\inetres.admx, line 1495, column 249
I downloaded the file from MS and tried copying it to that directory in an elevated command prompt and it says I dont have permission to do that. I looked and it seems that everything is only read/execute with no modify ability. So I was going to try creating
a central store on SYSVOL per a suggestion on another forum, but I cant create a folder in SYSVOL\Policies because only the SYSTEM has modify rights.
I am logged in as a Domain Admin user. How am I supposed to fix my GP issues if I dont have the "right" to do it?
All suggestions will be appreciated.
Thank you in advance
please refer to:
https://social.technet.microsoft.com/Forums/en-US/bac54114-54d7-472b-969d-9b08f28dbba9/error-when-selecting-administrative-template-in-any-gpo?forum=winserverGP
Don
(Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

Group Policy processing failure on 2008 when MIX Domain 2003 with DC 2008

Dear I try to add additional Windows 2008 Domain to My Domain controller 2003 and I ma Receiving Group policy error in DC 2008 With Event ID 1055
The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
<EventID>1055</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>1</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2014-03-06T14:36:44.411955300Z" />
<EventRecordID>3859</EventRecordID>
<Correlation ActivityID="{28DAD258-26D0-4C1E-A4B7-F37DEE04C8F1}" />
<Execution ProcessID="952" ThreadID="3276" />
<Channel>System</Channel>
<Computer>PRIMARYDC.Qtit.com</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="SupportInfo1">1</Data>
<Data Name="SupportInfo2">1632</Data>
<Data Name="ProcessingMode">0</Data>
<Data Name="ProcessingTimeInMilliseconds">1578</Data>
<Data Name="ErrorCode">5</Data>
<Data Name="ErrorDescription">Access is denied.</Data>
</EventData>
</Event>
I install See KB939820 for a hotfix applicable to Microsoft DC 2003 regrading to he KRBTGT account
Refer Url : http://support.microsoft.com/kb/939820
I run dcdiag /v on and repadmin /showrepl at DC 2008
the dcdiag /v result
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
* Verifying that the local machine PRIMARYDC, is a Directory Server.
Home Server = PRIMARYDC
* Connecting to directory service on server PRIMARYDC.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=Qtit,DC=com,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Qtit,DC=com
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=Qtit,DC=com,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=SECONDAD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Qtit,DC=com
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=PRIMARYDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Qtit,DC=com
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\PRIMARYDC
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
......................... PRIMARYDC passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\PRIMARYDC
Starting test: Advertising
The DC PRIMARYDC is advertising itself as a DC and having a DS.
The DC PRIMARYDC is advertising as an LDAP server
The DC PRIMARYDC is advertising as having a writeable directory
The DC PRIMARYDC is advertising as a Key Distribution Center
The DC PRIMARYDC is advertising as a time server
The DS PRIMARYDC is advertising as a GC.
......................... PRIMARYDC passed test Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Starting test: FrsEvent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
A warning event occurred. EventID: 0x800034C8
Time Generated: 03/06/2014 10:18:56
Event String:
The File Replication Service has detected an enabled disk write cache on the drive containing the directory c:\windows\ntfrs\jet on the computer PRIMARYDC. The File Replication Service might not recover when power to
the drive is interrupted and critical updates are lost.
A warning event occurred. EventID: 0x800034C8
Time Generated: 03/06/2014 10:53:21
Event String:
The File Replication Service has detected an enabled disk write cache on the drive containing the directory c:\windows\ntfrs\jet on the computer PRIMARYDC. The File Replication Service might not recover when power to
the drive is interrupted and critical updates are lost.
......................... PRIMARYDC passed test FrsEvent
Starting test: DFSREvent
The DFS Replication Event Log.
Skip the test because the server is running FRS.
......................... PRIMARYDC passed test DFSREvent
Starting test: SysVolCheck
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... PRIMARYDC passed test SysVolCheck
Starting test: KccEvent
* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
......................... PRIMARYDC passed test KccEvent
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=SECONDAD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Qtit,DC=com
Role Domain Owner = CN=NTDS Settings,CN=SECONDAD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Qtit,DC=com
Role PDC Owner = CN=NTDS Settings,CN=SECONDAD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Qtit,DC=com
Role Rid Owner = CN=NTDS Settings,CN=SECONDAD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Qtit,DC=com
Role Infrastructure Update Owner = CN=NTDS Settings,CN=SECONDAD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Qtit,DC=com
......................... PRIMARYDC passed test KnowsOfRoleHolders
Starting test: MachineAccount
Checking machine account for DC PRIMARYDC on DC PRIMARYDC.
* SPN found :LDAP/PRIMARYDC.Qtit.com/Qtit.com
* SPN found :LDAP/PRIMARYDC.Qtit.com
* SPN found :LDAP/PRIMARYDC
* SPN found :LDAP/PRIMARYDC.Qtit.com/QTIT
* SPN found :LDAP/e3d8c76c-1b59-4de6-9f7f-c438df9a2863._msdcs.Qtit.com
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/e3d8c76c-1b59-4de6-9f7f-c438df9a2863/Qtit.com
* SPN found :HOST/PRIMARYDC.Qtit.com/Qtit.com
* SPN found :HOST/PRIMARYDC.Qtit.com
* SPN found :HOST/PRIMARYDC
* SPN found :HOST/PRIMARYDC.Qtit.com/QTIT
* SPN found :GC/PRIMARYDC.Qtit.com/Qtit.com
......................... PRIMARYDC passed test MachineAccount
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC PRIMARYDC.
The forest is not ready for RODC. Will skip checking ERODC ACEs.
* Security Permissions Check for
DC=ForestDnsZones,DC=Qtit,DC=com
(NDNC,Version 3)
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=Qtit,DC=com
* Security Permissions Check for
DC=DomainDnsZones,DC=Qtit,DC=com
(NDNC,Version 3)
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=Qtit,DC=com
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=Qtit,DC=com
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=Qtit,DC=com
(Configuration,Version 3)
* Security Permissions Check for
DC=Qtit,DC=com
(Domain,Version 3)
......................... PRIMARYDC failed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\PRIMARYDC\netlogon
Verified share \\PRIMARYDC\sysvol
......................... PRIMARYDC passed test NetLogons
Starting test: ObjectsReplicated
PRIMARYDC is in domain DC=Qtit,DC=com
Checking for CN=PRIMARYDC,OU=Domain Controllers,DC=Qtit,DC=com in domain DC=Qtit,DC=com on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=PRIMARYDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Qtit,DC=com in domain CN=Configuration,DC=Qtit,DC=com on 1 servers
Object is up-to-date on all servers.
......................... PRIMARYDC passed test ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Starting test: Replications
* Replications Check
* Replication Latency Check
DC=ForestDnsZones,DC=Qtit,DC=com
Latency information for 18 entries in the vector were ignored.
18 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=DomainDnsZones,DC=Qtit,DC=com
Latency information for 18 entries in the vector were ignored.
18 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=Qtit,DC=com
Latency information for 20 entries in the vector were ignored.
20 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=Qtit,DC=com
Latency information for 20 entries in the vector were ignored.
20 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=Qtit,DC=com
Latency information for 20 entries in the vector were ignored.
20 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
* Replication Site Latency Check
......................... PRIMARYDC passed test Replications
Starting test: RidManager
* Available RID Pool for the Domain is 14607 to 1073741823
* SecondAD.Qtit.com is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 14107 to 14606
* rIDPreviousAllocationPool is 14107 to 14606
* rIDNextRID: 14124
......................... PRIMARYDC passed test RidManager
Starting test: Services
* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
* Checking Service: DnsCache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... PRIMARYDC passed test Services
Starting test: SystemLog
* The System Event log test
A warning event occurred. EventID: 0x0000A001
Time Generated: 03/06/2014 16:04:05
Event String:
The Security System could not establish a secured connection with the server ldap/PRIMARYDC.Qtit.com/[email protected]. No authentication protocol was available.
An error event occurred. EventID: 0x0000041F
Time Generated: 03/06/2014 16:06:35
Event String:
The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
An error event occurred. EventID: 0x0000041F
Time Generated: 03/06/2014 16:11:36
Event String:
The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
An error event occurred. EventID: 0x0000041F
Time Generated: 03/06/2014 16:16:38
Event String:
The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
An error event occurred. EventID: 0x0000041F
Time Generated: 03/06/2014 16:21:39
Event String:
The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
An error event occurred. EventID: 0x0000041F
Time Generated: 03/06/2014 16:26:41
Event String:
The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
An error event occurred. EventID: 0x00000457
Time Generated: 03/06/2014 16:30:46
Event String:
Driver TOSHIBA e-STUDIO16/20/25 PCL 6 required for printer TOSHIBA e-STUDIO16/20/25 PCL 6 is unknown. Contact the administrator to install the driver before you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 03/06/2014 16:30:48
Event String:
Driver Microsoft XPS Document Writer v4 required for printer Microsoft XPS Document Writer is unknown. Contact the administrator to install the driver before you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 03/06/2014 16:30:49
Event String:
Driver Send to Microsoft OneNote 15 Driver required for printer Send To OneNote 2013 is unknown. Contact the administrator to install the driver before you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 03/06/2014 16:31:14
Event String:
Driver Send to Microsoft OneNote 15 Driver required for printer Send To OneNote 2013 is unknown. Contact the administrator to install the driver before you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 03/06/2014 16:31:16
Event String:
Driver Microsoft XPS Document Writer v4 required for printer Microsoft XPS Document Writer is unknown. Contact the administrator to install the driver before you log in again.
An error event occurred. EventID: 0x00000457
Time Generated: 03/06/2014 16:31:16
Event String:
Driver WebEx Document Loader required for printer WebEx Document Loader is unknown. Contact the administrator to install the driver before you log in again.
An error event occurred. EventID: 0x0000041F
Time Generated: 03/06/2014 16:31:42
Event String:
The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
......................... PRIMARYDC failed test SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Starting test: VerifyReferences
The system object reference (serverReference)
CN=PRIMARYDC,OU=Domain Controllers,DC=Qtit,DC=com and backlink on
CN=PRIMARYDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Qtit,DC=com
are correct.
The system object reference (serverReferenceBL)
CN=PRIMARYDC,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=Qtit,DC=com
and backlink on
CN=NTDS Settings,CN=PRIMARYDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Qtit,DC=com
are correct.
The system object reference (frsComputerReferenceBL)
CN=PRIMARYDC,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=Qtit,DC=com
and backlink on CN=PRIMARYDC,OU=Domain Controllers,DC=Qtit,DC=com are
correct.
......................... PRIMARYDC passed test VerifyReferences
Test omitted by user request: VerifyReplicas
Test omitted by user request: DNS
Test omitted by user request: DNS
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : Qtit
Starting test: CheckSDRefDom
......................... Qtit passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Qtit passed test CrossRefValidation
Running enterprise tests on : Qtit.com
Test omitted by user request: DNS
Test omitted by user request: DNS
Starting test: LocatorCheck
GC Name: \\PRIMARYDC.Qtit.com
Locator Flags: 0xe00031fc
PDC Name: \\SecondAD.Qtit.com
Locator Flags: 0xe00001bd
Time Server Name: \\PRIMARYDC.Qtit.com
Locator Flags: 0xe00031fc
Preferred Time Server Name: \\PRIMARYDC.Qtit.com
Locator Flags: 0xe00031fc
KDC Name: \\PRIMARYDC.Qtit.com
Locator Flags: 0xe00031fc
......................... Qtit.com passed test LocatorCheck
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope
provided by the command line arguments provided.
......................... Qtit.com passed test Intersite
repadmin /showrepl Result
******************************8
==== INBOUND NEIGHBORS ===================================
DC=Qtit,DC=com
Default-First-Site-Name\SECONDAD via RPC
DSA object GUID: c5ef6e17-77f0-43f6-8d39-5497c563f
Last attempt @ 2014-03-06 16:41:04 was successful.
CN=Configuration,DC=Qtit,DC=com
Default-First-Site-Name\SECONDAD via RPC
DSA object GUID: c5ef6e17-77f0-43f6-8d39-5497c563f
Last attempt @ 2014-03-06 16:41:39 was successful.
CN=Schema,CN=Configuration,DC=Qtit,DC=com
Default-First-Site-Name\SECONDAD via RPC
DSA object GUID: c5ef6e17-77f0-43f6-8d39-5497c563f
Last attempt @ 2014-03-06 15:53:01 was successful.
DC=DomainDnsZones,DC=Qtit,DC=com
Default-First-Site-Name\SECONDAD via RPC
DSA object GUID: c5ef6e17-77f0-43f6-8d39-5497c563f
Last attempt @ 2014-03-06 16:27:31 was successful.
DC=ForestDnsZones,DC=Qtit,DC=com
Default-First-Site-Name\SECONDAD via RPC
DSA object GUID: c5ef6e17-77f0-43f6-8d39-5497c563f
Last attempt @ 2014-03-06 15:53:01 was successful.
I try to down the DC 2003 and access \\Qtit.com it success open the syslog on DC 2008
Any help or advice

Hi,
Were there other error codes logged in Event Viewer?
Regarding Event ID 1055, the following article can be referred to for troubleshooting.
Event ID 1055 — Group Policy Preprocessing (Security)
http://technet.microsoft.com/en-us/library/cc727272(v=ws.10).aspx
Based on the report you posted, this issue may be related to FRS replication service. As a result, we can use ntfrsutl tool to check whether the replication service is healthy.
Regarding this point, the following articles can be referred to for more information.
Troubleshooting File Replication Service
http://technet.microsoft.com/en-us/library/bb727056.aspx
Ntfrsutl
http://technet.microsoft.com/en-us/library/hh875636.aspx
In addition, we can also try doing a non-authoritative Sysvol restore on Windows Server 2008 DC to see whether the issue persists.
Using the BurFlags registry key to reinitialize File Replication Service replica sets
http://support.microsoft.com/kb/290762/en-us
Hope it helps.
Best regards,
Frank Shen

The Group Policy client-side extension Scripts failed ...

This is an error I've been seeing forever and it was always the impression that upgrading would resolve it, but it never has even in 10.3. 100% of our users get these errors in the Event Viewer:
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1085
Date: 10/21/2010
Time: 8:04:52 AM
User: NT AUTHORITY\SYSTEM
Computer: XXXXXX
Description:
The Group Policy client-side extension Scripts failed to execute. Please look for any errors reported earlier by that extension.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
We also seem to have flakey policy issues where once in awhile a user will not be able to logon to Windows with Workstation Only while getting the " not allowed to logon interactively" message, other times the users report not being able to access the Windows Date and Time Properties and further sometimes they are unable to make system changes.
We have troubleshooted this and the only resolutions we've found are to run zac cc, zac ref, zac pl and sometimes it seems like deleting c:\windows\system32\grouppolicy will help.
In regards to the Event Viewer entry I posted, on any given machine I can issue the command gpupdate and it will put another entry into the Event Viewer (sometimes multiple ones). I've learned through research that if I "clean up" c:\windows\system32\grouppolicy\gpt.ini the errors go away, but once the policy is refreshed they come right back.
This is the version ZenWorks gives the users:
[General]
gPCFunctionalityVersion=2
gPCFunctionalityVersion=2
gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}][{3610EDA5-77EF-11D2-8DC5-00C04FA31A66}{0F6B957D-509E-11D1-A7CC-0000F87571E3}][{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}][{4CFB60C1-FAA6-47F1-89AA-0B18730C9FD3}{0F6B957D-509E-11D1-A7CC-0000F87571E3}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Version=6488106
gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B66650-4972-11D1-A7CA-0000F87571E3}][{4CFB60C1-FAA6-47F1-89AA-0B18730C9FD3}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}]
This is the version I cleaned up:
[General]
gPCFunctionalityVersion=2
gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{4CFB60C1-FAA6-47F1-89AA-0B18730C9FD3}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}]
gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}]
I'm not sure how to get Zenworks to use the cleaned up version nor and I too sure what those extra extensions are and how they got in there. I may need to contact Novell in regards to this, but since I'm already working on an SR with them I figured I'd go ahead and post here first.
Any help or advice would be greatly appreciated.

Here are the groups I'm using. NOTE: These have been in affect throughout the issues experienced. Users will work perfectly fine then suddenly the problem will start happening without any policy change on our side.
-Member of-
Network Configuration Operators+
Remote Desktop Users+
Users+
-Assigned Rights under a group I called "Other Rights"-
Access this computer from network
Change the system time
Log on locally
Shut down the system
The only condition I have is that these issues happen when logging in Workstation Only and I'm not able to recreate the problem on demand with tests.
Originally Posted by craig_wilson
The "Interactive Logon" is a Windows Security Permission.
It is generally assigned to certain local groups such as "User".
Which groups are assigned this right can be changed manually and
controlled by local security policies.
When user's get this error, it generally means their account is not in a
local group that has been assigned that right.
If using "DLU", make sure the user accounts are a member of "Users".
And If anyone was messing with security policies, make sure they did not
take away "Interactive Logons" from anyone.
On 10/29/2010 7:06 AM, jcsmith1 wrote:
>
> Thanks for replying craig.
>
> My policy woes have only grown since my first post. We are currently
> testing the removal of administrative rights and now we're having
> teleworkers (who login Workstation Only) getting the message "policy
> does not allow interactive login". What -seems- to fix it is a zac cc,
> zac ref and zac pl, however we just started getting call backs from
> users.
>
> I seem to have no further leads and Novell's ZenWorks tech supports
> seems to be going through some kind of painful-to-the-customer
> transition as one of my thoughts on resolving the issue is to go to 10.3
> or 10.3.1, but my Satellites appear to be upgrading but in reality do
> not upgrade (but the primary servers upgraded) (See SR 10655976331).
>
> Does anyone knows how to troubleshoot policy issues when the users
> aren't loggin into ZCM?
>
> craig_wilson;2036646 Wrote:
>> See: 'Group Policy Error: The Group Policy client-side extension Script
>> failed to execute.'
>> (Group Policy Error: The Group Policy client-side extension Script failed to execute.)
>>
>> This would never be fixed in any patch, since it would be the job of
>> GPEDIT to properly maintain the GPT.INI.
>>
>> Most of the Time these errors are cosmetic and caused by stray script
>> extensions.
>>
>> You may want to create an Enhancement Request to allow the creation of
>> "Filters" so certain errors are discarded and not sent to the DB/ZCC.
>> This way an Admin could choose to filter out various error messages
>> that
>> they deem are not actually of concern.
>>
>> On 10/21/2010 9:36 AM, jcsmith1 wrote:
>>>
>>> This is an error I've been seeing forever and it was always the
>>> impression that upgrading would resolve it, but it never has even in
>>> 10.3. 100% of our users get these errors in the Event Viewer:
>>>
>>> -Event Type: Error
>>> Event Source: Userenv
>>> Event Category: None
>>> Event ID: 1085
>>> Date: 10/21/2010
>>> Time: 8:04:52 AM
>>> User: NT AUTHORITY\SYSTEM
>>> Computer: XXXXXX
>>> Description:
>>> The Group Policy client-side extension Scripts failed to execute.
>>> Please look for any errors reported earlier by that extension.
>>>
>>> For more information, see Help and Support Center at
>>> http://go.microsoft.com/fwlink/events.asp.
>>> -
>>> We also seem to have flakey policy issues where once in awhile a
>> user
>>> will not be able to logon to Windows with Workstation Only while
>> getting
>>> the " not allowed to logon interactively" message, other times the
>> users
>>> report not being able to access the Windows Date and Time Properties
>> and
>>> further sometimes they are unable to make system changes.
>>>
>>> We have troubleshooted this and the only resolutions we've found are
>> to
>>> run zac cc, zac ref, zac pl and sometimes it seems like deleting
>>> c:\windows\system32\grouppolicy will help.
>>>
>>> In regards to the Event Viewer entry I posted, on any given machine
>> I
>>> can issue the command gpupdate and it will put another entry into
>> the
>>> Event Viewer (sometimes multiple ones). I've learned through
>> research
>>> that if I "clean up" c:\windows\system32\grouppolicy\gpt.ini the
>> errors
>>> go away, but once the policy is refreshed they come right back.
>>>
>>> This is the version ZenWorks gives the users:
>>>> [General]
>>>> gPCFunctionalityVersion=2
>>>> gPCFunctionalityVersion=2
>>>>
>> gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}][{3610EDA5-77EF-11D2-8DC5-00C04FA31A66}{0F6B957D-509E-11D1-A7CC-0000F87571E3}][{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}][{4CFB60C1-FAA6-47F1-89AA-0B18730C9FD3}{0F6B957D-509E-11D1-A7CC-0000F87571E3}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
>>>> Version=6488106
>>>>
>> gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B66650-4972-11D1-A7CA-0000F87571E3}][{4CFB60C1-FAA6-47F1-89AA-0B18730C9FD3}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}]
>>>>
>>>>
>>>
>>> This is the version I cleaned up:
>>>> [General]
>>>> gPCFunctionalityVersion=2
>>>>
>> gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{4CFB60C1-FAA6-47F1-89AA-0B18730C9FD3}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}]
>>>>
>> gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}][{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}]
>>>>
>>>>
>>>
>>> I'm not sure how to get Zenworks to use the cleaned up version nor
>> and
>>> I too sure what those extra extensions are and how they got in there.
>> I
>>> may need to contact Novell in regards to this, but since I'm already
>>> working on an SR with them I figured I'd go ahead and post here
>> first.
>>>
>>> Any help or advice would be greatly appreciated.
>>>
>>>
>>
>>
>> --
>> Craig Wilson - MCNE, MCSE, CCNA
>> Novell Knowledge Partner
>>
>> Novell does not officially monitor these forums.
>>
>> Suggestions/Opinions/Statements made by me are solely my own.
>> These thoughts may not be shared by either Novell or any rational
>> human.
>
>
Craig Wilson - MCNE, MCSE, CCNA
Novell Knowledge Partner
Novell does not officially monitor these forums.
Suggestions/Opinions/Statements made by me are solely my own.
These thoughts may not be shared by either Novell or any rational human.

WIndows Server 2008 Broken Group Policy

Facing weird issue since last week , i can not edit the GP with administrative priviliges
Restore the sysvol folder via last backup ; have ran GPO tool commands but no luck
Attach is the error iam getting during editing any GPO
any thoughts here to resolve this issue will be highly appriciated
event id # 4
source # security-kerberos
Log Name# system

Hi Nicholas,
Before going further, sorry for the late response.
Here, did these errors occur when we edit all GPOs or just this specific GPO? Besides, do we have other domain controllers? If yes, we can try to edit the GPO from another DC to see if the issue persists. Moreover, please make sure that the user account
we were using to edit the GPO is not denied access to it.
At this moment, regarding error message Failed to open the Group Policy Object. You may not have appropriate rights,
the following article can be referred to for troubleshooting.
Group Policy Error Message When Appropriate Sysvol Contents Are Missing
http://support.microsoft.com/en-us/kb/253268
Best regards,
Frank Shen
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

Drive restriction group policy causes error message when accessing Open and Save As Dialog Boxes on Windows 8.1

We are running Windows 8.1 Pro x86
I am really curious as to why the drive restriction group policy causes the error message to pop up:
"This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator."
It does not prevent from actual saving so functionality is not lost but it really annoys our end users and we're getting a lot of complaints. We cannot use the workaround of hiding drives instead of restricting as this still presents security issues. This
is happens when saving (or clicking on a button like "Browse" that opens the 'Open' dialogue box) in all Office 2013 applications, Internet Explorer, Paint, Notepad, and probably most others. I've looked at many forums and no suggestions for workarounds
have succeeded for us to get rid of this error message and in fact, I read a post that stated that someone contacted Microsoft and they said this was by design and there is no workaround. I find this very unfortunate that we either have the choice of compromising
security or annoying our end users. It seems to me like the new dialogue box in Windows 8.1 (and maybe 8?) attempts to access the local drive under the logged in user's account before it actually opens up the dialogue box which conflicts with the group policy
that restricts access to the drive.
Has anyone at all had any luck getting this to go away without removing the restrictions? It seems like the answer is either buried in the Windows code or somewhere in the registry.
Thank you in advance for your time!

Thank you for your time and response! Unfortunately, we have the machine locked down pretty tight (they are public use computers that require heavy restriction) and it is set to restrict all drives so access is limited to the local profile. We did try
testing your method, however, by adding the Desktop as an allowed location in the Office policy (which would not solve the issue for the other applications but was good for a test) using the path %userprofile%\desktop. When choosing that location, it does
not throw the error but unfortunately, it does not remember like it did for your with the E: drive so it still always throws the error when first loading the dialogue box no matter what I do. If you're able to confirm that this is simply by design and we're
just expected to inform our users to click through the errors, then I guess that's the accepted answer. Although, do you think that there might be a registry key value that is set after you save to the E: drive for the first time? Maybe we could set that value
to %userprofile%\desktop if it's doing the redirection after the first save through registry. Thanks again!

Error while updating Group Policy

Hello All,
I get the below error while updating the group policy on the user machin.
C:\Users\905288>gpupdate /force
Updating Policy...
User Policy update has completed successfully.
The following warnings were encountered during user policy processing:
Windows failed to apply the Internet Explorer Zonemapping settings. Internet Exp
lorer Zonemapping settings might have its own log file. Please click on the "Mor
e information" link.
Computer Policy update has completed successfully.
For more detailed information, review the event log or run GPRESULT /H GPReport.
html from the command line to access information about Group Policy results.
Is there a way I can find which group policy is causing this issue?

> Do you want me to give you those site details as well?
Hm - not really, I have no error with zone assignments. It's you with
the error :)
Verify your site entries against
http://support.microsoft.com/kb/184456
- most probably, some of them do not adhere to the allowed wildcard rules.
Martin
Mal ein
GUTES Buch über GPOs lesen?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :))

Error Message when logging on "The Group Policy Client service failed the logon. Access is denied"

Since the move to Windows 7 we have started getting this error above when people login at random times and on random machines, at first we thought it was only a select few users, but now it seems to have occurred to about 20 different Staff members working
at the school. Also of those 20 odd users it has happened to them on a few occasions.
What we know
We know this problem is only occurring to staff with Roaming Profiles, it seems like somehow the profile is not Synchronizing with the Servers File Share that houses the profiles, which causes the NTUSER.DAT file to become corrupt and go from being around
2 – 3 MBs to 256KB (In all cases where a user has had this issue there NTUSER.DAT file has been 256KB)
Current Resolution to the problem
When a staff member contact us with this problem, we fortunately have Previous Versions working on the profiles folder on the server, so we are able to restore their NTUSER.DAT file from 1 to 2 days before it became corrupt, which then seems to allow them
to log on fine
What we have tried so far & suggested so far
After some research on Google, we found the following thread on EduGeek
http://www.edugeek.net/forums/windows-7/78733-windows-7-user-profile-failed-error-again.html#post700415
Which suggested that the problem may lay within registry, so we implemented the Script that was posted on the website, however this has not seemed to make any difference
In the early stages when only 5 – 10 staff seemed to be having the problem, we believed the issue could be with just certain AD accounts. It had not seemed to happen to any recently created AD accounts so we thought it could be a corrupt attribute on
the user so we delete one of the staff AD accounts that had the problem and creating a brand new one, however within about 2 – 3 weeks that staff member had the issue occur again
Leading on from point two, we also thought the problem could be with people using multiple computers, logging on in 2 places and not logging off properly, but unfortunately the staff member referred to in point 2 only uses the one computer in reception.
Another potential cause that we figured might be the route of the problem, was it could be specific computers that are not communicating properly with the server, which could be causing this problem to occur, but we have no real way of testing this,
as the staff generally log onto 3 – 4 different computers throughout the day and in different location
We log a call with EE and they just pointed us to various websites that we had already checked and wasn’t much help.
In Summary
This error has now occurred with about 20 members of staff, we currently only use Windows 7 at our Senior School & Moving to Windows 7 at our Prep School in the Summer
holidays, we would like to find out the route of this problem ideally before then, as we could potentially be doubling the amount of staff with the problem after the move. Has anyone else seen this problem or have a brain wave on how to solve it?
Regards
Andy

Hi Dudleya,
First of all ,I would suggest to check the permissions of the NTUSER.DAT registry hive .Here is a link for reference :
The Group Policy Client service failed the logon. Access is denied(Juke Chou`s answer)
https://social.technet.microsoft.com/Forums/windows/en-US/8c0054a3-35be-4fc4-839c-e2176613eb23/the-group-policy-client-service-failed-the-logon-access-is-denied?forum=w7itpronetworking
Please refer to this link and add the registry keys to have a check .Please backup the registry keys before you made modifications to them.
The Group Policy Client Service Failed The Logon In Windows 8(It should also work on windows 7 )
http://www.thewindowsclub.com/fix-group-policy-client-service-failed-logon-windows-8
If the issue persists ,we can refer to this link to troubleshoot this issue .
Troubleshoot User Profiles with Events(It should also be applied to windows 7 )
https://technet.microsoft.com/en-us/library/jj649075.aspx
NOTE: This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites.
Best regards

Group Policy Error

Similar Messages

Maybe you are looking for