Channel: Group Policy forum

Group policy failing only on one system


I updated a firewall related GPO on a few servers and noticed the port wasn't configured on one of the servers even after rebooting.  I checked the other servers and the new settings were applied successfully.

The error message is pointing towards there being a replication error on a domain controller, but that makes no sense because only one system has this issue and they are all identical Server 2012 R2 Hyper-V machines on a Server 2008 AD domain.

There is network connectivity because I can log in with a new domain user profile and ping all of the domain controllers.

When I try to do gpupdate /force it fails on this server.  When I run the same command on other servers, the gpupdate completes successfully. 

I logged into a domain controller and verified that I could connect to all the other domain controllers and that was successful.

This makes me think the problem is on the client server and not any of the domain controllers, however this is what the error from gpupdate /force command says:

The processing of Group Policy failed. Windows attempted to read the file \\domainname.com\SysVol\domainname.com\Policies\{XXXXXXXX-XXXX-XXXX}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:

a) Name Resolution/Network Connectivity to the current domain controller.

b) File Replication Service Latency (a file created on another domain controller

has not replicated to the current domain controller).

c) The Distributed File System (DFS) client has been disabled.

User Policy update has completed successfully.

==================================================================

I don't see any DFS client on the server (we are not using DFS anyway).

It is saying it cannot read policies on a domain controller, however every other system I checked seems to have no problem reading the same policies.

What could cause this problem on a single server?







Can't edit Default Domain Controllers Policy on Windows 8 and Server 2012


During our migration process from Windows Server 2008 R2 to Windows Server 2012 for all of our DC's, I've noticed a problem with the Default Domain Controller Policy.  I can edit this policy from any domain-joined computer running Windows 7 or Windows Server 2008 R2 (and probably earlier versions).  However, I can't edit it via Windows 8 or Windows Server 2012.


Here's the error message I receive:

Failed to open the Group Policy Object.  You might not have the appropriate rights.

Details: The volume for a file has been externally altered so that the opened file is no longer valid.

  • This AD domain has been gradually upgraded since its original introduction with Windows 2000 Server.
  • I'm a Domain Admin and Enterprise Admin.
  • I've triple-checked the ACL for this GPO, even going through every property of each entry, and it is exactly as it should be.
  • I've verified that all the standard files and folders for the GPO are in the correct location.
  • DFS-R is being used for sysvol replication.
  • The policy applies correctly, even to Windows Server 2012 domain controllers.
  • As mentioned, I can edit the policy without a problem from earlier versions of Windows.
  • This problem does not apply to the Default Domain Policy.  Both of these default policies have the proper UUID.
  • This problem occurs regardless of which DC I'm connected to via the GPO editor.
  • dcdiag /c passes all tests.


I'm stumped!  Any suggestions?

How to disable digitally signed drivers in Group Policy


We have a Windows Server 2012 R2 64-bit as a domain controller

The workstations are Windows 7 Pro 64 bit

We need to install a driver that is not digitally signed on a Windows 7 workstation part of the Network Domain.

I believe the Server will enforce the Group Policy and will not allow this to happen. How do we disable the enforcement of this Policy?


Your help is appreciated.

Regards, Guido


Guido Zelenka

Auto adjust custom wall paper as per user's desktop resolution using GPO.


Dear All,

We have AD on Windows 2008 R2 and have Windows XP and Windows 7 as user OSes in our environment. Now, to implement a standard practice, we want to apply the same desktop wallpaper (it might be a plain background with the company logo or message of the day) to all desktops using a GPO, so that as soon as users log in to AD they get the same desktop wallpaper on screen.

We implemented this using a GPO and it works fine as long as the screen resolution is 1280 x 720 (my .JPEG file is 1280 x 683), but not on other computers that have a different resolution and monitor.

So please let me know the way to set the desktop wallpaper automatically according to the user's desktop/laptop resolution, the way the MS Windows wallpaper looks on all systems.

Printer Deployment via Server2012R2


I came across an interesting issue today that I don't fully understand.  Note this occurs in a lab environment for students.

On a Server2012R2 server, we have deployed a printer via group policy.  It would not show up on other Server2012R2 servers under devices and printers, even though gpresult showed it as deployed.  After doing some researching, I found that DNS and NetBIOS name had been brought up a lot with the error "Windows cannot connect to the printer."

I changed the Server names to something less than the 15 character NetBIOS max length.  After doing so, it all started working.  The thing is I don't understand why.  Does NetBIOS play a role in group policy deployment?  Why would deployment fail based on the length of the machine name?  Any thoughts are much appreciated.

Thank you.

What is Auditing by default for SysVol folder in multiple domain and How to find who deleted files and folders from sysvol \ group policy \ folder redirection \ desktop


Hi Techies,

I have a strange issue with one of my domain group policy users.

1) Users complained saying desktop items are not there.

2) When I checked, the desktop items were not there in %logonserver%\netlogon\GP_Fld_Redirection\abc\desktop\

3) There was no issue with the GP setting.

4) After restoring desktop items from backup, the desktop items were visible.

Now the questions are as follows:

  • How to check who has deleted or removed desktop items from that location.
  • How to see the audit logs for the sysvol folder. When I checked in Event Viewer for event ID 4660, nothing was found.
  • Will the sysvol folder have the delete object audit policy enabled by default?
  • In the DC default domain policy, Object access is enabled for Failure and Success.
  • I even checked with event ID 5143, but no luck.
  • Now I have to submit a root cause analysis report. Please help me.


With Regards, Raviraj Nagenhatti - System Administrator


GPOs do not apply on Windows 10 Enterprise x64


Hi there,

When booting a Windows 10 machine (Lenovo laptop) GPOs are not loaded. Of course I can apply them later on via gpupdate /force.

When I have a look into the system log I always get an error in there with the ID 1058. Checking the error code in the details says: Network access is denied (error code 65).

It tries to access a gpt.ini file from the policies but does not get through.

When I restart the computer, click the link in the error message I get an error that the file cannot be accessed. Nevertheless after about 30 seconds the access to the file just works.

For me it seems that there is a service pending start which is needed for the domain access. I bet it has to do with DFS as the GPO access works via DFS path(namespace).

This is quite annoying as the machine policies are not loaded, nor are the user policies.

Here are the details from the error message:

Log Name:      System

Source:        Microsoft-Windows-GroupPolicy

Date:         10.9.2015 13.19.02

Event ID:      1058

Task Category: None

Level:        Error

Keywords:     

User:         xxxxxxx\xxxxxxx

Computer:      xxxxxxxxxxxxxxxxxxxxxxxxxxxx

Description:

The processing of Group Policy failed. Windows attempted to read the file \\my.domain.com\SysVol\my.domain.com\Policies\{3933BE19-C3FF-4C22-9434-B64C654C8B06}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:

a) Name Resolution/Network Connectivity to the current domain controller.

b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).

c) The Distributed File System (DFS) client has been disabled.

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

  <System>

    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />

    <EventID>1058</EventID>

    <Version>0</Version>

    <Level>2</Level>

    <Task>0</Task>

    <Opcode>1</Opcode>

    <Keywords>0x8000000000000000</Keywords>

    <TimeCreated SystemTime="2015-09-10T10:19:02.977910800Z" />

    <EventRecordID>1318</EventRecordID>

    <Correlation ActivityID="{9C0C77C4-AFC1-4A0E-9BFE-BE698091D73C}" />

    <Execution ProcessID="932" ThreadID="3588" />

    <Channel>System</Channel>

    <Computer>xxxxxxxxxxxxxxxxxxx</Computer>

    <Security UserID="S-1-5-21-1410795398-2781916069-518169928-1178" />

  </System>

  <EventData>

    <Data Name="SupportInfo1">4</Data>

    <Data Name="SupportInfo2">912</Data>

    <Data Name="ProcessingMode">1</Data>

    <Data Name="ProcessingTimeInMilliseconds">421</Data>

    <Data Name="ErrorCode">65</Data>

    <Data Name="ErrorDescription">Network access is denied. </Data>

    <Data Name="DCName">\\xxxxxxxxxxxxxxxxxxxxxxxxxxx</Data>

    <Data Name="GPOCNName">cn={3933BE19-C3FF-4C22-9434-B64C654C8B06},cn=policies,cn=system,DC=xxx,DC=xxxxxxxx,DC=xxxxx</Data>

    <Data Name="FilePath">\\my.domain.com\SysVol\my.domain.com\Policies\{3933BE19-C3FF-4C22-9434-B64C654C8B06}\gpt.ini</Data>

  </EventData>

</Event>
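
An added triage example, not part of the original post: it parses event 1058 XML like the record above and groups failures by error code, domain controller and GPO. The sample records are constructed, every host and domain name in them is a placeholder, and the function names are hypothetical.

```powershell
# Added example. On a live host the input would come from:
#   Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1058;
#       ProviderName = 'Microsoft-Windows-GroupPolicy' } | ForEach-Object { $_.ToXml() }

# Constructed sample record; every name in it is a placeholder.
$template = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1058</EventID><TimeCreated SystemTime="__TIME__" /></System>
  <EventData>
    <Data Name="ErrorCode">__CODE__</Data>
    <Data Name="ErrorDescription">__DESC__ </Data>
    <Data Name="DCName">\\__DC__</Data>
    <Data Name="FilePath">\\example.test\SysVol\example.test\Policies\{00000000-0000-0000-0000-000000000001}\gpt.ini</Data>
  </EventData>
</Event>
'@
$rows = @(
    @{ Time = '2015-09-10T10:19:02.9779108Z'; Code = '65'; Desc = 'Network access is denied.';       DC = 'dc01.example.test' },
    @{ Time = '2015-09-11T06:02:41.1200000Z'; Code = '65'; Desc = 'Network access is denied.';       DC = 'dc01.example.test' },
    @{ Time = '2015-09-11T14:30:10.5000000Z'; Code = '53'; Desc = 'The network path was not found.'; DC = 'dc02.example.test' }
)
$samples = foreach ($r in $rows) {
    $template.Replace('__TIME__', $r.Time).Replace('__CODE__', $r.Code).Replace('__DESC__', $r.Desc).Replace('__DC__', $r.DC)
}

function ConvertFrom-GpEvent1058 {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $doc = [xml]$EventXml
        # Flatten <Data Name="...">value</Data> into a lookup table.
        $data = @{}
        foreach ($d in $doc.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeUtc   = $doc.Event.System.TimeCreated.SystemTime   # ISO 8601 UTC, sorts as text
            ErrorCode = [int]$data['ErrorCode']
            Error     = "$($data['ErrorDescription'])".Trim()
            DC        = $data['DCName']
            GpoGuid   = if ($data['FilePath'] -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { $null }
        }
    }
}

function Get-GpFailureSummary {
    param([Parameter(Mandatory)][string[]]$EventXml)
    $EventXml | ConvertFrom-GpEvent1058 |
        Group-Object -Property ErrorCode, DC, GpoGuid |
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            $times = @($_.Group.TimeUtc | Sort-Object)
            [pscustomobject]@{
                Count     = $_.Count
                ErrorCode = $_.Group[0].ErrorCode
                Error     = $_.Group[0].Error
                DC        = $_.Group[0].DC
                GpoGuid   = $_.Group[0].GpoGuid
                First     = $times[0]
                Last      = $times[-1]
            }
        }
}

Get-GpFailureSummary -EventXml $samples | Format-Table -AutoSize
```

Comparing the First and Last times of each group against the machine's boot times shows whether the failures cluster at startup, as the post suspects, or follow one domain controller.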

Prevent Duplicate Registry Files For Windows 8 Apps


After re-installing our custom image of Windows 8.1 Pro to a Lenovo Yoga 11e, updating Windows 8.1 Pro, getting on our domain (which is Windows Server Data Center 2012 R2 and we suspect it to possibly be a wrong group policy), and possibly some other step (which could possibly be downloading apps from our Software Center but who knows at this point) we have an issue where the tiles in the start menu do not work. They are refusing to come up, load, turn on, boot up, or whatever you call it. They do their little flippy thing and then it takes me right back to the start menu. Looking at the Event Viewer (Applications and Services\Microsoft\Windows\Apps\Microsoft-Windows-TWinUI) I get the error of

"The app microsoft.windowscommunicationsapps_Microsoft.WindowsLive.Mail's package family (microsoft.windowscommunicationsapps) has more than one package installed. This is not supported, so the app was not activated for the Windows.Launch contract."

This is the error that shows up after I click on "Mail" at the start menu a million times. So then I do more research and the fix is to go to "REGEDIT.exe" and navigate to  "HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Families\microsoft.windowscommunicationsapps" and delete the duplicates. This solves the issue. But my million dollar question here is why does this specific issue happen and how do we prevent it in the future? We have thousands of laptops and for this issue to persist, this fix really isn't going to cut it.


Restricted Group

Why can't I create a restricted group on Windows Server 2012 R2 via Group Policy? I followed all of the websites that give guidance on creating a restricted group, but when I right-click the properties of the Administrators group I do not see the group that was added to the restricted group, and I have already run gpupdate /force from the command line.

GPO SYSVOL not accessible


Hi all,

Several 2012 domain controllers on multiple sites.

2012 domain functional level.

One of my domain controllers has an inaccessible SYSVOL folder; it's also carrying all FSMO roles. When I looked at the status window (in Group Policy Management) it shows the baseline controller has moved to another DC, and the DC I would expect to be the baseline holder is showing as Inaccessible.

DCDIAG REPLadmin shows no replication errors at all.

I've noticed that the issue isn't with replication. I can create new policies and they get replicated. But I've noticed that if I delete a GPO from the GUI, the corresponding folder in the sysvol isn't being deleted.


matt barnes

AppLocker on Server 2012 R2 causing memory spike in dependent processes


Hello,

I am running AppLocker on my Windows Server 2012 R2 machines, and after several hours of run time, two of the Application Identity service's dependent services using SVCHOST will spike their memory utilization, in some cases to over 2-3 GB each.  The processes "families" as they are grouped in the task manager are the "Service Host: Remote Procedure Call" and "Service Host: DCOM Server Process Launcher" - as I said, these are the dependencies of the Application Identity service that AppLocker uses to enforce the defined application control policies.

Has anyone seen this before or have any ideas what could be causing this?  I have used AppLocker in the same manner with the same number of rules in Server 2008 R2 with no issues like this.  The problem also doesn't occur on the Windows 7 workstations which also run AppLocker.

Is there a memory leak in the Application Identity service somewhere?

Many thanks in advance.

different Password policies for different departments


I want to create a new password policy in the domain, but I don't want to apply it to the whole domain at one time, i.e. I want to apply it to different OUs (today on the IT OU, the next day Finance, etc.).

My questions are:

1) As the password policies are in Computer Configuration, should I move the computer accounts of the targeted users from the Computers container to their OU to apply the policy, or will it be enough to move the users only?

2) Should I create a linked policy for each OU, or what?

Thanks

prevent members of administrators group


Hi, our security group is a member of local administrators on all servers; we want to prevent them from restarting or shutting down any servers. It would be ideal if all they saw was logoff when they were on a server.

If we define this group in a GP and configure "Remove and prevent access to the shutdown, restart, sleep, and hibernate commands", will this also restrict the users on their desktops as well as servers?

thx,

jason

Home Folder Not Created for Domain Users


Currently I have a problem with my GPO. I have a Windows Server 2012 as DC and a workstation that is using Windows 8. I've configured the Home Folder Path in the Default Domain Policy (\\DCSERVER\Home); this folder has security and share permissions for Domain Admins and Domain Users for Read/Write. When I tried to log on as a user who belongs to Domain Admins, the home folder was created, but when I tried with Domain Users, the home folder wasn't created. How to fix this problem?

Thanks in advance.

Scanner Not Detected On Deployed Printer Via GPO

Hi, I just deployed HP7500A Wide Format Printer that includes everything (printer, scanner, copy, fax), when I installed it manually on the client computers with Add Printer Wizard and specifying the Printer IP Address, the computer can detect the Scanner but when I used Group Policy (GPO Deployment), it is only detected as Printer and not Scanner/Fax. How to make user able to use the Scanner/Fax feature of this printer? I'm using "Windows Fax And Scan" software on the client computers and is it possible to audit the usage of the Fax and Scanner features?

Remove Shutdown Option On Logon Screen


Hi, currently in the user logon screen there is power button that consists of:

  • Hibernate
  • Restart
  • Shutdown

I know how to remove all of these options via Group Policy, but how to remove just Shutdown option, so it should look like this:

  • Hibernate
  • Restart

Is it possible?

Server GPO granting "log on as service" is deleting existing accounts if they already exist


I have some GPOs that I apply to all my servers, one of which sets up a few global service accounts with the "Logon as a Service" right.  The problem is that if I apply this GPO to a server that already has custom entries in there (like any SQL Server with the "NT SERVER\*" accounts) those existing entries are deleted when the GPO is applied.

I need the GPO to simply ADD the names of my service accounts without deleting whatever is there.

I read about "loop-back" processing and "merge vs replace" but this appears to only affect "User Configuration".  The GPO setting in question is under Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/User Rights Assignment.

Like I said, my current show-stopping issue is my SQL servers, which all have server-specific accounts that have been granted the "log on as service" rights during the installation of SQL Server.  If I apply this policy, SQL Server services are no longer able to start on the server.  Obviously I can't add server-specific accounts to my GPO--the list would become unmanageable almost immediately.

How do I make this policy ADDITIVE instead of DESTRUCTIVE?  Any ideas would be appreciated!

Windows 7 Folder Redirection Fails


Hi everyone!

I'm having some problems with folder redirection in my organization recently.

We have a GPO that redirects everyone's Desktop and Profile folders into a share on the network so everyone gets the same desktop, and the other profile folders are kept in a DFS share.

Recently some Windows 7 workstations are failing to process this GPO for the following reason:


Failed to apply policy and redirect folder "Desktop" to \\Domain\Netlogon\Desktop
Redirection operation=0x9000
The following error occured: "Can not create folder" "\\Domain\Netlogon\Desktop"
Error Details: "The specified network name is no longer available"

# When I try to enter both of the shares from any of these workstations it works fine, and it seems that only the folder redirection component cannot access the shares.

# The policy works on other domain computers, so I know that it's configured fine.

# All permissions on shares and NTFS have been checked and configured.

# The firewall has been checked and there are no drops.

In the Gpsvc.log I found an error at the folder redirection processing:

"Extension Folder Redirection OriccessGroupPOlicy Failed, status 0x3eb"

In addition, there is this error that keeps showing up all over the log:

CExtSessionLogger::Delete: Failed to DeleteInstance with 0x80041002

Any suggestions? Has anyone ever seen those errors?

Windows 2003 / Win 7 Client - 1 Group Policy Setting Not Being Applied


Hello all.

I have enabled user config\windows settings\IE Maintenance\Connection to Auto detect and Enable Auto Config and I've specified a PAC file in the automatic proxy URL field. For some reason, it is not being applied when the user logs in.  She is receiving other parts of the policy (for example, the DISABLE THE CONNECTION tab is enabled so they can't access and change the PAC file).

Any idea what would be preventing this one setting from being applied?  When I run the Group Policy Results tool from the GP Management console,  it doesn't come up. It's as if the setting is not even enabled.

thank you!

How to disable Group Policy for testing


Hello,

I hope I have a simple question. I am running Windows 2008 R2.  I have a policy that may be giving me a problem; I want to disable the policy for a short time to test and then enable it again.  I don't have much experience with Policy, so I want to make sure that what I am doing can be undone.

I noticed in Group Policy editor, when I am in Group Policy Objects and I highlight a GP, under Details there is an option called GPO Status.  In that I can choose to do the following:

All Setting disabled

Computer Configuration setting disabled

Enabled

User configuration settings disabled

From the above list I believe I can click on All settings Disabled and that will disable the GP, and I can test and then enable it again.

I also believe that I will need to do a GPupdate /force on my DC and the server in question.

This seems the simplest way to check: disable the policy and test. If it fixes the problem, then I know that it is a policy issue; I can then enable it again and look further into the problem. If it does not fix the issue, then I know that it may not be a policy issue but something else.  FYI: this is not any of the default policies.

If this is correct or incorrect and if there are any other things that I need to know I would appreciate the help.

Thanks

Adam Raff
