Link to home
Start Free TrialLog in
Avatar of jonhagger

asked on

Group Policy error

Anyone comes across the following error message when trying to view the settings tab on a Group Policy object:

An error occurred while generating report:
An unknown error occurred while the HTML report was being created.

I've tested from the PDC and a few other DC's and get the same error. Other GPO's are displaying fine withing the same Domain!

Couldn't seem to find any known articles from MS.

Avatar of tolinrome
Flag of United States of America image

Use Gpotool.exe from the resource kit and see if it gives any errors for that GPO.

Restart IIS Services, see if that helps.
Avatar of jonhagger


Thanks for the update, Ran that from my machine and got the same error for just this GPO. IIS isn't installed on my PC or on the PDC
I dont know if this will help at all but it entails enabling logging to further investigate a problem. Might be worth a look.

Avatar of GUEEN
Flag of United States of America image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
if the report runs fine from another machine, then i would update the particular machine with the latest GPMC, OS, and browser updates,

Good Luck,

The first step is to ensure your AD is replicating properly, do this:
Close out the group policy editor and AD Users/Groups.  Replicate your AD domain controllers using AD Sites & Services.  Try to open your AD Users/Groups and check the policy again.

Ensure that the GPO you are trying to edit actually exists on all of your domain controllers.  GPO files replicate using FRS between domain controllers in the sysvol folder.  See this article explaining the location of GPO files.

If that doesn't work, tryin running GPO tool again and try it on different domain controllers
I also forgot to mention, check your event log for FRS errors!
How very strange! Thanks shekerra.
I have noticed that on my windows XP machine I receive this error, however, when I switch to my vista console which is running the GPO manager with the admx features enabled I'm able to open this report without any errors. If you downloaded this script or received elsewhere be sure its not an admx type script that you can only view and open in Vista's version of GPO manager
When I set the policy to not import Internet Explorer Security Zone and Content Ratings, the report runs fine. Is there a work around?
I have a similar error:
An error occurred while generating report:
Could not load file or assembly 'System, Version=1.0.3300.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' or one of its dependencies. The system cannot find the file specified.

Anyone have any ideas ?
Does anyone have a solution for this i've turned the net upside down for resolution and can't find any and what's mentioned thus far in this article hasn't been useful
You should probably open a new question since jonhagger's Q. is closed and he has accepted an answer.
This worked for me as per accepted solution

If you have a section of the policy that has "import security zones" - switch from 1 to 0 and run report again - this was a little known bug that you can't have both reporting and zone import or the report fails

What exactly do you mean?  Where do we switch from 1 to 0?  I have imported security zone information as part of the Internet Explorer Maintenence section as I need to add some sites to various zones.  I don't understand where switching from 1 to 0 is applicable.

Please advise!  TIA
I have successfully re-produced this symptom on our side with your backup GPO and determined the root cause. The error is caused by an invalid value of level for IE zones in the seczones.inf file that is under %systemroot%\sysvol\domain\Policies\{3F83BF46-F4DE-4CB6-B8D3-63B2C9A16386}\User\microsoft\IEAK\BRANDING\ZONES folder. The file contains the settings in the security zone. Please see the file below:




HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",CurrentLevel,0x10001,00,15,01,00


HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",CurrentLevel,0x10001,00,15,01,00




The 00011500 (read it from right to left) is the invalid value. If we change it to a valid value, the issue is resolved. You can change it to the one of the following valid value:


·         0x00010000 Low Security

·         0x00010500 Medium Low Security

·         0x00011000 Medium Security

·         0x00012000 High Security


For instance, if you want to change it to 0x00010500, you should write 00,05,01,00. For more information about security zones registry entries, please access the following Kb article:


Description of Internet Explorer security zones registry entries


The detailed steps are provided as follows:


1. On your PDC, browse to the folder %systemroot%\sysvol\domain\Policies\{3F83BF46-F4DE-4CB6-B8D3-63B2C9A16386}\User\microsoft\IEAK\BRANDING\ZONES


2. Use Notepad to edit the seczones.inf file.

3. Locate and make sure to modify the following two fines


HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",CurrentLevel,0x10001,00,15,01,00

HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",CurrentLevel,0x10001,00,15,01,00


The correct lines should look like:


HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",CurrentLevel,0x10001,00,05,01,00

HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",CurrentLevel,0x10001,00,05,01,00


4. Save the file. Run the GPMC on PDC to check the issue again.

My new hero!
Just ran into this. The solution about changing values in the seczones.inf file from patadair is the correct one.
I had a similar problem, but the solution was different. Somehow I had three settings that were defined, but not with any settings.  In my case, it was the three Event Log Retention method settings.  The 'Define Policy Setting' was selected, but none of the three buttons were highlighted.  I suspect something got messed up while building the policy using inf files, etc.  Anyway, once I undefined them, all was well and I could view the settings in GPMC.

Thanks dude! Very useful! Worked a treat!
I tried to go with the patadair recommendations, but my domain has plenty of policies and couldn't locate the one I needed;

This is the best SOLUTION:


If you ever run across the following error in Group Policy Management:
An error occurred while generating report:
 An unknown error occurred while the HTML report was being created.
The follow these steps to fix it.

1. Open the Group Policy Management
 2. Go to the Group Policy Object in question, and confirm you have the issue by selecting the “Settings” tab
 3. At this point, if you have the issue, the left hand side should read the above mention error
 4. Edit the GPO, and browse to User Configuration > Windows Settings > Internet Explorer Maintenance > Security > Security Zones and Content Ratings
 5. Change the setting from “Import the current security zones and privacy settings” to “Do not customize security zones and privacy”, then exit out of the GPO editor
 6. Close Group Policy Management MMC, then reopen it
 7. Go back to the GPO in question and click the “Settings” tab
This time your GPO Settings Report should run properly.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! VERY IMPORTANT !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
      After you are done with exporting that report, make sure you UNDO the above changes - otherwise, you won't be able to deploy trusted IE websites, intranet IE websites to users
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! VERY IMPORTANT !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Source: Source: