

Group Policy failing to update

Posted on 2011-04-18
Medium Priority
Last Modified: 2012-05-11
This domain consists of the following:

1- SBS 2003 SP2 DC
2- Multiple Windows 7 Clients
3- Multiple Windows Vista Clients

The group policy on the domain had been long-hosed by a previous administrator.  I decided that today was the day to resurrect it.

I've made great progress, but I need the Experts' help to get it across the finish line.

I started by utilizing a Microsoft utility to recreate the Default Domain Policy (it had been deleted).  Then I went through and configured the policy as appropriate for our environment.  That policy is now linked and enforced, and is the sole policy affecting the domain.

The policy is applying to my Windows 7 (and Windows Server 2003, Windows Server 2008) machines just fine - with no errors or hesitation.

The User policy applied to Vista just fine.  The Computer policy WILL NOT apply to the Windows Vista machines for anything.

The error reads "Computer policy could not be updated successfully.  The following errors were encountered:  The processing of Group Policy failed.  Windows attempted to read the file \\CCC.local\sysvol\CCC.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful."  The Error is 1058, Code 5 -- which I've read is related to file permissions.

I have read many solutions already, but none have resolved the issue.  What I have tried:  (1) Name resolution to the DC,  (2)  dcdiag,  (3)  permissions on the SYSVOL folder (I can browse to and open the view from a non-admin user account).

What else should I try?  Is there anything significant about the fact that it is working fine on Windows 7 (and 2003, 2008) boxes, but not Vista?

Many thanks!

Robert Patterson
MCSE, MCITP, MCTS, A+, Server+

Question by:Patt5735
LVL 11

Expert Comment

ID: 35420653
I am sure you have already tried this, but for testing purposes have you tried to log in to one of the Vista computers with a domain admin account and push the policy?

Also because this is a domain I am assuming all the Vista computers are successfully attached to the domain with Vista Business Edition?

Author Comment

ID: 35420803
I have tried pushing the policy with a domain admin account, although the eventual solution will obviously have to work apart from administrative privileges.  With a user account I can browse to the SYSVOL folder.

The Vista machines are running Vista Business Edition and are all joined to the domain.
LVL 11

Expert Comment

ID: 35420834
So to clarify your last post, does that mean it does work as a domain admin account on the Vista computers, or does it not?
LVL 12

Expert Comment

ID: 35420840
Like Patmac says, maybe you have tried it, but it could help.

Have you tried to take this computer out of the domain, and then add it again?

Have you verified with gpresult /SCOPE computer /Z to check if the GPO is applied to the computer account, or should be?

I guess you can browse to \\CCC.local\sysvol\CCC.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}, but you can use the psexec tool to verify if local system has rights on a network share. You can download it from the Sysinternals web site: www.sysinternals.com

Something like

psexec /s cmd /c type \\CCC.local\sysvol\CCC.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini

you should get something like

cmd exited on SERCHLOP-WIN7 with error code 0.


Author Comment

ID: 35420953
So to clarify your last post, does that mean it does work as a domain admin account on the Vista computers, or does it not?

It doesn't work regardless of admin or non-admin.

Have you tried to take this computer out of the domain, and then add it again?

I haven't, but I'm willing to try that.  I'm dealing with a dozen or so machines, so that's not a preferred fix.

Have you verified with gpresult /SCOPE computer /Z to check if the GPO is applied to the computer account, or should be?

When I run this on the Vista machine I get a completely different result than I do on my 7 machine.  On the 7 machine, I get the full list of policies.  On the Vista machine, it reports little or nothing -- under Applied Group Policy Objects it says "N/A" and all of the resultant set of policies entries also have "N/A".

Is that because it can't access the GPO, or is there some configuration error in the GPO (related to Vista) that I have missed?

Author Comment

ID: 35421004
PSExec returned "Access is denied" Error Code 1.  Now I'm really confused.  At least the behavior is consistent.  But how do we explain the fact that I can browse to it in Explorer -- but both GPO and PsExec are denied access?

Accepted Solution

Patt5735 earned 0 total points
ID: 35425150
The issue with Group Policy has been resolved by fixing an issue with duplicate SPN entries causing authentication problems.

Author Closing Comment

ID: 35455493
The issue has been resolved.
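
One way to check for the condition named in the accepted solution, as an added example that is not part of the original thread: this PowerShell lists every SPN that is registered on more than one account. The function names, account names and SPN values are constructed for illustration; only the CCC.local domain name comes from the question.

```powershell
# Added example, not from the thread. Account names and SPNs below are constructed.

function Get-SpnRecord {
    # Live query of the current domain (run on a domain-joined machine).
    # Emits one record per (account, SPN) pair.
    $searcher = [adsisearcher]'(servicePrincipalName=*)'
    $searcher.PageSize = 1000   # enable paging so large result sets are not truncated
    $searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'servicePrincipalName'))
    foreach ($result in $searcher.FindAll()) {
        $dn = [string]$result.Properties['distinguishedname'][0]
        foreach ($spn in $result.Properties['serviceprincipalname']) {
            [pscustomobject]@{ DN = $dn; SPN = [string]$spn }
        }
    }
}

function Find-DuplicateSpn {
    # An SPN must map to exactly one account. When two accounts hold the same
    # SPN, the KDC cannot choose between them and Kerberos authentication to
    # that service fails. SPNs are compared case-insensitively.
    param([Parameter(Mandatory)][object[]]$Record)
    $Record |
        Group-Object -Property { $_.SPN.ToLowerInvariant() } |
        ForEach-Object {
            $holders = @($_.Group | ForEach-Object { $_.DN } | Sort-Object -Unique)
            if ($holders.Count -gt 1) {
                [pscustomobject]@{ SPN = $_.Name; Holders = $holders }
            }
        }
}

# Constructed sample: a service account carries a HOST SPN that also belongs
# to the domain controller's computer account, differing only in letter case.
$sample = @(
    [pscustomobject]@{ DN = 'CN=SBS01,OU=Domain Controllers,DC=CCC,DC=local'; SPN = 'HOST/sbs01.CCC.local' }
    [pscustomobject]@{ DN = 'CN=SBS01,OU=Domain Controllers,DC=CCC,DC=local'; SPN = 'ldap/sbs01.CCC.local' }
    [pscustomobject]@{ DN = 'CN=svc-legacy,CN=Users,DC=CCC,DC=local';         SPN = 'host/SBS01.ccc.local' }
    [pscustomobject]@{ DN = 'CN=VISTA07,CN=Computers,DC=CCC,DC=local';        SPN = 'HOST/vista07.CCC.local' }
)

Find-DuplicateSpn -Record $sample | Format-List

# Against a real domain:
#   Find-DuplicateSpn -Record (Get-SpnRecord) | Format-List
```

The live query covers the current domain only. Where available, `setspn -X` reports the same condition.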
