Group Policy error on Windows7 client attached to SBS 2003R server / DC

Posted on 2011-10-12
Last Modified: 2012-05-12
Something has happened to one of the Windows7 clients on my business network, controlled by an SBS 2003 R2 domain controller. No user can print and my Administrator can't successfully run "mstsc /v:servername /admin". Symanted Endpoint Client can't synchronise with Symantec Protection Centre (which is on the SBS) but I users can acess the intra and internet and Email works fine.

Running "gpupdate /force" generates the following error.

The major difference between the computer with this problem and the rest of the clients is that they are all identical HP desktops and this particular client is my only high power workstation (which is business critical!).

Any help gratefully received.

From the event log...

The processing of Group Policy failed. Windows could not evaluate the Windows Management Instrumentation (WMI) filter for the Group Policy object CN={8A63E61B-F255-424D-88D7-4D984C213992},CN=Policies,CN=System,DC=HomeNet,DC=local. This could be caused by RSOP being disabled  or Windows Management Instrumentation (WMI) service being disabled, stopped, or other WMI errors. Make sure the WMI service is started and the startup type is set to automatic. New Group Policy objects or settings will not process until this event has been resolved.

From event log the details for this are...


  - Provider

   [ Name]  Microsoft-Windows-GroupPolicy
   [ Guid]  {AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}
   EventID 1065
   Version 0
   Level 2
   Task 0
   Opcode 1
   Keywords 0x8000000000000000
  - TimeCreated

   [ SystemTime]  2011-10-12T17:34:03.528320300Z
   EventRecordID 21183
  - Correlation

   [ ActivityID]  {0E7F5C6E-DD77-47E7-AE76-B236144DA0CE}
  - Execution

   [ ProcessID]  1524
   [ ThreadID]  2644
   Channel System
   Computer Jupiter.HomeNet.local
  - Security

   [ UserID]  S-1-5-21-1043698462-2783909157-1450187183-1151

- EventData

  SupportInfo1 4
  SupportInfo2 631
  ProcessingMode 1
  ProcessingTimeInMilliseconds 1141
  ErrorCode 2147749890
  DCName \\saturn.HomeNet.local
  GPOCNName CN={8A63E61B-F255-424D-88D7-4D984C213992},CN=Policies,CN=System,DC=HomeNet,DC=local
Question by:MarcusN

    Author Comment

    I forgot to mention that I have a single OU and that the workstation with the problem is listed in the same place as all the other computers on the network.
    LVL 28

    Expert Comment


    Author Comment

    I have run winmgmt /verifyrepository, as the link suggests, and the WMI repository on the Windows7 client is "consistent".

    I've also run the command on other Windows7 clients and they also are consistent.

    This command does not work on the SBS 2003 R2 server. Do I need to check consistency on the server to resolve issues with this particular client machine?

    Is there any way that simply deleting the group policy will allow me to run a successful gpuodate ?
    LVL 28

    Accepted Solution

    I believe its a client problem, the command won't run on XP/Windows 2003.

    First determine which poicy is causing the problem: open a command prompt on your server and run

    dsquery * dc=your,dc=domain -filter
    "&(objectClass=groupPolicyContainer)(name={8A63E61B-F255-424D-88D7-4D984C213992})" -attr displayname

    This woud display the name of the failing policy.
    Then open the Group Policy Management console and locate this policy. Look at the WMI filter part. Maybe you can paste the content of the filter here

    LVL 28

    Expert Comment

    I'd rather not delete the policy without knowing what it does, especially in a SBS environment.

    Author Comment

    OK, I found the policy in GPMC. It had a WMI filter on it which was "PreSP2" which I presume relates to XP pre Service Pack 2. I have no XP clients any longer. So, I set the filter to <none> and re-ran gpupdate on the client.

    I received an error for a different policy and found that one which also had a WMI filter which was "SP2" and I also set that to <none> and ran gpupdate again. This time there was another error and it too had a WMI filter which was "Vista" which I also set to <none>.

    Now when I run gpupdate /force the update is successful. All the filters related to Windows Firewall and, as I use ISA firewall, and that's working well, I didn't worry too much about resetting these WMI filters. (Perhaps that's wrong...)

    However, the problem I need to fix (I can't access a network printer and I can't mstsc to the server or anything else and my SEP client is not functioning properly) persists still. I seem to have dealt with some GPO and WMI matters but not solved the problem that I wanted to.

    Author Comment

    The problem was a conflict between Symantec Endpoint Protection and PCTools Spyware Doctor (I routinely ran 2 spyware/malware programmes in the past without any problem).

    The GPO in Windows7 is configured differently from those in XP and I can't run both of these applications simultaneously.

    I chose to uninstall Spyware Doctor and all is now fine.

    Author Closing Comment

    The problem needed to be resolved by trial and error but the GPO did highlight the conflict between applications.
    LVL 28

    Expert Comment

    The problem now is, the poilcies designed for Vista/Windows XP now get applied to Windows 7. If you do not have any XP/Vista clients, rather disable the erroring GPOs. I still wonder why the WMI filter doesn't work on WIn 7....

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    How your wiki can always stay up-to-date

    Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
    - Increase transparency
    - Onboard new hires faster
    - Access from mobile/offline

    #Citrix #Citrix Netscaler #HTTP Compression #Load Balance
    Let’s list some of the technologies that enable smooth teleworking. 
    This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
    After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

    779 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    10 Experts available now in Live!

    Get 1:1 Help Now