GPO object missing - how do I clean up ?

Posted on 2013-01-06
Last Modified: 2013-01-29

W2k3 server problem at login - apparently there is something wrong with the GPOs (missing one or more GPO objects)

(sorry the server in in French locale but I'm sure you get the gist of it
Type de l'événement :	Erreur
Source de l'événement :	Userenv
Catégorie de l'événement :	Aucun
ID de l'événement :	1058
Date :		06.01.2013
Heure :		19:08:06
Ordinateur :	MY-PDC
Description :
Windows ne peut pas accéder au fichier gpt.ini pour l'objet Stratégie de groupes CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=mydomain,DC=local. Le fichier doit être présent à l'emplacement <\\mydomain.local\sysvol\mydomain.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\gpt.ini>. (Le fichier spécifié est introuvable. ).  Le traitement de la stratégie de groupe est interrompu

Open in new window

Basically it would seem some of the gpt.ini files are missing and as such the processing of the GPO can not take place.
My question is what is the best way to solve this ? I can't really locate the offending GPO in the the MMC editor as far as I can tell....
Question by:Alexandre Takacs
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38748879
If you have valid sysvol backup the restore the folder named {6AC1786C-016F-11D2-945F-00C04fB984F9} to C:\windows\sysvol\domain.local\policies to same location

How many DC's do you have ?
If only one then follow above method
If multiple then check other DC's sysvol folders if above folder stored on anyother DC if yes then copy the same to culprit server

Author Comment

by:Alexandre Takacs
ID: 38749153

Having two DC (PDC and BDC).

Actually both have the "missing" folder in SYSVOL and it does contains a GPT.INI file...

LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38749188
restore from backup

BTW GPT.ini file reside under GUID folder if the GUID folder is missing then you won't get gpt.ini too..where are you looking at can you provide the path...... also let me know how many GPO's you have configured and how many GUID folders you can see?
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why


Author Comment

by:Alexandre Takacs
ID: 38749219
I have 3 GPOs and 3 GUID folders:
 Le volume dans le lecteur C s'appelle PDC-System
 Le numéro de série du volume est CC56-7B44

 Répertoire de C:\WINDOWS\SYSVOL\domain\Policies

06.01.2013  22:31    <REP>          .
06.01.2013  22:31    <REP>          ..
02.07.2006  22:28    <REP>          {31B2F340-016D-11D2-945F-00C04FB984F9}
02.07.2006  20:26    <REP>          {6AC1786C-016F-11D2-945F-00C04fB984F9}
06.01.2013  13:06    <REP>          {DB7AC36A-A2C6-4937-B8F4-43F4D0F752A4}
               0 fichier(s)                0 octets
               5 Rép(s)  33'718'280'192 octets libres


Open in new window

Note the presence of the supposedly missing GUID...

The bad news is that it seems that this issue is not new and that there is no readily available valid backup for this folder. Will have to dig into offsite archived tapes... Is there any alternative here (I'm happy to ditch that GPO and restart from scratch) ?
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38749237

Above two folders represents Default Domain policy and default Domain controllers policy and can be recreated with default settings .....using dcgpofix a last sort

Do you have any events in File replication logs I would ask you first perform authoritative restore using below steps if it resolves your issue then its good ...if it doesn't then just run dcgpofix from command line and your DDP and DDCP will be created with default settings

Restore steps:-

first check that you have proper Connection objects has been created in Sites and Services

Browse \\WorkingDC.domain.local copy sysvol & netlogon and keep backup on ProblemDC &  WorkingDC (If can not browse check network connectivity/Port and don't proceed further)

Go to PDC  stop NTFRS service open regedit and go to "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup" change the burflag value to D4 Start NTFRS(File Replication service) service and wait for File Replication event ID 13516 now Go to BDC  stop NTFRS service open regedit go to "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at <samp>Startup" change the burflag value to D2 -> Start NTFRS(File Replication service) service and wait for File Replication event ID 13516 now

Check Now your sysvol and netlogon shares are available

Above is called Authoritive(D4) and non-Authoritive Restore (D2)

Refer for more info

Author Comment

by:Alexandre Takacs
ID: 38749267
Thanks - learning more than I expected on NTFRS.

I have decided to go nuclear and to use dcgpofix. However it wont work...


Vous êtes sur le point de restaurer la stratégie de domaine par défaut et la st
atégie par défaut des contrôleurs de domaine du domaine suivant
Voulez-vous continuer: <O/N>? o
AVERTISSEMENT : Cette opération remplacera toutes les "attributions de droits u
ilisateur" exécutées dans les objets de stratégie de groupe choisis. Cela peut
ntraîner l'échec de certaines applications serveur. Voulez-vous continuer: <O/N
? O
Impossible d'ouvrir l'objet Active Directory LDAP://CN={31B2F340-016D-11D2-945F
La restauration a échoué. Consultez les messages précédents pour obtenir plus de


Open in new window

Not happy with the Default Domain policy apparently (can't open object {31B2F340-016D-11D2-945F00C04FB984F9}) ...

Any idea ?
LVL 18

Accepted Solution

Sarang Tinguria earned 500 total points
ID: 38749290
Before performing below steps run
dcgpofix /ignoreschema if this works then thats great if doesn't you will have to follow output of below technet forum

Output of Technet Forum:-

1. Launch LDP.exe and bind to the DS server you want to modify. Make sure you are
 schema admin.
 2. After connecting and binding navigate to the browse menu and select the "Modify" option.
 3. Leave the DN blank, type 'schemaUpgradeInProgress' into the Attribute field and in the values field type 1.
 4. Click the Add operation and then click the enter button. This will add this command to the entry list.
 5. Click the Run button. If you are successful you should see a successful modify message.
 6. Go to View -> Tree. Connect to the appropriate base DN.
 7. Find the mangled {31B2F340-016D-11D2-945F-00C04FB984F9}, group policy object, right click and select modify
 8. In the attribute field, type "systemflags"
 9. In the Values field, leave it blank
 10. In the operation radio options, select delete
 11. Then click Enter, then click Run to remove the system flags values
 12. Once the systemflags value is removed, we can rename the {31B2F340-016D-11D2-945F-00C04FB984F9}, object using LDAP and create another groupPolicyContainer Object using ADSIEdit and create User and Machine Container objects within it.
 13. Run dcgpofix /target:domain.
 14. Now we can restore the value of systemflags to the default value for a system owned object.
 15. Using LDP, restore the value of 'schemaUpgradeInProgress' value back to the default of 0.
++After that we were able to link the restore the default domain policy to the domain.

Referred from

Author Comment

by:Alexandre Takacs
ID: 38833953
I finally managed to repair my AD by recreating some missing entries manually. Fortunately I had another very similar setup so I could infer the values to enter from it.

Featured Post

[Webinar] Learn How Hackers Steal Your Credentials

Do You Know How Hackers Steal Your Credentials? Join us and Skyport Systems to learn how hackers steal your credentials and why Active Directory must be secure to stop them. Thursday, July 13, 2017 10:00 A.M. PDT

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

632 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question