Go Premium for a chance to win a PS4. Enter to Win


GPO object missing - how do I clean up ?

Posted on 2013-01-06
Medium Priority
Last Modified: 2013-01-29

W2k3 server problem at login - apparently there is something wrong with the GPOs (missing one or more GPO objects)

(sorry the server in in French locale but I'm sure you get the gist of it
Type de l'événement :	Erreur
Source de l'événement :	Userenv
Catégorie de l'événement :	Aucun
ID de l'événement :	1058
Date :		06.01.2013
Heure :		19:08:06
Ordinateur :	MY-PDC
Description :
Windows ne peut pas accéder au fichier gpt.ini pour l'objet Stratégie de groupes CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=mydomain,DC=local. Le fichier doit être présent à l'emplacement <\\mydomain.local\sysvol\mydomain.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\gpt.ini>. (Le fichier spécifié est introuvable. ).  Le traitement de la stratégie de groupe est interrompu

Open in new window

Basically it would seem some of the gpt.ini files are missing and as such the processing of the GPO can not take place.
My question is what is the best way to solve this ? I can't really locate the offending GPO in the the MMC editor as far as I can tell....
Question by:Alexandre Takacs
  • 4
  • 4
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38748879
If you have valid sysvol backup the restore the folder named {6AC1786C-016F-11D2-945F-00C04fB984F9} to C:\windows\sysvol\domain.local\policies to same location

How many DC's do you have ?
If only one then follow above method
If multiple then check other DC's sysvol folders if above folder stored on anyother DC if yes then copy the same to culprit server

Author Comment

by:Alexandre Takacs
ID: 38749153

Having two DC (PDC and BDC).

Actually both have the "missing" folder in SYSVOL and it does contains a GPT.INI file...

LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38749188
restore from backup

BTW GPT.ini file reside under GUID folder if the GUID folder is missing then you won't get gpt.ini too..where are you looking at can you provide the path...... also let me know how many GPO's you have configured and how many GUID folders you can see?
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.


Author Comment

by:Alexandre Takacs
ID: 38749219
I have 3 GPOs and 3 GUID folders:
 Le volume dans le lecteur C s'appelle PDC-System
 Le numéro de série du volume est CC56-7B44

 Répertoire de C:\WINDOWS\SYSVOL\domain\Policies

06.01.2013  22:31    <REP>          .
06.01.2013  22:31    <REP>          ..
02.07.2006  22:28    <REP>          {31B2F340-016D-11D2-945F-00C04FB984F9}
02.07.2006  20:26    <REP>          {6AC1786C-016F-11D2-945F-00C04fB984F9}
06.01.2013  13:06    <REP>          {DB7AC36A-A2C6-4937-B8F4-43F4D0F752A4}
               0 fichier(s)                0 octets
               5 Rép(s)  33'718'280'192 octets libres


Open in new window

Note the presence of the supposedly missing GUID...

The bad news is that it seems that this issue is not new and that there is no readily available valid backup for this folder. Will have to dig into offsite archived tapes... Is there any alternative here (I'm happy to ditch that GPO and restart from scratch) ?
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38749237

Above two folders represents Default Domain policy and default Domain controllers policy and can be recreated with default settings .....using dcgpofix ...as a last sort

Do you have any events in File replication logs I would ask you first perform authoritative restore using below steps if it resolves your issue then its good ...if it doesn't then just run dcgpofix from command line and your DDP and DDCP will be created with default settings

Restore steps:-

first check that you have proper Connection objects has been created in Sites and Services

Browse \\WorkingDC.domain.local copy sysvol & netlogon and keep backup on ProblemDC &  WorkingDC (If can not browse check network connectivity/Port and don't proceed further)

Go to PDC  stop NTFRS service open regedit and go to "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup" change the burflag value to D4 Start NTFRS(File Replication service) service and wait for File Replication event ID 13516 now Go to BDC  stop NTFRS service open regedit go to "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at <samp>Startup" change the burflag value to D2 -> Start NTFRS(File Replication service) service and wait for File Replication event ID 13516 now

Check Now your sysvol and netlogon shares are available

Above is called Authoritive(D4) and non-Authoritive Restore (D2)

Refer http://support.microsoft.com/kb/257338 for more info

Author Comment

by:Alexandre Takacs
ID: 38749267
Thanks - learning more than I expected on NTFRS.

I have decided to go nuclear and to use dcgpofix. However it wont work...


Vous êtes sur le point de restaurer la stratégie de domaine par défaut et la st
atégie par défaut des contrôleurs de domaine du domaine suivant
Voulez-vous continuer: <O/N>? o
AVERTISSEMENT : Cette opération remplacera toutes les "attributions de droits u
ilisateur" exécutées dans les objets de stratégie de groupe choisis. Cela peut
ntraîner l'échec de certaines applications serveur. Voulez-vous continuer: <O/N
? O
Impossible d'ouvrir l'objet Active Directory LDAP://CN={31B2F340-016D-11D2-945F
La restauration a échoué. Consultez les messages précédents pour obtenir plus de


Open in new window

Not happy with the Default Domain policy apparently (can't open object {31B2F340-016D-11D2-945F00C04FB984F9}) ...

Any idea ?
LVL 18

Accepted Solution

Sarang Tinguria earned 1500 total points
ID: 38749290
Before performing below steps run
dcgpofix /ignoreschema if this works then thats great if doesn't you will have to follow output of below technet forum

Output of Technet Forum:-

1. Launch LDP.exe and bind to the DS server you want to modify. Make sure you are
 schema admin.
 2. After connecting and binding navigate to the browse menu and select the "Modify" option.
 3. Leave the DN blank, type 'schemaUpgradeInProgress' into the Attribute field and in the values field type 1.
 4. Click the Add operation and then click the enter button. This will add this command to the entry list.
 5. Click the Run button. If you are successful you should see a successful modify message.
 6. Go to View -> Tree. Connect to the appropriate base DN.
 7. Find the mangled {31B2F340-016D-11D2-945F-00C04FB984F9}, group policy object, right click and select modify
 8. In the attribute field, type "systemflags"
 9. In the Values field, leave it blank
 10. In the operation radio options, select delete
 11. Then click Enter, then click Run to remove the system flags values
 12. Once the systemflags value is removed, we can rename the {31B2F340-016D-11D2-945F-00C04FB984F9}, object using LDAP and create another groupPolicyContainer Object using ADSIEdit and create User and Machine Container objects within it.
 13. Run dcgpofix /target:domain.
 14. Now we can restore the value of systemflags to the default value for a system owned object.
 15. Using LDP, restore the value of 'schemaUpgradeInProgress' value back to the default of 0.
++After that we were able to link the restore the default domain policy to the domain.

Referred from http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/83be0512-6163-4cd0-a676-9447afce6e77

Author Comment

by:Alexandre Takacs
ID: 38833953
I finally managed to repair my AD by recreating some missing entries manually. Fortunately I had another very similar setup so I could infer the values to enter from it.

Featured Post

Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question