Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


GPO object missing - how do I clean up ?

Posted on 2013-01-06
Medium Priority
Last Modified: 2013-01-29

W2k3 server problem at login - apparently there is something wrong with the GPOs (missing one or more GPO objects)

(sorry the server in in French locale but I'm sure you get the gist of it
Type de l'événement :	Erreur
Source de l'événement :	Userenv
Catégorie de l'événement :	Aucun
ID de l'événement :	1058
Date :		06.01.2013
Heure :		19:08:06
Ordinateur :	MY-PDC
Description :
Windows ne peut pas accéder au fichier gpt.ini pour l'objet Stratégie de groupes CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=mydomain,DC=local. Le fichier doit être présent à l'emplacement <\\mydomain.local\sysvol\mydomain.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\gpt.ini>. (Le fichier spécifié est introuvable. ).  Le traitement de la stratégie de groupe est interrompu

Open in new window

Basically it would seem some of the gpt.ini files are missing and as such the processing of the GPO can not take place.
My question is what is the best way to solve this ? I can't really locate the offending GPO in the the MMC editor as far as I can tell....
Question by:Alexandre Takacs
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38748879
If you have valid sysvol backup the restore the folder named {6AC1786C-016F-11D2-945F-00C04fB984F9} to C:\windows\sysvol\domain.local\policies to same location

How many DC's do you have ?
If only one then follow above method
If multiple then check other DC's sysvol folders if above folder stored on anyother DC if yes then copy the same to culprit server

Author Comment

by:Alexandre Takacs
ID: 38749153

Having two DC (PDC and BDC).

Actually both have the "missing" folder in SYSVOL and it does contains a GPT.INI file...

LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38749188
restore from backup

BTW GPT.ini file reside under GUID folder if the GUID folder is missing then you won't get gpt.ini too..where are you looking at can you provide the path...... also let me know how many GPO's you have configured and how many GUID folders you can see?
10 Questions to Ask when Buying Backup Software

Choosing the right backup solution for your organization can be a daunting task. To make the selection process easier, ask solution providers these 10 key questions.


Author Comment

by:Alexandre Takacs
ID: 38749219
I have 3 GPOs and 3 GUID folders:
 Le volume dans le lecteur C s'appelle PDC-System
 Le numéro de série du volume est CC56-7B44

 Répertoire de C:\WINDOWS\SYSVOL\domain\Policies

06.01.2013  22:31    <REP>          .
06.01.2013  22:31    <REP>          ..
02.07.2006  22:28    <REP>          {31B2F340-016D-11D2-945F-00C04FB984F9}
02.07.2006  20:26    <REP>          {6AC1786C-016F-11D2-945F-00C04fB984F9}
06.01.2013  13:06    <REP>          {DB7AC36A-A2C6-4937-B8F4-43F4D0F752A4}
               0 fichier(s)                0 octets
               5 Rép(s)  33'718'280'192 octets libres


Open in new window

Note the presence of the supposedly missing GUID...

The bad news is that it seems that this issue is not new and that there is no readily available valid backup for this folder. Will have to dig into offsite archived tapes... Is there any alternative here (I'm happy to ditch that GPO and restart from scratch) ?
LVL 18

Expert Comment

by:Sarang Tinguria
ID: 38749237

Above two folders represents Default Domain policy and default Domain controllers policy and can be recreated with default settings .....using dcgpofix a last sort

Do you have any events in File replication logs I would ask you first perform authoritative restore using below steps if it resolves your issue then its good ...if it doesn't then just run dcgpofix from command line and your DDP and DDCP will be created with default settings

Restore steps:-

first check that you have proper Connection objects has been created in Sites and Services

Browse \\WorkingDC.domain.local copy sysvol & netlogon and keep backup on ProblemDC &  WorkingDC (If can not browse check network connectivity/Port and don't proceed further)

Go to PDC  stop NTFRS service open regedit and go to "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup" change the burflag value to D4 Start NTFRS(File Replication service) service and wait for File Replication event ID 13516 now Go to BDC  stop NTFRS service open regedit go to "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at <samp>Startup" change the burflag value to D2 -> Start NTFRS(File Replication service) service and wait for File Replication event ID 13516 now

Check Now your sysvol and netlogon shares are available

Above is called Authoritive(D4) and non-Authoritive Restore (D2)

Refer for more info

Author Comment

by:Alexandre Takacs
ID: 38749267
Thanks - learning more than I expected on NTFRS.

I have decided to go nuclear and to use dcgpofix. However it wont work...


Vous êtes sur le point de restaurer la stratégie de domaine par défaut et la st
atégie par défaut des contrôleurs de domaine du domaine suivant
Voulez-vous continuer: <O/N>? o
AVERTISSEMENT : Cette opération remplacera toutes les "attributions de droits u
ilisateur" exécutées dans les objets de stratégie de groupe choisis. Cela peut
ntraîner l'échec de certaines applications serveur. Voulez-vous continuer: <O/N
? O
Impossible d'ouvrir l'objet Active Directory LDAP://CN={31B2F340-016D-11D2-945F
La restauration a échoué. Consultez les messages précédents pour obtenir plus de


Open in new window

Not happy with the Default Domain policy apparently (can't open object {31B2F340-016D-11D2-945F00C04FB984F9}) ...

Any idea ?
LVL 18

Accepted Solution

Sarang Tinguria earned 1500 total points
ID: 38749290
Before performing below steps run
dcgpofix /ignoreschema if this works then thats great if doesn't you will have to follow output of below technet forum

Output of Technet Forum:-

1. Launch LDP.exe and bind to the DS server you want to modify. Make sure you are
 schema admin.
 2. After connecting and binding navigate to the browse menu and select the "Modify" option.
 3. Leave the DN blank, type 'schemaUpgradeInProgress' into the Attribute field and in the values field type 1.
 4. Click the Add operation and then click the enter button. This will add this command to the entry list.
 5. Click the Run button. If you are successful you should see a successful modify message.
 6. Go to View -> Tree. Connect to the appropriate base DN.
 7. Find the mangled {31B2F340-016D-11D2-945F-00C04FB984F9}, group policy object, right click and select modify
 8. In the attribute field, type "systemflags"
 9. In the Values field, leave it blank
 10. In the operation radio options, select delete
 11. Then click Enter, then click Run to remove the system flags values
 12. Once the systemflags value is removed, we can rename the {31B2F340-016D-11D2-945F-00C04FB984F9}, object using LDAP and create another groupPolicyContainer Object using ADSIEdit and create User and Machine Container objects within it.
 13. Run dcgpofix /target:domain.
 14. Now we can restore the value of systemflags to the default value for a system owned object.
 15. Using LDP, restore the value of 'schemaUpgradeInProgress' value back to the default of 0.
++After that we were able to link the restore the default domain policy to the domain.

Referred from

Author Comment

by:Alexandre Takacs
ID: 38833953
I finally managed to repair my AD by recreating some missing entries manually. Fortunately I had another very similar setup so I could infer the values to enter from it.

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question