1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

GPOs not Applying

Discussion in 'Windows Server' started by parrot1553, May 11, 2017.

Advertisement
  1. parrot1553

    parrot1553 Thread Starter

    Joined:
    May 11, 2017
    Messages:
    8
    Hello,

    I have a few GPOs linked into OUs,but none of them apply.If I run gpresult /r on one of the client computers I get this:



    The processing of Group Policy failed. Windows could not apply the registry-base
    d policy settings for the Group Policy object LDAP://CN=User,cn={FDF06D2C-782F-4
    498-8A4C-18342880CFC2},cn=policies,cn=system,DC=gimo,DC=local. Group Policy sett
    ings will not be resolved until this event is resolved. View the event details f
    or more information on the file name and path that caused the failure.
    Computer policy could not be updated successfully. The following errors were enc
    ountered:

    The processing of Group Policy failed. Windows could not evaluate the Windows Ma
    nagement Instrumentation (WMI) filter for the Group Policy object cn={EAF42392-3
    29D-4219-81F7-A17F1F64E499},cn=policies,cn=system,DC=gimo,DC=local. This could b
    e caused by RSOP being disabled or Windows Management Instrumentation (WMI) ser
    vice being disabled, stopped, or other WMI errors. Make sure the WMI service is
    started and the startup type is set to automatic. New Group Policy objects or se
    ttings will not process until this event has been resolved.
    [​IMG]
    [​IMG]





    How can I solve this?

    Thanks
     
  2. Sponsor

  3. lochlomonder

    lochlomonder

    Joined:
    Jul 24, 2015
    Messages:
    1,395
    Have a look here first and foremost. Also, try running gpupdate /force from the CLI and see what feedback this gives you. It's also worthwhile checking in the Event Viewer system log of an affected workstation, after running that command, to see if it'll shed any more light on the matter for you.
     
  4. parrot1553

    parrot1553 Thread Starter

    Joined:
    May 11, 2017
    Messages:
    8
    sorry I meant gpupdate /force ,not result.Thats what give me the error.However I checked the event log and these are the errors:
    A Kerberos Error Message was received:
    on logon session
    Client Time:
    Server Time: 0:15:12.0000 5/13/2017 Z
    Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
    Extended Error:
    Client Realm:
    Client Name:
    Server Realm: GIMO.LOCAL
    Server Name: DNS/auth1.dns.cogentco.com
    Target Name: [email protected]
    Error Text:
    File: 9
    Line: f0a
    Error Data is in record data.

    A Kerberos Error Message was received:
    on logon session GIMO.LOCAL\pc000129$
    Client Time:
    Server Time: 23:6:24.0000 5/12/2017 Z
    Error Code: 0x19 KDC_ERR_PREAUTH_REQUIRED
    Extended Error:
    Client Realm:
    Client Name:
    Server Realm: GIMO.LOCAL
    Server Name: krbtgt/GIMO.LOCAL
    Target Name: [email protected]
    Error Text:
    File: e
    Line: a05
    Error Data is in record data.

    How do I fix this?
     
  5. peterh40

    peterh40 Peter

    Joined:
    Apr 15, 2007
    Messages:
    1,338
    Check the time on your PC is <=5 mins of the time on the main PDC server.
    Make sure that your PC can talk to the PDC over the network.
    Check to see if you can browse to \\pdc-server\sysvol share.
     
  6. parrot1553

    parrot1553 Thread Starter

    Joined:
    May 11, 2017
    Messages:
    8
    Time is same.I can browse the sysvol share.
     
  7. peterh40

    peterh40 Peter

    Joined:
    Apr 15, 2007
    Messages:
    1,338
    Are you using Kerberos Authentication in your domain?
    Check for duplicate SPN entries - use SETSPN.exe /X to locate them.
     
  8. parrot1553

    parrot1553 Thread Starter

    Joined:
    May 11, 2017
    Messages:
    8
    I don't know.Isnt kerberos used by default on a domain?
    I have disabled kerberos authentication via properties->account tab in AD for my user.
    I also ran SetSPN command and it found 0 duplicated.
    Also ran wmi repository verify check,came out with"consistent".

    I am at a loss here at whats going on.I don't know what previous IT guys have done,but the system has been set up long ago.I can't afford to experiment as there are 300+ people on the domain.
     
  9. peterh40

    peterh40 Peter

    Joined:
    Apr 15, 2007
    Messages:
    1,338
    If you have access to the AD tools, load up Active Directory Users and Computers console from Administrative Tools on your PC and use Find to search for your Computer account and User account to see where they are in the domain. If the computer accounts is in the default Computers container, then you need to moving to the correct place for your department.

    How to use AD Users and Computers
     
  10. parrot1553

    parrot1553 Thread Starter

    Joined:
    May 11, 2017
    Messages:
    8
    Hi,The GPOs are linked in the correct OUs (GPO with user configuration in the OU with users,GPO with Computer Configuration in the OU with computers).

    So after further investigation.It seems like when I remove the GPO that gives me the error when I run gpupdate /force ,the command completes successfully.So it seems the GPO itself is corrupt,however,when I create a new GPO it automatically becomes corrupt.What is most likely causing this issue? I ran a quick chkdsk and it showed no errors,I'd have to turn server off for a more thorough test but I'd prefer to avoid that.
     
  11. peterh40

    peterh40 Peter

    Joined:
    Apr 15, 2007
    Messages:
    1,338
  12. parrot1553

    parrot1553 Thread Starter

    Joined:
    May 11, 2017
    Messages:
    8
    clearing out the gpo cache on 200 computers?
     
  13. lochlomonder

    lochlomonder

    Joined:
    Jul 24, 2015
    Messages:
    1,395
    Not necessarily 200. Start with 1 as your baseline and then see if this sorts the issue.

    It's not necessarily corrupt per se, but perhaps what you're trying to achieve with the GPO is causing issues. Have you used RSoP before on any of the client workstations to see what results this will yield?
     
  14. parrot1553

    parrot1553 Thread Starter

    Joined:
    May 11, 2017
    Messages:
    8
  15. lochlomonder

    lochlomonder

    Joined:
    Jul 24, 2015
    Messages:
    1,395
    Looking at the Registry error, I'm wondering if there's an issue with writing to the Registry (possibly a permissions issue). From the report: "Additional information may have been logged. Review the Policy Events tab in the console or the application event log for events between 24/05/2017 17:09:21 and 24/05/2017 17:09:21." Have a look in Event Viewer, Windows Logs, Application and see what shows up on one of the affected PCs showing the time frame I noted in bold.

    In addition to gleaning more information, run this command from the CLI on one of the affected workstations: gpresult /z > %userprofile%\desktop\gpresult.txt. This will create a text file on the logged-on user's desktop which provides information on the Computer and User settings applied by GPOs, and this may shed some more light on the issue.

    If you could remove personal information from it such as the domain name and post it back here, I'll have a look over that as well.
     
  16. parrot1553

    parrot1553 Thread Starter

    Joined:
    May 11, 2017
    Messages:
    8
    Hi,

    I think its pretty obvious but I changed the domain name to "hidden" .I couldn't possible change it everywhere its too much.

    anyhow,heres the gpresult export and also the event log.All these are from my computer,which is just one of the many in the domain that don't get any new GPOs applied.Currently its not working for any computers ,so I am 100% sure its the server.Active directory however is working fine and new computers can join the network and log in with domain accounts.

    Hope it helps!
     

    Attached Files:

  17. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Similar Threads - GPOs Applying
  1. Edmondo
    Replies:
    0
    Views:
    384

Short URL to this thread: https://techguy.org/1189779