When you try to update Group Policy settings on a computer using the gpupdate /force command, you could receive the following error:
User policy could not be updated successfully. The following errors were encountered.
The processing of Group Policy failed. Windows attempted to read the file \\domain.local\SysVol\domain.local\Policies\{Policy_GUID}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved.
This issue may be transient and could be caused by one or more of the following:
- Name Resolution/Network Connectivity issues with the current domain controller;
- Distributed File System (DFS)/File Replication Service (FRS) latency (a file created on another domain controller has not been replicated to the current domain controller);
- The DFS client has been disabled.
You may encounter this error not only when you manually run gpupdate /force, but also after running the dcdiag command, or in the Event Viewer (Event ID 1058, source GroupPolicy) when a user logs in. In some cases, when this error appears, you also won’t be able to open shared network folders or domain DFS resources, and get the error “The network path was not found”.
The error can occur both on desktops (Windows 11, 10, 8.1, 7) and on Windows Server 2022/2019/2016/2012 R2/2008 R2.
First, make sure the file \\domain.local\SysVol\domain.local\Policies\{Policy_GUID}\gpt.ini exists on the domain controller the client is using (its logon server). If gpt.ini is missing, the GPO is most likely corrupted, or its folder was deleted from SYSVOL while the GPO object still exists in Active Directory. You can find the name of the GPO by its GUID with the following PowerShell command from the GroupPolicy module (the GUID must be quoted, otherwise PowerShell parses the braces as a script block):
Get-GPO -Guid "{Policy_GUID}" | Select-Object DisplayName
Recreate the policy, or copy its folder from a domain controller that still has it and let SYSVOL replication finish.
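The check above covers one GPO on one DC. The following script is an added example (not part of the original article) that does the same for every GPO on every domain controller, querying each DC’s own SYSVOL share rather than the domain DFS path so that replication lag between DCs becomes visible, and also lists policy folders in SYSVOL that have no matching GPO object. It assumes the RSAT ActiveDirectory and GroupPolicy modules on a domain-joined machine.

```powershell
# Added example (not part of the original article). For every GPO in the domain, check that
# its gpt.ini exists on every domain controller's SYSVOL share and report the display name
# of any GPO that is missing somewhere, plus policy folders with no matching GPO object.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules on a domain-joined machine.
Import-Module ActiveDirectory, GroupPolicy

$domain = (Get-ADDomain).DNSRoot
$dcs    = (Get-ADDomainController -Filter *).HostName
$gpos   = Get-GPO -All

$missing = foreach ($gpo in $gpos) {
    # SYSVOL folder names are the GPO GUID in braces, e.g. {31B2F340-016D-11D2-945F-00C04FB984F9}
    $guid = '{' + $gpo.Id.ToString().ToUpper() + '}'
    foreach ($dc in $dcs) {
        # Query each DC's own share rather than \\domain\SysVol: the domain DFS path hides
        # which DC you land on, so replication lag between DCs would go unnoticed.
        $path = "\\$dc\SYSVOL\$domain\Policies\$guid\gpt.ini"
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ GPO = $gpo.DisplayName; Guid = $guid; DC = $dc; Path = $path }
        }
    }
}

# Orphaned folders: a GUID directory in SYSVOL with no GPO object in AD.
$known   = $gpos.Id | ForEach-Object { '{' + $_.ToString().ToUpper() + '}' }
$orphans = foreach ($dc in $dcs) {
    Get-ChildItem -LiteralPath "\\$dc\SYSVOL\$domain\Policies" -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^\{[0-9A-F-]{36}\}$' -and $_.Name.ToUpper() -notin $known } |
        ForEach-Object { [pscustomobject]@{ DC = $dc; Folder = $_.Name } }
}

Write-Host "Checked $($gpos.Count) GPOs on $($dcs.Count) DCs: $(@($missing).Count) missing gpt.ini, $(@($orphans).Count) orphaned folders"
$missing | Format-Table -AutoSize
$orphans | Format-Table -AutoSize
```

A GPO that is missing on only one DC points at replication (the next section); one missing everywhere needs a restore or re-creation. An orphaned folder is harmless to clients but usually means a GPO was deleted in AD without cleaning SYSVOL.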
Hint. If the policy files are missing on all domain controllers, you can restore the GPO from a backup (Restore-GPO or the Group Policy Management Console). If the Default Domain Policy or Default Domain Controllers Policy files are missing and no backup is available, you can recreate both default policies with their default settings using the dcgpofix tool (note that any customizations made to these two policies are lost).
You can use the following dcgpofix commands to reset your Default Domain Policy and/or Default Domain Controllers Policy GPO to their default settings:
- Reset the Default Domain GPO:
dcgpofix /target:Domain
- Reset the Default Domain Controllers GPO:
dcgpofix /target:DC
- Reset both the Default Domain and DC GPOs:
dcgpofix /target:both
The second thing to check is the Event Viewer on the domain controller. Look in the File Replication Service log for the journal wrap error, which stops FRS from replicating SYSVOL between domain controllers.
The error usually looks like this:
Event ID 13568: The File Replication Service has detected that the replica set “DOMAIN SYSTEM VOLUME (SYSVOL SHARE)” is in JRNL_WRAP_ERROR
This error indicates that the SYSVOL replica on that DC is out of date or corrupted, in domains where SYSVOL is still replicated by legacy FRS rather than DFS Replication (DFS-R). FRS is deprecated: Windows Server 2019 and later cannot be promoted to a domain controller in a domain that still uses FRS for SYSVOL, so plan the FRS-to-DFS-R migration once the immediate problem is fixed. Compare the contents of the folder \\DC_name\sysvol\domain.local\Policies on the problem domain controller with the same folder on another DC. You can force the SYSVOL folder to synchronize from another DC.
Microsoft’s solution is to let FRS automatically re-initialize the SYSVOL replica on the problem DC from another DC:
- Open the Registry Editor (regedit.exe);
- Go to the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters;
- Create (or change) a DWORD value named “Enable Journal Wrap Automatic Restore” and set it to 1;
- Restart the NTFRS service:
net stop ntfrs && net start ntfrs
- Verify that the following events appear in the File Replication Service log:
Event ID 13553 — The File Replication Service successfully added this computer to the following replica set: “DOMAIN SYSTEM VOLUME (SYSVOL SHARE)”;
Event ID 13554 — The File Replication Service successfully added the connections shown below to the replica set: “DOMAIN SYSTEM VOLUME (SYSVOL SHARE)”;
- Wait a while. After successful replication the following event should appear:
Event ID 13516 — The File Replication Service is no longer preventing the computer DC from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL;
- Now set the value Enable Journal Wrap Automatic Restore back to 0 (if you leave it enabled, a future journal wrap re-initializes SYSVOL without any administrator noticing);
- Make sure that the NETLOGON and SYSVOL shared folders are accessible on the domain controller.
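The same procedure as a script, added here as an example and not taken from the original article or from Microsoft. It is meant to be run in an elevated PowerShell session on the affected domain controller, assumes SYSVOL is still replicated by FRS (the NtFrs service exists), and waits for the 13553/13554/13516 events before turning automatic restore off again.

```powershell
# Added example (not part of the original article): the journal wrap recovery steps above,
# run from an elevated PowerShell session on the affected domain controller.
# Assumes SYSVOL is still replicated by FRS (NtFrs service present).
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
$frsLog = 'File Replication Service'

if (-not (Get-Service NtFrs -ErrorAction SilentlyContinue)) {
    throw 'NtFrs service not found: this DC uses DFS-R for SYSVOL, so journal wrap recovery does not apply.'
}

# Confirm the JRNL_WRAP_ERROR event (13568) was actually logged before changing anything.
$wrap = Get-WinEvent -FilterHashtable @{LogName=$frsLog; Id=13568} -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $wrap) { Write-Warning 'No 13568 (journal wrap) event found; verify the symptom before continuing.' }

$start = Get-Date
Set-ItemProperty -Path $params -Name 'Enable Journal Wrap Automatic Restore' -Value 1 -Type DWord
Restart-Service NtFrs -Force

# Wait (up to 30 minutes) for 13553/13554 (rejoined replica set) and 13516 (SYSVOL ready).
$wanted = @(13553, 13554, 13516)
$seen   = @{}
do {
    Start-Sleep -Seconds 30
    Get-WinEvent -FilterHashtable @{LogName=$frsLog; Id=$wanted; StartTime=$start} -ErrorAction SilentlyContinue |
        ForEach-Object { $seen[$_.Id] = $_.TimeCreated }
} until ($seen.ContainsKey(13516) -or ((Get-Date) - $start).TotalMinutes -gt 30)

if ($seen.ContainsKey(13516)) {
    # Turn automatic restore off again so a future wrap is not silently re-initialised.
    Set-ItemProperty -Path $params -Name 'Enable Journal Wrap Automatic Restore' -Value 0 -Type DWord
    Get-SmbShare -Name SYSVOL, NETLOGON | Format-Table Name, Path -AutoSize
} else {
    Write-Warning "Event 13516 not seen within 30 minutes; events so far: $($seen.Keys -join ', ')"
}
```

On a large SYSVOL the re-initialization can take longer than 30 minutes; if the script times out, keep watching the File Replication Service log and reset the value to 0 by hand once 13516 appears.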
If there is no journal wrap error in the File Replication Service log on the domain controller (or the domain already uses DFS-R for SYSVOL), go back to the client: open the services management console (services.msc) and check that the “TCP/IP NetBIOS Helper” service is running and its startup type is set to Automatic.
The “processing of Group Policy failed” error may also be caused by DNS problems or by the domain controller itself. Use nslookup and ping (or the Resolve-DnsName and Test-Connection cmdlets) to check that your DNS server (usually a domain controller) is reachable and responding. You can find out which domain controller authenticated the computer with the command:
systeminfo | find "Logon Server"
The same name is available in the $env:LOGONSERVER environment variable. In this article the DC is called xxx-dc01.
If the command returns N/A, the computer could not reach any domain controller at logon (for example, it logged on with cached credentials).
Check the availability of the domain controller with the commands:
ping xxx-dc01
nslookup xxx-dc01
Make sure both commands return a successful response. Try to reset the DNS resolver cache on affected computers:
ipconfig /flushdns
Check that the DC locator can find a domain controller over RPC with the command:
nltest /dsgetdc:yourdomain.com
Tip. Also check Active Directory health (dcdiag) and AD replication (repadmin /replsummary) on the domain controllers.
Hint. To resolve common RPC errors on Windows, see the post “The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)”.
Try to open the list of shared folders on the DC: press WIN+R, type \\xxx-dc01 and press Enter.
You should see a list of shares on your domain controller, including NETLOGON and SYSVOL.
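The checks in this section, collected into one script as an added example (not part of the original article). It assumes a domain-joined client, where Windows sets $env:LOGONSERVER and $env:USERDNSDOMAIN at logon, and uses the Default Domain Policy GUID, which is the same in every domain, to read a real gpt.ini through the DFS path the way the Group Policy client does.

```powershell
# Added example (not part of the original article). Runs the DC reachability checks from this
# section in one go. Assumes a domain-joined client ($env:LOGONSERVER / $env:USERDNSDOMAIN set by
# Windows at logon); the Default Domain Policy GUID used below is the same in every domain.
$dc     = $env:LOGONSERVER.TrimStart('\')
$domain = $env:USERDNSDOMAIN
if (-not $dc -or -not $domain) { throw 'No domain logon server recorded: the computer did not reach a DC at logon (cached logon?)' }

$checks = [ordered]@{}

# Name resolution: the DC host record and the SRV records clients use to locate DCs.
$checks['DNS A record']   = [bool](Resolve-DnsName -Name $dc -Type A -DnsOnly -ErrorAction SilentlyContinue)
$checks['DNS SRV record'] = [bool](Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -DnsOnly -ErrorAction SilentlyContinue)
$checks['ICMP ping']      = Test-Connection -ComputerName $dc -Count 2 -Quiet

# DC locator over RPC (what nltest /dsgetdc does); the tool prints a success line on the last row.
$nltest = & nltest "/dsgetdc:$domain" 2>&1
$checks['nltest /dsgetdc'] = [bool]($nltest | Select-String 'The command completed successfully')

# SMB shares every client needs for policy processing.
foreach ($share in 'SYSVOL', 'NETLOGON') {
    $checks["SMB \\$dc\$share"] = Test-Path -LiteralPath "\\$dc\$share"
}

# Read the Default Domain Policy gpt.ini through the domain DFS path, exactly as the Group Policy
# client does; a working read proves DFS referral + SMB access, not just that the share exists.
$gpt = "\\$domain\SysVol\$domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini"
$checks['gpt.ini read via DFS'] = [bool](Get-Content -LiteralPath $gpt -ErrorAction SilentlyContinue | Select-String '^Version=')

foreach ($c in $checks.GetEnumerator()) {
    '{0,-24} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'FAIL' })
}
if (-not $checks['DNS A record']) { 'Hint: run ipconfig /flushdns and verify that the DNS servers in ipconfig /all point at a DC' }
```

Read the results top to bottom: a DNS failure explains everything below it, a passing ping with a failing nltest points at RPC/firewall, and passing SMB with a failing DFS read points at the DFS client or the domain DFS referral rather than the DC.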
If the DC is available:
- Check that the computer account is enabled in Active Directory;
- Delete the file C:\Windows\System32\GroupPolicy\Machine\Registry.pol (this is the registry part of the Local Group Policy; it is rebuilt on the next policy refresh, but any registry settings you configured locally with gpedit.msc are lost);
- Restart the computer.
After that, run gpupdate /force again; it should now complete successfully:
User Policy update has completed successfully.
Computer Policy update has completed successfully.
Group Policy Processing Failed: Lack of Network Connectivity to a DC
Another common error when applying a GPO:
Computer policy could not be updated successfully. The following errors were encountered:
The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.
First, check if there is a connection to the domain controller as described in the previous section.
If the error “The processing of Group Policy failed because of lack of network connectivity to a domain controller” (Event ID 1129) appears only at Windows startup, it usually means the network connection is not yet initialized when the computer starts applying Active Directory Group Policies. There are several ways to solve the problem:
- The easiest way is to enable PortFast on the network switch. The switch port to which the user’s computer is connected then goes into the forwarding state immediately, skipping the Spanning Tree listening and learning states (about 30 seconds with default timers);
- If the first method is not possible, apply the Group Policy setting “Always wait for the network at computer startup and logon” to domain computers (this policy makes the computer wait for full network connectivity before processing GPOs at startup and logon, instead of applying cached policy in the background).
- Open the Group Policy Management Console (gpmc.msc), edit the policy linked to the Active Directory OU with computers, or create a new one;
- Go to the GPO section: Computer Configuration > Administrative Templates > System > Logon;
- Enable the policy Always wait for the network at computer startup and logon.
Some network adapters report link status late enough that this policy alone is not enough. In that case, also set the following registry parameter:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
“GpNetworkStartTimeoutPolicyValue”=dword:0000003c
This parameter sets the time, in seconds, that Group Policy waits for the network to become available at startup before processing policy (0x3c = 60 seconds in our case); total boot time increases by up to that value. You can deploy this registry parameter to domain computers with Group Policy Preferences (GPP).
If the Event ID 1129 error “The processing of Group Policy failed …” persists, increase GpNetworkStartTimeoutPolicyValue until the problem goes away.
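Before changing timeouts it is worth confirming that the 1129 events really are a startup race. The script below is an added example (not part of the original article): it compares each Event ID 1129 in the System log with the most recent “Event log service was started” (ID 6005) entry, and only if all of them fall within five minutes of a boot does it apply the two settings from this section locally. SyncForegroundPolicy under HKLM\SOFTWARE\Policies is the registry value behind the “Always wait for the network” policy, and 60 seconds is the article’s example timeout; both, and the five-minute window, are this example’s assumptions. Run it elevated.

```powershell
# Added example (not part of the original article). Confirm that Event ID 1129 is logged only
# shortly after boot (compared with the nearest earlier Event 6005 "Event log service was started"),
# then apply the two settings from this section locally. SyncForegroundPolicy is the registry value
# behind the "Always wait for the network" policy; 60 s is the article's example timeout.
$gpEvents = Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-GroupPolicy'; Id=1129} -ErrorAction SilentlyContinue
$boots    = Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='EventLog'; Id=6005} -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty TimeCreated

$startupOnly = $true
foreach ($e in $gpEvents) {
    $lastBoot = $boots | Where-Object { $_ -le $e.TimeCreated } | Sort-Object -Descending | Select-Object -First 1
    $age = if ($lastBoot) { ($e.TimeCreated - $lastBoot).TotalSeconds } else { [double]::PositiveInfinity }
    if ($age -gt 300) { $startupOnly = $false }   # more than 5 min after boot: not a startup race
    '{0:u}  1129 logged {1,6:N0}s after boot' -f $e.TimeCreated, $age
}

if (-not $gpEvents) {
    'No Event ID 1129 in the System log.'
} elseif (-not $startupOnly) {
    'Some 1129 events occurred long after boot: check DC connectivity (previous section) instead of startup timing.'
} else {
    $policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    New-Item -Path $policy -Force | Out-Null
    Set-ItemProperty -Path $policy   -Name SyncForegroundPolicy             -Value 1  -Type DWord
    Set-ItemProperty -Path $winlogon -Name GpNetworkStartTimeoutPolicyValue -Value 60 -Type DWord
    Get-ItemProperty -Path $policy   -Name SyncForegroundPolicy             | Select-Object SyncForegroundPolicy
    Get-ItemProperty -Path $winlogon -Name GpNetworkStartTimeoutPolicyValue | Select-Object GpNetworkStartTimeoutPolicyValue
}
```

Writing SyncForegroundPolicy under HKLM\SOFTWARE\Policies by hand is fine for testing one machine, but the next domain policy refresh overwrites that key, so deploy the real setting through the GPO described above.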
Event ID 1129 with the “lack of network connectivity to a domain controller” warning may also mean that the client cannot reach the LDAP service on the domain controller. Check on the DC that port 389 is open: in the output of netstat -an on the DC, TCP 389 should be in the LISTENING state (UDP 389, used for CLDAP DC locator pings, appears in the list without a state).
Make sure the LDAP port is not blocked by a firewall between the client and the server (the command should return TcpTestSucceeded : True):
Test-NetConnection DC01 -Port 389
Then run the built-in ldp.exe tool (installed with the AD DS RSAT tools) and check LDAP connectivity to the domain controller: select Connection > Connect, enter the DC name and port 389, and click OK.
If the LDAP service is running on the DC and is accessible from the client, a message will appear in the ldp.exe console:
ld = ldap_open(“192.168.79.129”, 389);
Established connection to 192.168.79.129.
Retrieving base DSA information…
Getting 1 entries:
Dn: (RootDSE)
configurationNamingContext: CN=Configuration,DC=theitbros,DC=com;
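The ldp.exe check as a script, added here as an example (not part of the original article): it first confirms that TCP 389 is reachable, then binds to RootDSE on the DC and prints the same kind of attributes ldp shows. It assumes a domain-joined client, uses the logon server as the DC, and binds with the current user’s credentials.

```powershell
# Added example (not part of the original article). Scripted version of the ldp.exe check above:
# confirm TCP 389 is reachable, then bind to RootDSE on the DC and print the attributes ldp shows.
# Assumes a domain-joined client; $dc defaults to the logon server, bind uses current credentials.
$dc = $env:LOGONSERVER.TrimStart('\')

$tcp = Test-NetConnection -ComputerName $dc -Port 389 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    throw "TCP 389 to $dc failed (ping succeeded: $($tcp.PingSucceeded)). Check firewalls between client and DC, and that the DC is listening."
}

try {
    # RootDSE is readable by any authenticated caller; reading it is the LDAP equivalent of a ping.
    # [ADSI] binds lazily, so the first property access inside the try is where a failure surfaces.
    $root = [ADSI]"LDAP://$dc/RootDSE"
    foreach ($attr in 'dnsHostName', 'defaultNamingContext', 'configurationNamingContext', 'isSynchronized', 'supportedLDAPVersion') {
        '{0,-28} {1}' -f $attr, ($root.Properties[$attr].Value -join ', ')
    }
} catch {
    # Typical failures: "The server is not operational" (LDAP down or blocked) or
    # "Logon failure" (secure channel or account problem rather than connectivity).
    throw "LDAP bind to $dc failed: $($_.Exception.Message)"
}

# LDAPS is not required for Group Policy processing, but a closed 636 is worth knowing about.
$ldaps = Test-NetConnection -ComputerName $dc -Port 636 -WarningAction SilentlyContinue
'LDAPS (636) reachable: {0}' -f $ldaps.TcpTestSucceeded
```

If the port test passes but the bind fails with a logon error, the problem is authentication (see the secure channel and computer account checks below), not the network.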
Event ID 1055: The processing of Group Policy failed. Windows could not resolve the computer name
Another common error when applying Group Policy is the Event ID 1055:
The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one or more of the following:
- Name Resolution failure on the current domain controller.
- Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
The error description contains the following entry:
ErrorCode 1331
Logon failure: account currently disabled.
In this case, check if your computer account is enabled in Active Directory:
- Get the name of your computer by running the command:
hostname
- Open the Active Directory Users and Computers snap-in (dsa.msc), find your computer account. Make sure it’s enabled. If not, right-click on it and select Enable account.
A secure channel problem prevents the computer from authenticating to a domain controller; it usually shows up as “Access Denied” (or “The trust relationship between this workstation and the primary domain failed”) when the computer accesses domain resources, including during Group Policy updates. Check the secure channel between your computer and the domain with the Test-ComputerSecureChannel cmdlet:
Test-ComputerSecureChannel -Verbose
Reset the computer account password and the secure channel with the command below (the credential needs the right to reset this computer’s password; a domain admin account is the simplest choice, not a requirement):
Reset-ComputerMachinePassword -Server dc2 -Credential corp\domain_admin_account
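The computer account check (Event ID 1055 with ErrorCode 1331) and the secure channel check as one script, added here as an example and not part of the original article. It assumes the RSAT ActiveDirectory module is installed on the client, that Get-ADComputer runs as the logged-on domain user, and that the credential you are prompted for has permission to reset this computer’s password; the secure channel is repaired only if the test fails.

```powershell
# Added example (not part of the original article). Checks the computer account in AD (the cause
# of Event ID 1055 with ErrorCode 1331), then tests the secure channel and repairs it only when the
# test fails. Assumes the RSAT ActiveDirectory module on the client and that the prompted credential
# has permission to reset this computer's password. Get-ADComputer runs as the current user.
Import-Module ActiveDirectory

$acct = Get-ADComputer -Identity $env:COMPUTERNAME -Properties Enabled, LockedOut, PasswordLastSet, LastLogonDate, DistinguishedName
$acct | Format-List Name, DistinguishedName, Enabled, LockedOut, PasswordLastSet, LastLogonDate

if (-not $acct.Enabled) {
    Write-Warning 'Computer account is disabled in AD (matches Event 1055 / ErrorCode 1331); enabling it.'
    Enable-ADAccount -Identity $acct.DistinguishedName
}

# The secure channel check only needs the machine account; -Verbose shows which DC was used.
if (Test-ComputerSecureChannel -Verbose) {
    'Secure channel to the domain is healthy.'
} else {
    $cred = Get-Credential -Message 'Account allowed to reset this computer''s password'
    # -Repair does the same job as Reset-ComputerMachinePassword: a new machine password is written
    # both to the local LSA secret and to the AD object, so the two sides agree again.
    if (Test-ComputerSecureChannel -Repair -Credential $cred -Verbose) {
        'Secure channel repaired; run gpupdate /force to confirm.'
    } else {
        throw 'Repair failed: verify the account is enabled, the DC is reachable, and the credential is valid.'
    }
}
```

A PasswordLastSet far in the past (the default machine password age is 30 days) together with a failing test usually means the computer was restored from an old image or snapshot and its password no longer matches the AD object; the repair fixes exactly that.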
If you see Event ID 1058 from the GroupPolicy source (Microsoft-Windows-GroupPolicy), it is the same gpt.ini read failure described at the beginning of this article: check the SYSVOL share on the DC the client uses (the one in the $env:LOGONSERVER environment variable) and, if that DC is otherwise healthy, try restarting it.
Here are a few rarer GPO processing errors on the client and their associated Event IDs:
- Event ID: 1002: The processing of Group Policy failed because of a system allocation failure. Please ensure the computer is not running low on resources (memory, available disk space). Group Policy processing will be attempted at the next refresh cycle.
This error indicates that your computer does not have enough resources to process the request. Check if your computer has enough free memory and disk space.
- Event ID: 1006: The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the Details tab for error code and description.
Open the event description and look for the error code number, which may indicate the cause of the problem:
Error code 5 (Access is denied) — user doesn’t have permission to access Active Directory;
Error code 49 (Invalid credentials) — try changing the user password, or unlock AD account or computer account;
Error code 258 (Timeout) — check DNS health on the DC.
- Event ID: 1030: The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the Details tab for error code and description. Windows will automatically retry this operation at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
Check if the TCP and UDP LDAP ports on the domain controller are available to the client (discussed above);
- Event ID: 1053: The processing of Group Policy failed. Windows could not resolve the user name.
This could be caused by one or more of the following:
1. Name Resolution failure on the current domain controller.
2. Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
Check the error code on the Details tab:
Error code 5 (Access is denied) and Error code 525 (The specified user doesn’t exist) — check if the user and/or computer has sufficient permissions to read the contents of the Organizational Unit in Active Directory;
Error code 14 (Not enough storage) — check if your computer has enough free memory and disk space;
Error code 1355 (The specified domain either doesn’t exist or couldn’t be contacted) — check the name resolution in Active Directory;
Error code 1727 (The remote procedure call failed) — check the RPC connectivity to DC;
- Event ID: 1097: The processing of Group Policy failed. Windows could not determine the computer account to enforce Group Policy settings. This may be transient. Group Policy settings, including computer configuration, will not be enforced for this computer.
Check that the time on your computer is synchronized with the domain controller: Kerberos authentication fails when the clock skew exceeds 5 minutes (the default). Configure NTP time synchronization in Active Directory and, as an immediate fix, resynchronize the time with the domain controller manually (w32tm /resync).
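The error-code triage in this list and the time check for Event ID 1097, as one script added here as an example (not part of the original article). Get-GpoFailureEvents pulls Group Policy errors and warnings from the System log and extracts the ErrorCode and ErrorDescription fields you would otherwise read on the Details tab, annotating them with the hints from this list; Test-DcTimeSkew measures the clock offset against the DC with w32tm. The hint table, the 5-minute Kerberos limit and the use of $env:LOGONSERVER as the DC are this example’s assumptions.

```powershell
# Added example (not part of the original article). Get-GpoFailureEvents pulls Group Policy
# errors/warnings from the System log and extracts the ErrorCode/ErrorDescription fields that
# the article tells you to read on the Details tab, annotating them with the hints from this list.
# Test-DcTimeSkew covers the Event 1097 case by measuring clock offset against the DC with w32tm.
# The hint table, the 5-minute Kerberos limit and $env:LOGONSERVER as the DC are assumptions.
function Get-GpoFailureEvents {
    param([int]$Hours = 24)
    $hints = @{
        '1006:5'    = 'Access denied: the account lacks permission to bind to AD'
        '1006:49'   = 'Invalid credentials: change the user password or unlock the user/computer account'
        '1006:258'  = 'LDAP bind timeout: check DNS health on the DC'
        '1053:5'    = 'Check read permission on the OU for the user/computer'
        '1053:525'  = 'User does not exist: check OU permissions and replication'
        '1053:14'   = 'Not enough storage: free memory or disk space'
        '1053:1355' = 'Domain not found: check name resolution'
        '1053:1727' = 'RPC call failed: check RPC connectivity to the DC'
        '1055:1331' = 'Computer account disabled: enable it in AD'
        '1058:*'    = 'gpt.ini unreadable: check SYSVOL on the logon server (top of this article)'
        '1097:*'    = 'Computer account not determined: check time sync with the DC (Test-DcTimeSkew)'
        '1129:*'    = 'No DC connectivity at startup: see the wait-for-network section'
    }
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-GroupPolicy'
                 Level = 1, 2, 3; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # The Details tab shows the EventData fields; the same values are in the event XML.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $code = $data['ErrorCode']
        $hint = $hints["$($_.Id):$code"]; if (-not $hint) { $hint = $hints["$($_.Id):*"] }
        [pscustomobject]@{
            Time = $_.TimeCreated; Id = $_.Id; ErrorCode = $code
            Description = $data['ErrorDescription']; DC = $data['DCName']; Hint = $hint
        }
    }
}

function Test-DcTimeSkew {
    param([string]$Dc = $env:LOGONSERVER.TrimStart('\'), [int]$MaxSkewSeconds = 300)
    # /dataonly prints one "hh:mm:ss, +00.0123456s" line per sample: the offset between the clocks.
    $lines   = & w32tm /stripchart "/computer:$Dc" /samples:3 /dataonly 2>&1
    $offsets = foreach ($l in $lines) { if ($l -match ',\s*([+-]\d+(?:\.\d+)?)s') { [double]$Matches[1] } }
    if (-not $offsets) { throw "No time samples from ${Dc}: $($lines -join ' ')" }
    $skew = ($offsets | Measure-Object -Average).Average
    [pscustomobject]@{
        DC = $Dc; SkewSeconds = [math]::Round($skew, 3)
        WithinKerberosLimit = [math]::Abs($skew) -le $MaxSkewSeconds   # Kerberos default MaxClockSkew is 5 min
    }
}

$events = Get-GpoFailureEvents -Hours 48
$events | Format-Table Time, Id, ErrorCode, Description, Hint -AutoSize -Wrap
if ($events | Where-Object Id -eq 1097) { Test-DcTimeSkew }
```

If WithinKerberosLimit comes back False, run w32tm /resync from an elevated prompt and re-run gpupdate /force; if the skew returns, fix the time source hierarchy (the PDC emulator should be the only DC syncing from an external source).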