The Processing of Group Policy Failed

There are a number of reasons why The processing of Group Policy failed error could happen. In this article, we will show you how to solve GPO processing error.

The Processing of Group Policy Failed, Windows Attempted to Read the file

When you try to update Group Policy settings on a computer using the gpupdate /force command, you could receive the following error:

User policy could not be updated successfully. The following errors were encountered.

The processing of Group Policy failed. Windows attempted to read the file \\domain.local\SysVol\domain.local\Policies\{Policy_GUID}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved.

This issue may be transient and could be caused by one or more of the following:

  • Name Resolution/Network Connectivity to the current domain controller;
  • File Replication Service Latency (a file created on another domain controller has not been replicated to the current domain controller);
  • The Distributed File System (DFS) client has been disabled.

the processing of group policy failed. windows attempted to read the file

You may encounter such an error not only when you manually run the gpupdate /force command, but also after running DCDIAG tools, or in the Event Viewer when a user logs in. In some cases, when this error appears, you won’t be able to open shared network folders or DFS domain resources with the error “The Network Path Was Not Found”.

The error can occur both on desktops (Windows 10, 8.1, 7) and on Windows Server 2016/2012 R2/2008 R2.

First, make sure the \\domain.local\SysVol\domain.local\Policies\{Policy_GUID}\gpt.ini file exists on your domain controller. If the gpt.ini file is missing, it is most likely that the GPO is corrupted. You can determine the name of the GPO by its GUID using the following PowerShell command from the GroupPolicy module:

Get-GPO -id {Policy_GUID}|select DisplayName

Recreate the policy or copy it from another DC.

Hint. If the policy files are missing on all domain controllers, you can restore GPO files from a backup. If there are no Default Domain Policy files or Default Domain Controller policy files and no backup is available, you can restore both default policy settings by using the dcgpofix tool.

READ ALSO  Fix Corrupt Windows 7/8/10 Temporary Profile

The second thing you will want to do is take a look at the Event Viewer logs. Check if there are any event logs related to the Journal Wrapping error which was causing File Replication Services to fail on our domain controllers.

The error usually looks like this: The File Replication Service has detected that the replica set “DOMAIN SYSTEM VOLUME(SYSVOL SHARE)” is in JRNL_WRAP_ERROR

the processing of group policy failed

This error may indicate corruption of the SYSVOL folder in domains where replication is based on legacy FRS instead of more modern DFS replication. Compare the contents of the folder on the problem domain controller \\DC_name\sysvol\domain.local\Policies with any other DC. You can force the sysvol folder to synchronize from another DC.

Microsoft’s solution says that you can force the Sysvol folder to synchronize in the problem DC from another DC:

  1. Open the Registry Editor (regedit.exe);
  2. Go to the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters;
  3. Change (create) a registry key named “Enable Journal Wrap Automatic Restore” and change its value to 1;
  4. Restart the NTFRS service: net stop ntfrs && net start ntfrs
  5. Verify that the following events in the File Replication Service log consistently appear.:
    Event ID 13553 – The File Replication Service successfully added this computer to the following replica set: “DOMAIN SYSTEM VOLUME (SYSVOL SHARE)”;
    Event ID 13554 – The File Replication Service successfully added the connections shown below to the replica set: “DOMAIN SYSTEM VOLUME (SYSVOL SHARE)”;
  6. Wait a while. After successful replication the following event should appear:
    Event ID 13516 – The File Replication Service is no longer preventing the computer DC from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL;
  7. Now you need to change the value Enable Journal Wrap Automatic Restore to 0;
  8. Make sure that Netlogon and Sysvol shared folders are accessible on the domain controller.
READ ALSO  How Does Microsoft Outlook Convert Time Zones for Meetings?

If you didn’t find the “Journal Wrapping” error in the client’s Event Viewer, open the services management console (services.msc) and check that the “TCP/IP Netbios Helper” service is running and its startup type is set to automatic.

the processing of group policy failed windows attempted to read the file

The “processing of Group Policy failed“error might be related to issues with DNS or with the domain controller itself. Use the nslookup and ping utility to check that your DNS server (usually this is a domain controller) is available and responding. You can find out the name of your domain controller with the command:

systeminfo | find "Logon Server"

In this example, your DC name is xxx-dc01.

processing of group policy failed

If the previous command returned N/A, then your DC is not accessible.

the processing of group policy failed. windows attempted to read the file gpt.ini

You need to check the availability of the domain controller with the commands:

Ping xxx-dc01

Nslookup xxx-dc01

Make sure both commands return a successful response.

Check availability of DC via RPC protocol using the command:

nltest /dsgetdc:yourdoman.com

the processing of group policy failed gpt.ini

Try to open the list of network folders on DC by clicking WIN+R > Run > Type \\xxx-dc01 -> Enter.

windows attempted to read the file gpt.ini

You should see a list of folders on your domain controller. Among them must be the folders NetLogon and Sysvol.

the processing of group policy failed.

If DC is available:

  1. Check that the computer account in Active Directory is active;
  2. Delete the file C:\Windows\System32\GroupPolicy\Machine\Registry.pol;
  3. Restart the computer.

After that try to running gpupdate /force and it should result in success!

gpt.ini from a domain controller and was not successful

User Policy update has completed successfully.

Computer Policy update has completed successfully.

Group Policy Processing Failed: Lack of Network Connectivity to a DC

Another common mistake when applying a GPO:

Computer policy could not be update successfully. The following error were encountered.

The processing of Group Policy failed because the lack of network connectivity to a domain controller. This may be a transient condition.

the processing of group policy failed windows attempted to read the file gpt.ini

First, check if there is a connection to the domain controller as described in the previous section.

If the error “The processing of Group Policy failed because the lack of network connectivity” appears only on Windows startup, it most likely means that the computer doesn’t have time to initialize the network connection before applying Active Directory Group Policies. There are several ways to solve the problem:

  • The easiest way is to enable PortFast mode on the network switch. In this case, the switch port to which the user’s computer is connected immediately goes into the forwarding state, bypassing the learning stage;
  • If the first method is not possible, you can apply a Group Policy setting called “Always wait for the network at computer startup and logon setting” to domain computers (this policy force the computer to wait for full network connectivity before logon and apply GPO).
  1. Open the Group Policy Management Console (gpmc.msc), edit the policy linked to the OU with computers or create a new one;
  2. Go to the GPO section: Computer Configuration > Administrative Templates > System > Logon
  3. Enable the policy Always wait for the network at computer startup and logon setting
READ ALSO  Fix Windows 8.1/10 Search Filter Host and Indexer High CPU Load Problem

the processing of group policy failed windows attempted to read the file gpt ini windows 10

Some network card drivers ignore this policy. In this case, it is recommended to set the following parameter in the registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
“GpNetworkStartTimeoutPolicyValue”=dword:0000003c

This parameter allows you to set a constant startup delay in seconds (in our case, 60 seconds) before applying Group Policies (total Windows boot time will increase). You can deploy this registry parameter to computers in the domain through GPP.

If the error “The processing of Group Policy failed …” with code 1129 persists, increase the value of the GpNetworkStartTimeoutPolicyValue parameter until the problem goes away.

Cyril Kardashevsky

2 comments

  1. We had this issue and discovered that some legacy Win2003 domain controllers only talk SMBv1 . When we rolled out some Win10 client machines, they have SMBv1 disabled by default, so they could not read the \\domain\SYSVOL folder if they hit one of the legacy DCs. When we enabled SMBv1 on the client, they could read the SYSVOL folder and were able to process GPOs. Obviously, SMBv1 is not considered secure so view this as a temporary solution until you can get off Win2003 DCs and then go back and disable SMBv1 on those client machines.

  2. Many thanks for that, it saved me a lot of time and headaches. Odd that Windows doesn’t just carry on and process the rest of the GPOs – almost like an “on error continue”. Instead, the one missing file caused other policies to fail.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.