The Processing of Group Policy Failed

There are a number of reasons why the “The processing of Group Policy failed” error can occur. The event IDs that most commonly appear in Event Viewer > Application with these errors are 1030, 1053, 1054, and 1058. In this article, we will show you how to solve GPO processing errors.

The Processing of Group Policy Failed, Windows Attempted to Read the File

When you try to update Group Policy settings on a computer using the gpupdate /force command, you could receive the following error:

User policy could not be updated successfully. The following errors were encountered.

The processing of Group Policy failed. Windows attempted to read the file \\domain.local\SysVol\domain.local\Policies\{Policy_GUID}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved.

This issue may be transient and could be caused by one or more of the following:

  • Name Resolution/Network Connectivity to the current domain controller;
  • File Replication Service Latency (a file created on another domain controller has not been replicated to the current domain controller);
  • The Distributed File System (DFS) client has been disabled.

You may encounter such an error not only when you manually run the gpupdate /force command, but also after running DCDIAG tools, or in the Event Viewer when a user logs in. In some cases, when this error appears, you won’t be able to open shared network folders or DFS domain resources with the error “The Network Path Was Not Found”.

The error can occur both on desktops (Windows 10, 8.1, 7) and on Windows Server 2016/2012 R2/2008 R2.

First, make sure the \\domain.local\SysVol\domain.local\Policies\{Policy_GUID}\gpt.ini file exists on your domain controller. If the gpt.ini file is missing, then most likely the GPO is corrupted. You can determine the name of the GPO by its GUID using the following PowerShell command from the GroupPolicy module:

Get-GPO -id {Policy_GUID}|select DisplayName

Recreate the policy or copy it from another DC.
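
The gpt.ini check above, extended to every GPO on every domain controller, as an added example that is not part of the original article. It assumes a domain-joined admin workstation with the RSAT GroupPolicy and ActiveDirectory modules; the function name Test-GpoSysvolFile is hypothetical.

```powershell
# Added example: report every GPO whose gpt.ini is missing on any DC.
# Assumes the RSAT GroupPolicy and ActiveDirectory modules are installed.
Import-Module GroupPolicy, ActiveDirectory

function Test-GpoSysvolFile {
    param([string]$Domain = $env:USERDNSDOMAIN)

    $gpos = Get-GPO -All -Domain $Domain
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $root = "\\$($dc.HostName)\SYSVOL\$Domain\Policies"

        # If the Policies folder itself cannot be read, the problem is the DC
        # or the network path, not an individual GPO.
        if (-not (Test-Path -LiteralPath $root)) {
            [pscustomobject]@{ DC = $dc.HostName; GPO = '*'; Guid = ''; Status = 'SYSVOL unreachable' }
            continue
        }

        foreach ($gpo in $gpos) {
            # Format 'B' yields "{xxxxxxxx-xxxx-...}", the folder name under Policies
            $guid = $gpo.Id.ToString('B')
            $file = Join-Path (Join-Path $root $guid) 'gpt.ini'
            $status = if (Test-Path -LiteralPath $file) { 'OK' } else { 'gpt.ini missing' }
            [pscustomobject]@{
                DC     = $dc.HostName
                GPO    = $gpo.DisplayName
                Guid   = $guid
                Status = $status
            }
        }
    }
}

# Show only the problems: a GPO missing on one DC points to replication,
# a GPO missing on all DCs points to a corrupted or deleted policy.
Test-GpoSysvolFile | Where-Object Status -ne 'OK' | Sort-Object GPO, DC | Format-Table -AutoSize
```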

Hint. If the policy files are missing on all domain controllers, you can restore GPO files from a backup. If there are no Default Domain Policy files or Default Domain Controller policy files and no backup is available, you can restore both default policy settings by using the dcgpofix tool.

You can use the following dcgpofix commands to reset your Default Domain Policy and/or Default Domain Controllers Policy GPO to their default settings:

  • Reset the Default Domain GPO:
    dcgpofix /target:Domain
  • Reset the Default Domain Controllers GPO:
    dcgpofix /target:DC
  • Reset both the Default Domain and DC GPOs:
    dcgpofix /target:both

The second thing to do is look at the Event Viewer logs. Check whether there are any events related to the Journal Wrap error, which causes the File Replication Service to fail on domain controllers.

The error usually looks like this:

The File Replication Service has detected that the replica set “DOMAIN SYSTEM VOLUME(SYSVOL SHARE)” is in JRNL_WRAP_ERROR

This error may indicate corruption of the SYSVOL folder in domains where replication is based on legacy FRS instead of the more modern DFS Replication. Compare the contents of the folder \\DC_name\sysvol\domain.local\Policies on the problem domain controller with the same folder on any other DC.

Microsoft’s solution is to force the SYSVOL folder on the problem DC to synchronize from another DC:

  1. Open the Registry Editor (regedit.exe);
  2. Go to the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters;
  3. Change (create) a registry key named “Enable Journal Wrap Automatic Restore” and change its value to 1;
  4. Restart the NTFRS service:
    net stop ntfrs && net start ntfrs
  5. Verify that the following events in the File Replication Service log consistently appear:
    Event ID 13553 — The File Replication Service successfully added this computer to the following replica set: “DOMAIN SYSTEM VOLUME (SYSVOL SHARE)”;
    Event ID 13554 — The File Replication Service successfully added the connections shown below to the replica set: “DOMAIN SYSTEM VOLUME (SYSVOL SHARE)”;
  6. Wait a while. After successful replication the following event should appear:
    Event ID 13516 — The File Replication Service is no longer preventing the computer DC from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL;
  7. Now you need to change the value Enable Journal Wrap Automatic Restore to 0;
  8. Make sure that Netlogon and Sysvol shared folders are accessible on the domain controller.
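
The eight steps above as one script, as an added example that is not Microsoft's or the article's own code. It assumes an elevated session on the affected DC, that the value is created as a DWORD, and that the FRS events are read from the "File Replication Service" log; the 60-minute timeout is an arbitrary choice.

```powershell
#Requires -RunAsAdministrator
# Added example: run on the DC that logged JRNL_WRAP_ERROR.
$key  = 'HKLM:\System\CurrentControlSet\Services\NtFrs\Parameters'
$name = 'Enable Journal Wrap Automatic Restore'
$ids  = 13553, 13554, 13516        # event IDs from steps 5 and 6
$timeoutMinutes = 60               # assumption: how long to wait for 13516

# Steps 1-3: create the value if it is missing and set it to 1
New-ItemProperty -Path $key -Name $name -Value 1 -PropertyType DWord -Force | Out-Null

# Step 4: restart the File Replication Service
$start = Get-Date
Restart-Service -Name NtFrs

# Steps 5-6: poll the FRS log until 13516 appears or the timeout expires
$deadline = $start.AddMinutes($timeoutMinutes)
do {
    Start-Sleep -Seconds 30
    $seen = @(Get-WinEvent -FilterHashtable @{
                  LogName = 'File Replication Service'; Id = $ids; StartTime = $start
              } -ErrorAction SilentlyContinue |
              Select-Object -ExpandProperty Id -Unique)
    Write-Host ("{0:T}  events seen: {1}" -f (Get-Date), ($seen -join ', '))
} until (($seen -contains 13516) -or ((Get-Date) -gt $deadline))

if ($seen -contains 13516) {
    # Step 7: SYSVOL is initialized again, so set the value back to 0
    Set-ItemProperty -Path $key -Name $name -Value 0
} else {
    # Leave the decision to the operator instead of silently continuing
    Write-Warning "Event 13516 not logged within $timeoutMinutes minutes; '$name' is still 1."
}

# Step 8: both shares must be reachable on this DC
foreach ($share in 'NETLOGON', 'SYSVOL') {
    $unc = "\\$env:COMPUTERNAME\$share"
    "{0,-30} reachable: {1}" -f $unc, (Test-Path -LiteralPath $unc)
}
```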

If you didn’t find the “Journal Wrapping” error in the client’s Event Viewer, open the services management console (services.msc) and check if the “TCP/IP Netbios Helper” service is running and its startup type is set to automatic.

The “Processing of Group Policy failed” error might be related to issues with DNS or with the domain controller itself. Use the nslookup and ping utilities to check if your DNS server (usually this is a domain controller) is available and responding. You can find out the name of your domain controller with the command:

systeminfo | find "Logon Server"

In this example, your DC name is xxx-dc01.

If the previous command returned N/A, then your DC is not accessible.

You need to check the availability of the domain controller with the commands:

Ping xxx-dc01

Nslookup xxx-dc01

Make sure both commands return a successful response. Try to reset the DNS resolver cache on affected computers:

ipconfig /flushdns

Check the availability of the DC over RPC using the command:

nltest /dsgetdc:yourdomain.com

Tip. Check the health of domain controllers and replication in Active Directory.

Make sure your domain controller is accessible via RPC protocol:

nltest /dsgetdc:your_domain_name

Try to open the list of network folders on the DC: press Win+R, type \\xxx-dc01 in the Run box, and press Enter.

You should see a list of folders on your domain controller. Among them, you should see NetLogon and Sysvol folders.

Check the time synchronization between the domain controller and the client. Try to perform manual time synchronization.

If the DC is available:

  1. Check if the computer account in Active Directory is active;
  2. Delete the file C:\Windows\System32\GroupPolicy\Machine\Registry.pol;
  3. Restart the computer.

After that, run gpupdate /force again; it should complete successfully:

User Policy update has completed successfully.

Computer Policy update has completed successfully.

Group Policy Processing Failed: Lack of Network Connectivity to a DC

Another common error when applying a GPO:

Computer policy could not be updated successfully. The following errors were encountered.

The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition.

First, check if there is a connection to the domain controller as described in the previous section.

If the error “The processing of Group Policy failed because of lack of network connectivity” appears only on Windows startup, then most likely it means that the computer doesn’t have time to initialize the network connection before applying Active Directory Group Policies. There are several ways to solve the problem:

  • The easiest way is to enable PortFast mode on the network switch. In this case, the switch port to which the user’s computer is connected immediately goes into the forwarding state, bypassing the learning stage;
  • If the first method is not possible, you can apply the Group Policy setting “Always wait for the network at computer startup and logon” to domain computers (this policy forces the computer to wait for full network connectivity before logon and before applying GPOs). To enable it:
    1. Open the Group Policy Management Console (gpmc.msc), edit the policy linked to the OU with computers, or create a new one;
    2. Go to the GPO section: Computer Configuration > Administrative Templates > System > Logon;
    3. Enable the policy “Always wait for the network at computer startup and logon”.

Some network card drivers ignore this policy. In this case, it is recommended to set the following parameter in the registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GpNetworkStartTimeoutPolicyValue"=dword:0000003c

This parameter allows you to set a constant startup delay in seconds (in our case, 60 seconds) before applying Group Policies (total Windows boot time will increase). You can deploy this registry parameter to computers in the domain through GPP.

If the error “The processing of Group Policy failed …” with code 1129 persists, increase the value of the GpNetworkStartTimeoutPolicyValue parameter until the problem goes away.

Event ID 1055: The processing of Group Policy failed. Windows could not resolve the computer name

Another common error when applying Group Policy is the Event ID 1055:

The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one or more of the following:

a) Name Resolution failure on the current domain controller.

b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

The error description contains the following entry:

ErrorCode 1331

Logon failure: account currently disabled.

In this case, check if your computer account is enabled in Active Directory:

  1. Get the name of your computer by running the command:
    hostname
  2. Open the Active Directory Users and Computers console (dsa.msc) and find your computer account. Make sure it’s enabled. If not, right-click on it and select Enable account.

A secure channel issue may prevent a computer from authenticating with a domain controller and usually shows up as an “Access Denied” error when a computer tries to access domain resources, including Group Policy updates. You can check and reset the secure channel between your computer and Active Directory DC using the Test-ComputerSecureChannel cmdlet:

Test-ComputerSecureChannel -Verbose

Reset the secure channel with the domain controller using the command:

Reset-ComputerMachinePassword -Server dc2 -Credential corp\domain_admin_account

If you receive an Event ID 1058 error with a GroupPolicy source (Microsoft-Windows-GroupPolicy), try simply restarting the domain controller (its name is contained in the $env:LOGONSERVER environment variable).

Cyril Kardashevsky

3 comments

  1. We had this issue and discovered that some legacy Win2003 domain controllers only talk SMBv1. When we rolled out some Win10 client machines, they have SMBv1 disabled by default, so they could not read the \\domain\SYSVOL folder if they hit one of the legacy DCs. When we enabled SMBv1 on the client, they could read the SYSVOL folder and were able to process GPOs. Obviously, SMBv1 is not considered secure so view this as a temporary solution until you can get off Win2003 DCs and then go back and disable SMBv1 on those client machines.

  2. Many thanks for that, it saved me a lot of time and headaches. Odd that Windows doesn’t just carry on and process the rest of the GPOs – almost like an “on error continue”. Instead, the one missing file caused other policies to fail.
