Problem: GPO Replication Issues: Outdated Link Information in GPMC and empty gPLink Values

Problem:

When working in the Group Policy Management Console (GPMC), the following message appears:
“The link information for site, domain, or organizational unit is no longer current.”

Some Group Policy Objects (GPOs) show version conflicts between Active Directory and SYSVOL (gpt.ini), which prevents changes from being applied correctly.

Checking replication between the domain controllers (samba-tool drs showrepl) does not reveal obvious errors, but inconsistencies persist in GPO linking (gPLink) and versioning.

Why does gPLink:: IA== appear on a computer object when it is displayed with univention-s4search?


Investigation:

In general, Group Policies in the Samba directory service can be linked with Organizational Units (OU) and the LDAP base.
In the UCS@school context, however, only links below the school OU are automatically synchronized into the OpenLDAP directory.

Links at the LDAP base are deliberately blocked, for example by OpenLDAP access restrictions, so that a school administrator adjusting Group Policies linked there cannot also affect all other schools.

Such a change is recorded as a reject in the S4 Connector on the school server.
If it is explicitly desired that changes to Group Policy links at the LDAP base and under OU=Domain Controllers are also synchronized into the OpenLDAP directory (and thus to all schools), the following command can be run on the school server with the central administrator password:

eval "$(ucr shell)"

/usr/share/univention-s4-connector/msgpo.py \
  --write2ucs \
  --binddn "uid=Administrator,cn=users,$ldap_base" \
  --bindpwd <password>

Example:

root@school-rep01:/home/mm_adm# /usr/share/univention-s4-connector/msgpo.py --write2ucs --binddn "uid=Administrator,cn=users,$ldap_base" --bindpwd pwd_file
Set msGPOLink for UCS object (ou=school1,dc=univention,dc=intranet)
Set msGPOLink for UCS object (ou=school2,dc=univention,dc=intranet)
Set msGPOLink for UCS object (ou=school3,dc=univention,dc=intranet)
Set msGPOLink for UCS object (ou=school4,dc=univention,dc=intranet)
Set msGPOLink for UCS object (ou=school5,dc=univention,dc=intranet)
Set msGPOLink for UCS object (dc=univention,dc=intranet)
Set msGPOLink for UCS object (ou=school6,dc=univention,dc=intranet)
Set msGPOLink for UCS object (ou=domain controllers,dc=univention,dc=intranet)
Set msGPOLink for UCS object (ou=school7,dc=univention,dc=intranet)

The UCR variable connector/s4/mapping/gpo must be set to true; verify it with:

ucr get connector/s4/mapping/gpo
true

The S4 Connector detects shortly afterward, during the next resync, that the reject has been resolved.

Documentation reference:
https://docs.software-univention.de/ucsschool-manual/latest/de/exam-mode/examples-gpos.html#generelle-hinweise-zu-gruppenrichtlinien-und-administrativen-vorlagen


Analysis of gPLink:: IA==

When querying the school OU (here ou=school1) in the Samba database via univention-s4search, the OU carries the attribute gPLink with the Base64 value IA==:

univention-s4search ou=school1
# record 1
dn: OU=school1,DC=univention,DC=intranet
objectClass: top
objectClass: organizationalUnit
ou: school1
instanceType: 4
whenCreated: 20250729185046.0Z
uSNCreated: 4624
name: school
objectGUID: d80a3a38-04d1-4893-8984-b76b0956d22a
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=univention,DC=intranet
gPLink:: IA==

Why does gPLink:: IA== appear?

  • Base64 encoding
    The double colon :: after the attribute name means the value is Base64-encoded.

  • Decoding
    IA== is Base64 for a single whitespace character.
    This means: currently, no Group Policy Object is linked — the value is effectively empty.

  • When does this happen?

    • If no GPOs are linked to this OU, or
    • If an invalid or broken link was deleted, but the gPLink attribute was not fully updated.

This is also why decoding the value on the OpenLDAP side yields only a single space, visible as the blank before the next prompt:

root@ucs-pri01:~/univention-support# univention-ldapsearch -LLL ou=school5 msGPOLink | grep "msGPOLink::" | cut -d' ' -f2 | base64 --decode
 root@ucs-pri01:~/univention-support#
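As an added example (not part of the original article and not a Univention tool), the following Python script automates the check described above: it parses LDIF-style output such as that of univention-s4search or univention-ldapsearch, decodes values marked with :: as Base64, and classifies each object's gPLink as absent, empty (the IA== case) or linked. The constructed sample mirrors the ou=school1 record from this page; ou=school2, ou=school3 and the GPO GUIDs in it are invented for illustration. It goes slightly beyond the page by also splitting a populated gPLink into its individual [LDAP://…;options] entries in the standard Active Directory format, so disabled or enforced links show up in the same pass.

```python
import base64
import re

# Constructed sample in the LDIF-style layout printed by univention-s4search.
# ou=school1 mirrors the record shown on this page (gPLink:: IA==, a lone space);
# ou=school2 (with a folded, two-entry gPLink), ou=school3 and all GUIDs are
# invented for illustration only.
SAMPLE_LDIF = """\
# record 1
dn: OU=school1,DC=univention,DC=intranet
objectClass: organizationalUnit
ou: school1
gPLink:: IA==

# record 2
dn: OU=school2,DC=univention,DC=intranet
objectClass: organizationalUnit
ou: school2
gPLink: [LDAP://cn={11111111-2222-3333-4444-555555555555},cn=policies,cn=system,
 DC=univention,DC=intranet;0][LDAP://cn={66666666-7777-8888-9999-000000000000},c
 n=policies,cn=system,DC=univention,DC=intranet;2]

# record 3
dn: OU=school3,DC=univention,DC=intranet
objectClass: organizationalUnit
ou: school3
"""

# One gPLink entry in the standard AD format: [LDAP://<gpo dn>;<options>]
GPLINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)


def _finish(entries):
    """Turn collected [name, is_base64, raw] triples into {attr: [values]}."""
    record = {}
    for name, is_b64, raw in entries:
        value = base64.b64decode(raw).decode("utf-8") if is_b64 else raw
        record.setdefault(name, []).append(value)
    return record


def parse_ldif(text):
    """Parse LDIF-style text into a list of {attr: [values]} dicts.

    Handles folded continuation lines (leading space) and Base64 values,
    which LDIF marks with '::' after the attribute name (e.g. 'gPLink:: IA==').
    Decoding happens only after unfolding, so folded Base64 stays intact.
    """
    records, current = [], []
    for raw in text.splitlines():
        if raw.startswith("#"):          # '# record N' and summary comments
            continue
        if not raw.strip():              # blank line ends a record
            if current:
                records.append(_finish(current))
                current = []
            continue
        if raw.startswith(" ") and current:
            current[-1][2] += raw[1:]    # continuation of the previous value
            continue
        name, sep, value = raw.partition(":")
        if not sep:
            continue
        is_b64 = value.startswith(":")   # 'attr:: <base64>'
        current.append([name, is_b64, value.lstrip(":").strip()])
    if current:
        records.append(_finish(current))
    return records


def describe_options(options):
    """Decode the gPLink options bits: 1 = link disabled, 2 = enforced."""
    flags = []
    if options & 1:
        flags.append("disabled")
    if options & 2:
        flags.append("enforced")
    return ",".join(flags) or "enabled"


def inspect_gplink(record):
    """Classify one object's gPLink.

    Returns (status, links): status is 'absent' (attribute missing),
    'empty' (present but whitespace only, the IA== case) or 'linked';
    links is a list of (gpo_dn, options) tuples for the 'linked' case.
    """
    values = record.get("gPLink", [])
    if not values:
        return "absent", []
    if not values[0].strip():
        return "empty", []
    links = [(dn, int(opt)) for dn, opt in GPLINK_RE.findall(values[0])]
    return "linked", links


def report(text):
    """Return one (dn, status, link_count) tuple per object in the text."""
    result = []
    for rec in parse_ldif(text):
        status, links = inspect_gplink(rec)
        result.append((rec["dn"][0], status, len(links)))
    return result


if __name__ == "__main__":
    import sys
    # Pipe real output in (e.g. univention-s4search ou=school1 gPLink | python3 thisfile.py)
    # or run without input to analyse the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    for rec in parse_ldif(text):
        status, links = inspect_gplink(rec)
        print(f"{rec['dn'][0]}: {status}")
        for gpo_dn, opt in links:
            print(f"    {gpo_dn} [{describe_options(opt)}]")
```

The distinction between "absent" and "empty" matters for this article: an OU that never had a GPO linked simply lacks the attribute, whereas a whitespace-only value is the leftover of a removed or broken link, which is exactly the state GPMC reports as outdated link information.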

Solution:

To correctly populate the gPLink attribute, use the Group Policy Management Console (GPMC) on a Windows client to link one or more desired GPOs with the school OU:

  1. Open the GPMC.
  2. Select the school OU.
  3. Right-click → Link an existing Group Policy Object.
  4. Select the desired GPO and confirm.

If there were previously invalid or broken links, you can remove them there as well.
After making adjustments, the gPLink attribute will automatically be updated with the correct value.


See also: