Suddenly not all GPOs get applied

Hi,
I have two problems with group policies. Last week it worked well; today I became aware of the issues. Yesterday I created a few new policies, and I suspect something broke while doing that.

  1. I have two policies which are being skipped because the gpagent assumes that these policies have version 0 and are therefore empty.
  2. My Windows-Clients don’t apply all offered GPOs, only the ones linked directly to the domain. Policies linked to OUs under the domain don’t get applied. Only Computer-Policies seem to be affected. User-Policies do get applied.
  • Clients can log into the domain, they’re using both Domain Controllers as their DNS server, and resolving their domain names to the correct IP is possible.
  • I can access the sysvol\policies…gpt.ini files while logged in to these clients

What I have tried so far:

  • I checked my policies using this checklist. But they seem to be ok.

  • The second checklist I used was this one.

  • Domain Controller Master and Backup are syncing their sysvol-Files correctly

  • There are no Revision mismatches between LDAP and GPT.ini

  • samba-tool ntacl sysvolcheck did show Provisioning Errors, but samba-tool ntacl sysvolreset solved that.

  • The gpagent-logfile on my Windows clients shows that Windows can see all OUs and Policies linked to it

Edit:

  • I found an error in the gpagent-logfile, which I overlooked at first.
GPSVC(44c.4d8) 16:32:14:576 GetDCNameFromGPTPath: NetDfsGetClientInfo() failed with error=0xa66 for GPT Path=\\domain.name\SysVol\domain.name\Policies\{2F1073E9-CE45-4F8C-A307-5F09F29E4312}\gpt.ini
GPSVC(44c.4d8) 16:32:14:576 ProcessGPO:  Couldn't find the group policy template file <\\domain.name\SysVol\domain.name\Policies\{2F1073E9-CE45-4F8C-A307-5F09F29E4312}\gpt.ini>, error = 0x52e. DC: <null>
  • Apparently, this is a permission error. Therefore I did a full Sysvol-Sync by deleting the sysvol-cache on the Backup-server, but it didn’t help. Authenticated Users are allowed to read these files, but it seems it isn’t enough.

Edit2:
The error in my first edit was due to a broken GPO. The /var/lib/samba/domain/Policies/{2F1073E9-CE45-4F8C-A307-5F09F29E4312} folder didn’t get correct permissions.

After creating a new GPO, permissions are set correctly again.

Now, all lower GPOs are still not being applied and new GPOs are still being detected as empty by the gpagent.

Strange. I deleted all folders in C:\ProgramData\Microsoft\Group Policy\History on one client, and it worked afterwards. As far as I can tell, all other clients apply GPOs correctly since today, without any help from me.
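
An added example, not part of the original post: a small Python triage script that groups failing gpsvc log lines by GPO GUID and names the Win32 status codes, so a single broken GPO folder stands out from a domain-wide problem. The function name and the first sample line are constructed for illustration; the other two sample lines are the ones quoted in the first edit above.

```python
import re
from collections import defaultdict

# Names for the two codes in the post's log, plus access denied for comparison.
KNOWN_ERRORS = {
    0x005: "ERROR_ACCESS_DENIED",
    0x52E: "ERROR_LOGON_FAILURE",
    0xA66: "NERR_DfsNoSuchVolume",
}

LINE_RE = re.compile(
    r"^GPSVC\([0-9a-f]+\.[0-9a-f]+\)\s+(?P<time>\d\d:\d\d:\d\d:\d{3})\s+"
    r"(?P<func>\w+):\s+(?P<msg>.*)$", re.IGNORECASE)
ERROR_RE = re.compile(r"error\s*=\s*0x([0-9a-f]+)", re.IGNORECASE)
GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.IGNORECASE)

# First line is constructed; the other two are the lines quoted in the post.
SAMPLE_LOG = r"""
GPSVC(44c.4d8) 16:32:14:570 ProcessGPO:  ==============================
GPSVC(44c.4d8) 16:32:14:576 GetDCNameFromGPTPath: NetDfsGetClientInfo() failed with error=0xa66 for GPT Path=\\domain.name\SysVol\domain.name\Policies\{2F1073E9-CE45-4F8C-A307-5F09F29E4312}\gpt.ini
GPSVC(44c.4d8) 16:32:14:576 ProcessGPO:  Couldn't find the group policy template file <\\domain.name\SysVol\domain.name\Policies\{2F1073E9-CE45-4F8C-A307-5F09F29E4312}\gpt.ini>, error = 0x52e. DC: <null>
""".strip().splitlines()

def failures_by_gpo(lines):
    """Group failing gpsvc.log lines by the GPO GUID in their GPT path."""
    result = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # wrapped or foreign line
        err = ERROR_RE.search(m["msg"])
        if not err or int(err.group(1), 16) == 0:
            continue  # no error code on this line, or success
        code = int(err.group(1), 16)
        guid = GUID_RE.search(m["msg"])
        key = guid.group(0).upper() if guid else "(no GPO in line)"
        result[key].append((m["time"], m["func"], code,
                            KNOWN_ERRORS.get(code, "unknown")))
    return dict(result)

if __name__ == "__main__":
    for gpo, hits in failures_by_gpo(SAMPLE_LOG).items():
        print(gpo)
        for time, func, code, name in hits:
            print(f"  {time} {func}: 0x{code:x} {name}")
```
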
