Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

GPOs not Applying


  • Please log in to reply
18 replies to this topic

#1 parrot1553

parrot1553

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:41 AM

Posted 11 May 2017 - 12:27 AM

Hello,

I have a few GPOs linked into OUs,but none of them apply.If I run gpresult /r on one of the client computers I get this: 

 

The processing of Group Policy failed. Windows could not apply the registry-base
d policy settings for the Group Policy object LDAP://CN=User,cn={FDF06D2C-782F-4
498-8A4C-18342880CFC2},cn=policies,cn=system,DC=gimo,DC=local. Group Policy sett
ings will not be resolved until this event is resolved. View the event details f
or more information on the file name and path that caused the failure.
Computer policy could not be updated successfully. The following errors were enc
ountered:

The processing of Group Policy failed. Windows could not evaluate the Windows Ma
nagement Instrumentation (WMI) filter for the Group Policy object cn={EAF42392-3
29D-4219-81F7-A17F1F64E499},cn=policies,cn=system,DC=gimo,DC=local. This could b
e caused by RSOP being disabled or Windows Management Instrumentation (WMI) ser
vice being disabled, stopped, or other WMI errors. Make sure the WMI service is
started and the startup type is set to automatic. New Group Policy objects or se
ttings will not process until this event has been resolved.

2G0fhQz.png

 

CJXSUGI.png

How can I solve this? 

Thanks


Edited by parrot1553, 11 May 2017 - 12:34 AM.


BC AdBot (Login to Remove)

 


#2 JohnnyJammer

JohnnyJammer

  • Members
  • 1,117 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:QLD Australia
  • Local time:08:41 PM

Posted 11 May 2017 - 04:42 AM

I have nevere used that GPO mate but its saying it require authentication so in order to send the remote WMIC or WMI command it would require a login token.

Remember that its un-encrypted when sending remote WMIC and WMI commands over a network.



#3 parrot1553

parrot1553
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:41 AM

Posted 12 May 2017 - 07:10 AM

How do I get that login token?

#4 sflatechguy

sflatechguy

  • BC Advisor
  • 2,200 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:41 AM

Posted 13 May 2017 - 05:07 PM

If you are going to require authentication, you need to configre it.

 

https://msdn.microsoft.com/en-us/library/aa384295(v=vs.85).aspx

https://technet.microsoft.com/en-us/library/ee692772.aspx#EEAA



#5 parrot1553

parrot1553
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:41 AM

Posted 17 May 2017 - 08:17 PM

Hello guys,

 

So after further investigation.It seems like when I remove the GPO that gives me the error when I run gpupdate /force ,the command completes successfully.So it seems the GPO itself is corrupt,however,when I create a new GPO it automatically becomes corrupt.What is most likely causing this issue? I ran a quick chkdsk and it showed no errors,I'd have to turn server off for a more thorough test but I'd prefer to avoid that.



#6 sflatechguy

sflatechguy

  • BC Advisor
  • 2,200 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:41 AM

Posted 18 May 2017 - 08:13 AM

I'm not convinced that the GPO was corrupt. I've seen that behavior when a group policy or user account isn't configured properly -- for example, the user is configured for folder redirection, but doesn't have NTFS permissions on that folder. You should go back and recheck the settings in both the GPO and on the computer and user accounts. It's possible the WMI service on the computer isn't enabled or configured properly.



#7 parrot1553

parrot1553
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:41 AM

Posted 18 May 2017 - 02:21 PM

I'm not convinced that the GPO was corrupt. I've seen that behavior when a group policy or user account isn't configured properly -- for example, the user is configured for folder redirection, but doesn't have NTFS permissions on that folder. You should go back and recheck the settings in both the GPO and on the computer and user accounts. It's possible the WMI service on the computer isn't enabled or configured properly.

As far as I know WMI is enabled by default in windows,and it indeed is enabled in the pc I use for test.Since the GPO doesnt apply to any of the computers in the network I dont think its a client issue..All users are using a standard domain account.I try to apply the simplest GPO for testing purposes.Like ask for password if screensaver is interrupted,and start screensaver after  900 seconds idle.



#8 JohnnyJammer

JohnnyJammer

  • Members
  • 1,117 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:QLD Australia
  • Local time:08:41 PM

Posted 18 May 2017 - 04:58 PM

So are any GPO's applying and also are you targeting the machine or user and i guess you know where to place the GPO if using machine and user OU groups hey?

Cant put a user GPO in an OU object designed for machine policies.

 

Why are you disabling the WMI for? I use it all day for executing remote commands to install software etc from batch files.

WMI is used for many tools and also inbuilt features for windows.



#9 parrot1553

parrot1553
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:41 AM

Posted 20 May 2017 - 05:08 AM

Hi,

 

I havent disabled WMI...its enabled on both the server and clients.All other GPOs apart from the ones specified in the error are applying...yes I have linked GPOs with computer configuration to OU with computers and GPOs for users in an OU with users.

 

I still get 

The processing of Group Policy failed. Windows could not apply the registry-base

d policy settings for the Group Policy object LDAP://CN=User,cn={FDF06D2C-782F-4
498-8A4C-18342880CFC2},cn=policies,cn=system,DC=gimo,DC=local. Group Policy sett
ings will not be resolved until this event is resolved. View the event details f
or more information on the file name and path that caused the failure.
Computer policy could not be updated successfully. The following errors were enc
ountered:

 

If I disble GPO FDF06D2C-782F-4498-8A4C-18342880CFC2 it will complete successfully.If I create a new GPO it will fail again.I am 100% sure the GPO is correct are its the simplest one I use to test ,run screensaver after 900seconds idle and password lock on resume.

 

The Computer GPO that fails is EAF42392-329D-4219-81F7-A17F1F64E499 This is the default domain policy,which I have never touched...



#10 JohnnyJammer

JohnnyJammer

  • Members
  • 1,117 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:QLD Australia
  • Local time:08:41 PM

Posted 21 May 2017 - 05:51 PM

No worries,  EAF42392-329D-4219-81F7-A17F1F64E499 is just a unique identifier mate to your domain only.

So you have you ran RSOP.msc on any of the end user machines as administrator? I would do that then right click the Computer Config, then properties and see which GPO has failed and see what error it gives on the error information tab or even event viewer.

Looking at your first pic, it seems that th firewall rule is creating the issue so i would start by making the protocol Any instead of 6 or just remove them 2 rules altogether because you wont need them firewall filters if you run the commands using WMIC from a dos prompt (But remember its sent in clear text!).



#11 parrot1553

parrot1553
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:41 AM

Posted 24 May 2017 - 06:11 PM

Hi ,

 

I have run RSOP and this is the result file.

 

https://www.dropbox.com/s/i47khdwcl0da59k/gpreport.html?dl=0



#12 parrot1553

parrot1553
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:41 AM

Posted 30 May 2017 - 03:32 PM

bump



#13 dna9

dna9

  • Members
  • 96 posts
  • OFFLINE
  •  
  • Local time:04:41 AM

Posted 30 May 2017 - 10:41 PM

Hi ,

 

I have run RSOP and this is the result file.

 

https://www.dropbox.com/s/i47khdwcl0da59k/gpreport.html?dl=0

dead link



#14 dna9

dna9

  • Members
  • 96 posts
  • OFFLINE
  •  
  • Local time:04:41 AM

Posted 30 May 2017 - 10:42 PM

Hello,

I have a few GPOs linked into OUs,but none of them apply.If I run gpresult /r on one of the client computers I get this: 

 

The processing of Group Policy failed. Windows could not apply the registry-base
d policy settings for the Group Policy object LDAP://CN=User,cn={FDF06D2C-782F-4
498-8A4C-18342880CFC2},cn=policies,cn=system,DC=gimo,DC=local. Group Policy sett
ings will not be resolved until this event is resolved. View the event details f
or more information on the file name and path that caused the failure.
Computer policy could not be updated successfully. The following errors were enc
ountered:

The processing of Group Policy failed. Windows could not evaluate the Windows Ma
nagement Instrumentation (WMI) filter for the Group Policy object cn={EAF42392-3
29D-4219-81F7-A17F1F64E499},cn=policies,cn=system,DC=gimo,DC=local. This could b
e caused by RSOP being disabled or Windows Management Instrumentation (WMI) ser
vice being disabled, stopped, or other WMI errors. Make sure the WMI service is
started and the startup type is set to automatic. New Group Policy objects or se
ttings will not process until this event has been resolved.

2G0fhQz.png

 

CJXSUGI.png

How can I solve this? 

Thanks

what got moved?  somebody moved something.



#15 parrot1553

parrot1553
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:41 AM

Posted 31 May 2017 - 05:42 PM

Works fine for me,try this link

 

https://ufile.io/1yclm






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users