Windows cannot query GP objects

  • Windows cannot query GP objects

    Hello people,

    As of today I have just started receiving the following events on both a single DC and its clients (terminal server and XP). Group policy is failing to update and I am unable to access \\\sysvol from the clients. I have checked the permissions and they appear to be OK. The only thing that has really changed is that I applied some MS updates last night, but I don't think they are to blame because I was experiencing a few hints pointing towards this a few days ago. I set up a DFS between the DC and another file server about a week ago.

    The only issue with the server before this was replication failures due to a failed second DC that was removed months ago due to a fire. I am yet to do a metadata clean up as there have been no issues. Do you think a metadata clean would fix the GP update issues? If so, why has it been OK up till now?

    Any help would be greatly appreciated.

    2003 R2 std - DC, Exch, SQL, DFS
    2003 R2 std - DFS file server only joined to domain but not DC,
    2003 R2 std - Terminal Server
    XP Clients

    Eventid 1058
    Windows cannot access the file gpt.ini for GPO CN={B8180A47-3161-42BA-8170-F436FDFC5DB6},CN=Policies,CN=System,DC=domain,DC=com,DC=au. The file must be present at the location <\\\SysVol\\Policies\{B8180A47-3161-42BA-8170-F436FDFC5DB6}\gpt.ini>. (Logon Failure: The target account name is incorrect. ). Group Policy processing aborted.

    Eventid 1030
    Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

    I also get this error. Related?


    The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/ The target name used was cifs/ This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (DOMAIN.COM.AU), and the client realm. Please contact your system administrator.
    Last edited by Rednet; 19th December 2008, 08:10.

  • #2
    Re: Windows cannot query GP objects

    Metadata cleanup

    and removing failed DC from Sites and services and DNS resolves this issue


    • #3
      Re: Windows cannot query GP objects


      I would have thought Event ID 4 is unrelated to the other two events.

      Have a look at this for the GP template error:

      Caesar's cipher - 3




      • #4
        Re: Windows cannot query GP objects

        I've seen this one quite a lot recently. The resolution I've had most success with is running dfsutil /purgemupcache which usually then allows you to browse to the sysvol share. The kb article L4ndy linked to includes that.

        I'd agree that the kerberos error is unrelated to the userenv ones.
        BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
        Cruachan's Blog


        • #5
          Re: Windows cannot query GP objects

          We had this at our sister company - turns out the previous network admin was a bit of a muppet. Rather than creating new GPOs for extra settings (as Microsoft tell you to do) he put everything into the default policies. Check what state yours are in. Have a read of to see how to reset them to the defaults.
          Gareth Howells

          BSc (Hons), MBCS, MCP, MCDST, ICCE

          Any advice is given in good faith and without warranty.

          Please give reputation points if somebody has helped you.

          "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

          "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.


          • #6
            Re: Windows cannot query GP objects

            I think I resolved both issues in one hit here by cleaning the metadata.

            I'm not exactly sure why the remaining metadata of the old DC was causing the GP update failures after such a long time but that issue has gone. Probably removing the DC from Sites and services resolved that.

            I the Eventid 4 (kerberos) issue was resolved by removing obsolete items from DNS.

            I'll let you know. Eventvwr was throwing loads of errors before and now it's OK so we'll see.
            Last edited by Rednet; 19th December 2008, 13:23.