Thursday, July 31, 2014

Machine domain group policy failed to apply

In this case, domain joined workstation with Windows 7 operating system was failing to register itself on new WSUS server. Settings for the new WSUS server were entered into domain GPO. I tried to refresh the settings with gpupdate /force. But, the command was failing to apply computer settings from domain GPO, with following error message:
Computer policy could not be updated successfully. The following errors were encountered: The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LocalGPO. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.
The output from Gpresult /h gpresult.html was showing failed status for Registry in component status:

 

Error event was logged into System event log with ID 1096 and same description:

The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LocalGPO. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.

So, all errors were pointing for local policy corruption.
Navigating to c:\windows\system32\GroupPolicy\Machine folder and renaming the registry.pol file into registry-pol.bakup (for example), and running the gpupdate /force again, has resulted the command to successfully complete and apply the computer and user policy settings. The workstation has received new settings for the WSUS server and successfully registered itself on this new WSUS server.

I was using the same method for resolution in my article The processing of Group Policy failed. Event ID 1096, and the reason for not applying the domain GPOs was again the local policy corruption.
 

14 comments:

  1. Beautiful. Worked perfect. Had forgotten about that .pol file. My gpresult registry was showing "successful" but the same fix applied. I noticed local gpo was failing when I looked at the Local Administrators group and saw local accounts showing up with the SID after them, whereas domain accounts were showing up fine (no SID after the names). This saved me hours of troubleshooting.

    ReplyDelete
  2. Phew! finally a solution that works. Thanks

    ReplyDelete
  3. it is not showing in my computer

    ReplyDelete
  4. This comment has been removed by the author.

    ReplyDelete
  5. Thanks the solution is Brilliant and easy
    Works like a charm !!

    ReplyDelete
  6. This is brilliant solution. You are a master mind, champ. Cheers!!

    ReplyDelete
  7. Hi
    - I had same problem but only resolved when the .pol file in the \User folder was renamed.

    ReplyDelete
  8. Hi,
    I have tried to rename the .pol file to .bakup but still getting the same error? any idea

    ReplyDelete