I'm using a Samba4 domain controller, and on the machines joined to the domain I'm seeing this message:
The processing of Group Policy failed. Windows attempted to read the file \\mydomain.org\sysvol\mydomain.org\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
Running gpupdate gives me the same error. If I open the run box and type notepad \\mydomain.org\sysvol\mydomain.org\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini, I get Notepad opened up with the file in it. The contents are these:
[General]
Version=14
Clearly the file exists, and is accessible (by the domain administrator, anyway). The mydomain.org name resolves to the IP address of my domain controller. If I run GPRESULT /H GPReport.html, the resulting file says:
Group Policy Infrastructure failed due to the error listed below.
Access is denied.
Note: Due to the GP Core failure, none of the other Group Policy components processed their policy. Consequently, status information for the other components is not available.
I've checked the ACL via smbcacls on the domain folder under the sysvol share, and got this output:
pi@dc-rpi1 ~ $ smbcacls //mydomain.org/sysvol mydomain.org -U [email protected]
Enter [email protected]'s password:
REVISION:1
CONTROL:SR|PD|DP
OWNER:MYDOMAIN\Administrator
GROUP:BUILTIN\Administrators
ACL:BUILTIN\Administrators:ALLOWED/OI|CI/FULL
ACL:BUILTIN\Server Operators:ALLOWED/OI|CI/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI/FULL
ACL:NT AUTHORITY\Authenticated Users:ALLOWED/OI|CI/READ
If I try to get the ACLs on the gpt.ini file itself, I get this:
pi@dc-rpi1 ~ $ smbcacls //mydomain.org/sysvol mydomain.org/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/gpt.ini -U [email protected]
Enter [email protected]'s password:
REVISION:1
CONTROL:SR|PD|DP
OWNER:MYDOMAIN\Domain Admins
GROUP:MYDOMAIN\Domain Admins
ACL:MYDOMAIN\Domain Admins:ALLOWED/OI|CI/FULL
ACL:MYDOMAIN\Enterprise Admins:ALLOWED/OI|CI/FULL
ACL:CREATOR OWNER:ALLOWED/OI|CI|IO/FULL
ACL:MYDOMAIN\Domain Admins:ALLOWED/OI|CI/FULL
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI/FULL
ACL:NT AUTHORITY\Authenticated Users:ALLOWED/OI|CI/READ
ACL:NT AUTHORITY\ServerLogon:ALLOWED/OI|CI/READ
Why won't group policy processing work? Are the ACLs not working because my DC isn't running the right filesystem, or some other obscure configuration problem?
I ran samba-tool ntacl sysvolreset, which took several seconds, and then re-ran the smbcacls command. The output didn't change, but gpupdate no longer fails. Huh.

I have experienced this before on my hybrid domain with Samba4 and Windows. What the issue ended up being, at least in my case, was the sysvol share was out of sync between domain controllers. In my case my syncing script had stopped working and one domain controller had GPOs the other one did not. I fixed the sync issue and everything returned to normal.
Hope this helps someone.
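
A check for the out-of-sync condition described in the answer above, as an added example that is not part of the original posts: it compares two copies of the sysvol Policies folder (one per domain controller, mounted or copied locally) and lists GPOs that are missing on one side or whose gpt.ini Version differs. The function names, the second GUID and the sample directory trees are assumptions constructed for illustration.

```python
import configparser
import tempfile
from pathlib import Path

ABSENT = "absent"  # marker for a GPO folder that does not exist on one side

def gpo_versions(policies_dir):
    """Map each GPO GUID folder under Policies/ to the Version in its gpt.ini."""
    versions = {}
    for gpo in Path(policies_dir).iterdir():
        if not (gpo.is_dir() and gpo.name.startswith("{")):
            continue
        # On a case-sensitive filesystem the file may be gpt.ini or GPT.INI.
        ini = next((f for f in gpo.iterdir() if f.name.lower() == "gpt.ini"), None)
        version = None  # None = folder exists but has no readable Version
        if ini is not None:
            cp = configparser.ConfigParser(strict=False, interpolation=None)
            try:
                cp.read_string(ini.read_text(encoding="utf-8-sig", errors="replace"))
                version = cp.getint("General", "Version", fallback=None)
            except (configparser.Error, ValueError):
                pass  # malformed gpt.ini is reported as None, not a crash
        versions[gpo.name.upper()] = version
    return versions

def compare_sysvol(policies_a, policies_b):
    """Return (guid, version_a, version_b) for every GPO that differs."""
    a, b = gpo_versions(policies_a), gpo_versions(policies_b)
    return [(g, a.get(g, ABSENT), b.get(g, ABSENT))
            for g in sorted(a.keys() | b.keys())
            if a.get(g, ABSENT) != b.get(g, ABSENT)]

def demo():
    """Constructed sample: two Policies/ trees standing in for two DCs."""
    page_gpo = "{31B2F340-016D-11D2-945F-00C04FB984F9}"   # GUID from the question
    made_up = "{11111111-2222-3333-4444-555555555555}"    # constructed GUID
    trees = {"dc1": {page_gpo: 14, made_up: 3}, "dc2": {page_gpo: 12}}
    with tempfile.TemporaryDirectory() as root:
        for dc, gpos in trees.items():
            for guid, version in gpos.items():
                d = Path(root, dc, "Policies", guid)
                d.mkdir(parents=True)
                (d / "gpt.ini").write_text(f"[General]\nVersion={version}\n")
        return compare_sysvol(Path(root, "dc1", "Policies"), Path(root, "dc2", "Policies"))

if __name__ == "__main__":
    for guid, v1, v2 in demo():
        print(f"{guid}: dc1={v1} dc2={v2}")
```

An empty list from compare_sysvol() means both copies hold the same GPO folders at the same versions; any row is a GPO a client could read inconsistently depending on which domain controller it reaches.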