Group Policy File Access
Group Policy processing requires network connectivity to one or more domain controllers. The Group Policy service reads information from Active Directory and the sysvol share located on a domain controller. The absence of network connectivity prevents Group Policy from applying to the user or computer.
Correct connectivity to the Group Policy template
The Group Policy service logs the name of the domain controller and the error code. This information appears on the Details tab of the error message in Event Viewer. The error code (displayed as a decimal) and error description fields further identify the reason for the failure. Evaluate the error code with the list below:
Error code 3
Error code 5
Error code 53
Error code 3 (The system cannot find the path specified)
This error code usually indicates that the client computer cannot find the path specified in the event.
To test client connectivity to the domain controller's sysvol:
Identify the domain controller used by the computer. The domain controller name is logged in the details of the error event.
Identify whether the failure happened during user or computer processing. For user policy processing, the User field of the event will show a valid user name; for computer policy processing, the User field will show "SYSTEM".
Compose the full network path to gpt.ini as \\<dcName>\SYSVOL\<domain>\Policies\<guid>\gpt.ini where <dcName> is the name of the domain controller, <domain> is the name of the domain, and <guid> is the GUID of the policy folder. All of this information appears in the event.
Verify you can read gpt.ini using the full network path obtained in the previous step. To do this, launch a command window and type <file_path>, where <file_path> is the path constructed in the previous step, and press ENTER. NOTE: You must launch this command as the user or computer whose credentials previously failed.
Follow Network troubleshooting procedures to diagnose the problem further.
Error code 5 (Access is denied)
This error code usually indicates that the user or computer does not have the appropriate permissions to access the path specified in the event.
On the domain controller: Ensure the user and computer have appropriate permission to read the path specified in the event.
To test computer and user credentials:
Log off and reboot the computer.
Log on to the computer with the domain credentials previously used.
Error code 53 (The network path was not found)
This error code usually indicates that the computer cannot resolve the name in the provided network path.
To test network path name resolution:
Identify the domain controller used by the computer. The name of the domain controller is logged in the details of the error event.
Try to connect to the netlogon share on the domain controller using the path \\<dcName>\netlogon where <dcName> is the name of the domain controller in the error event.
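The connectivity tests described under error codes 3 and 53 above, as an added PowerShell example (not part of the original page or of Microsoft's management pack): it finds the latest event 1058 with the same filter the monitor uses, builds the gpt.ini path, and reports the decimal Win32 code returned when reading it. The function names and the sample DC, domain and GUID values are assumptions made for illustration.

```powershell
# Added example, not Microsoft's code. Run it as the identity whose processing
# failed (the user, or SYSTEM for computer policy), as the NOTE above requires.

function Get-LastGpFileAccessEvent {
    # Same filter as the monitor: System log, Microsoft-Windows-GroupPolicy, event 1058.
    $f = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-GroupPolicy'; Id = 1058 }
    Get-WinEvent -FilterHashtable $f -MaxEvents 1 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message,
            @{ n = 'Scope'; e = { if ($_.UserId.Value -eq 'S-1-5-18') { 'Computer' } else { 'User' } } }
}

function Get-GptIniPath {
    param([string]$DcName, [string]$Domain, [string]$PolicyGuid)
    # The policy folder on SYSVOL is named with braces; accept the GUID either way.
    $guid = '{' + $PolicyGuid.Trim('{', '}') + '}'
    "\\$DcName\SYSVOL\$Domain\Policies\$guid\gpt.ini"
}

function Test-GptIniRead {
    param([string]$DcName, [string]$Domain, [string]$PolicyGuid)
    $path = Get-GptIniPath $DcName $Domain $PolicyGuid
    $code = 0
    try { $null = [System.IO.File]::ReadAllText($path) }
    catch {
        # Unwrap to the I/O exception; the low 16 bits of its HResult are the
        # decimal Win32 code that the event reports.
        $ex = $_.Exception
        while ($ex.InnerException) { $ex = $ex.InnerException }
        $code = $ex.HResult -band 0xFFFF
    }
    $next = switch ($code) {
        0  { 'gpt.ini is readable from this context' }
        3  { 'Path not found: recheck the DC, domain and GUID against the event' }
        5  { 'Access denied: check read permission on this path on the DC' }
        53 { 'Name not resolved: see the netlogon share result below' }
        default { "Unlisted Win32 error $code" }
    }
    [pscustomobject]@{
        Path         = $path
        Win32Error   = $code
        NextStep     = $next
        NetlogonOpen = Test-Path -LiteralPath "\\$DcName\netlogon"
    }
}

# Constructed sample values; substitute the ones shown in your event.
Get-LastGpFileAccessEvent | Format-List
Test-GptIniRead -DcName 'dc01.example.test' -Domain 'example.test' `
    -PolicyGuid '00000000-0000-0000-0000-000000000000'
```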
Target | Microsoft.Windows.GroupPolicy.2008.Runtime
Parent Monitor | System.Health.AvailabilityState
Category | StateCollection
Enabled | True
Alert Generate | True
Alert Severity | MatchMonitorHealth
Alert Priority | Normal
Alert Auto Resolve | True
Monitor Type | Microsoft.Windows.SingleEventLogManualReset2StateMonitorType
Remotable | True
Accessibility | Public
Alert Message |
RunAs | Default
<UnitMonitor ID="Microsoft.Windows.GroupPolicy.2008.Runtime.GroupPolicyPreprocessingNetworking.System.CorrectconnectivitytotheGroupPolicytemplate.EventBased.UnitMonitor" Accessibility="Public" Enabled="onEssentialMonitoring" Target="Microsoft.Windows.GroupPolicy.2008.Runtime" ParentMonitorID="SystemHealth!System.Health.AvailabilityState" Remotable="true" Priority="Normal" TypeID="Windows!Microsoft.Windows.SingleEventLogManualReset2StateMonitorType" ConfirmDelivery="true">
  <Category>StateCollection</Category>
  <AlertSettings AlertMessage="Microsoft.Windows.GroupPolicy.2008.Runtime.GroupPolicyPreprocessingNetworking.System.CorrectconnectivitytotheGroupPolicytemplate.EventBased.UnitMonitor.AlertMessage">
    <AlertOnState>Error</AlertOnState>
    <AutoResolve>true</AutoResolve>
    <AlertPriority>Normal</AlertPriority>
    <AlertSeverity>MatchMonitorHealth</AlertSeverity>
    <AlertParameters>
      <AlertParameter1>$Data/Context/EventDescription$</AlertParameter1>
    </AlertParameters>
  </AlertSettings>
  <OperationalStates>
    <OperationalState ID="ManualReset" MonitorTypeStateID="ManualResetEventRaised" HealthState="Success"/>
    <OperationalState ID="NegativeHealthState" MonitorTypeStateID="EventRaised" HealthState="Error"/>
  </OperationalStates>
  <Configuration>
    <ComputerName>$Target/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
    <LogName>System</LogName>
    <Expression>
      <And>
        <Expression>
          <SimpleExpression>
            <ValueExpression>
              <XPathQuery>PublisherName</XPathQuery>
            </ValueExpression>
            <Operator>Equal</Operator>
            <ValueExpression>
              <Value>Microsoft-Windows-GroupPolicy</Value>
            </ValueExpression>
          </SimpleExpression>
        </Expression>
        <Expression>
          <SimpleExpression>
            <ValueExpression>
              <XPathQuery>EventDisplayNumber</XPathQuery>
            </ValueExpression>
            <Operator>Equal</Operator>
            <ValueExpression>
              <Value>1058</Value>
            </ValueExpression>
          </SimpleExpression>
        </Expression>
      </And>
    </Expression>
  </Configuration>
</UnitMonitor>