Explanation: a lot of junk has been added to our Default Domain Policy & Default Domain Controllers Policy. I was hoping to reset them with dcgpofix.exe. But obviously the first thing I did was (a) print them out, and (b) back them up. Obviously.
Except I couldn’t back up the DDC policy. We have 83 GPOs, and I could only back up 82 successfully. Brilliantly, the error was “Backup of GPO failed. Error [Invalid pointer]”, which is hugely helpful.
This blog post – https://moodjbow.wordpress.com/2015/10/28/cannot-backup-gpo-error-invalid-pointer/ – got me pointed quite a long way in the right direction.
- Firstly, it’s the only place that seems to mention the fact that the group policy logging keys have to be DWORDs.
- Secondly, it mentions that the cause could be erroneous user accounts/SIDs (unlike https://support.microsoft.com/en-us/help/3005420/gpmc-backup-of-a-gpo-fails-together-with-an-invalid-pointer-error-mess, which bangs on about DNS; my fix had nothing to do with DNS).
- Thirdly, the last line on moodjbow – “Search for lines including [WARNING] and google around for similar symptoms” – was precisely what led me to fix the issue once I’d got gpmgmt.log up and running.
The gpmgmt.log was reporting a couple of unresolvable SIDs and, after hunting around pointlessly for SID conversion tools, I thought I’d have a dig about in some BUILTIN groups and lo and behold, there was a dodgy, legacy user in BUILTIN\Administrators. I deleted this, re-ran the backup and one of the warnings disappeared (tho’ the user has reappeared in BUILTIN\Administrators).
There was still one warning block left. Note the 0x80004003 in it: that is E_POINTER, i.e. the same “Invalid pointer” GPMC shows in the GUI, so the unhelpful error really was just the SID lookup failing. The block was:
“[3258.150c] 11/30/2017 13:57:30:243 [VERBOSE] ResolveTrustee(): Resolving account <DOMAIN\user> User Name <(null)>.
[3258.150c] 11/30/2017 13:57:30:259 [VERBOSE] ResolveTrustee(): Resolving account <S-1-5-21-1777476757-2052732148-4547331-26365> Domain Controller <(null)>.
[3258.150c] 11/30/2017 13:57:30:275 [VERBOSE] ResolveTrustee(): Account name is <user>
[3258.150c] 11/30/2017 13:57:30:290 [VERBOSE] CGPMBackupData::AddKnownSecurityPrincipal: SecurityPrincipal Added is DOMAIN\(null)
[3258.150c] 11/30/2017 13:57:30:306 [WARNING] CGPMBackupData::AddKnownSecurityPrincipal: GetFullAcctNameEx Failed with 0x80004003
[3258.150c] 11/30/2017 13:57:30:306 [WARNING] CGPMBackupData::PutSID: AddKnownSecurityPrincipal of S-1-5-21-1777476757-2052732148-4547331-26365 Failed with 0x80004003
[3258.150c] 11/30/2017 13:57:30:322 [WARNING] ProcessNameList: PutSID failed”
The user account in question had been disabled for ages without causing any apparent problems, so I just deleted it and the backup worked.
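For anyone hitting the same thing, here is the whole procedure above as one script: turn on GPMC tracing (with the DWORD values, as the moodjbow post points out), re-run the failing backup, pull every domain SID out of the [WARNING] lines in gpmgmt.log, try to resolve each one, and for any that does not resolve show where the GPO references it. This is an added example written for this post, not something from the original write-up or from Microsoft. Assumptions to verify before relying on it: the RSAT GroupPolicy module is installed and the shell is elevated on a domain-joined box; the trace switches are the REG_DWORD values GPMgmtTraceLevel=2 and GPMgmtLogFileOnly=1 under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics, with the trace written to %windir%\debug\usermode\gpmgmt.log; the GPO name and backup folder are placeholders.

```powershell
<#
Added example, not code from the original post. Assumptions (verify them):
RSAT GroupPolicy module present, elevated shell on a domain-joined machine,
GPMC tracing controlled by REG_DWORD GPMgmtTraceLevel / GPMgmtLogFileOnly under
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics, trace written to
%windir%\debug\usermode\gpmgmt.log. GPO name and backup folder are placeholders.
#>
param(
    [string]$GpoName    = 'Default Domain Controllers Policy',
    [string]$BackupPath = 'C:\GPOBackup',
    [string]$LogPath    = "$env:windir\debug\usermode\gpmgmt.log"
)

Import-Module GroupPolicy -ErrorAction Stop

# 1. Turn on GPMC tracing. Both values must be REG_DWORD; a REG_SZ "2" is ignored.
$diag = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics'
New-Item -Path $diag -Force | Out-Null
Set-ItemProperty -Path $diag -Name GPMgmtTraceLevel  -Value 2 -Type DWord
Set-ItemProperty -Path $diag -Name GPMgmtLogFileOnly -Value 1 -Type DWord

# 2. Re-run the failing backup. We expect it to fail; what we want is the trace.
New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
try {
    Backup-GPO -Name $GpoName -Path $BackupPath -ErrorAction Stop | Out-Null
    Write-Host "Backup of '$GpoName' succeeded; nothing to chase."
    return
} catch {
    Write-Warning "Backup of '$GpoName' failed: $($_.Exception.Message)"
}

# 3. Pull every domain SID out of the [WARNING] lines (the PutSID /
#    AddKnownSecurityPrincipal lines carry the SID that failed to resolve).
$sidPattern = 'S-1-5-21-\d+-\d+-\d+-\d+'
$sids = Select-String -Path $LogPath -Pattern '\[WARNING\]' |
        ForEach-Object { [regex]::Matches($_.Line, $sidPattern) | ForEach-Object Value } |
        Sort-Object -Unique
if (-not $sids) {
    Write-Host "No domain SIDs in [WARNING] lines of $LogPath; read the log by hand."
    return
}

# 4. Try to resolve each SID. A failed Translate() means no live account owns it
#    (deleted account, or a principal from a domain this DC cannot reach).
$gpo    = Get-GPO -Name $GpoName
$sysvol = "\\$($gpo.DomainName)\SYSVOL\$($gpo.DomainName)\Policies\{$($gpo.Id)}"
foreach ($sid in $sids) {
    try {
        $acct = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
        Write-Host "$sid -> $acct"
        continue
    } catch {
        Write-Warning "$sid does not resolve to any account"
    }
    # Where does the GPO reference it? Check delegation / security filtering...
    Get-GPPermission -Name $GpoName -All |
        Where-Object { "$($_.Trustee.Sid)" -eq $sid } |
        ForEach-Object { Write-Host "  referenced in GPO permissions: $($_.Permission)" }
    # ...and the policy files in SYSVOL (GptTmpl.inf stores Restricted Groups and
    # User Rights Assignment members as *SID strings).
    Get-ChildItem -Path $sysvol -Recurse -File -Include *.inf,*.xml,*.ini -ErrorAction SilentlyContinue |
        Select-String -Pattern $sid -SimpleMatch |
        ForEach-Object { Write-Host "  referenced in $($_.Path):$($_.LineNumber)" }
}
```

Run it once with the failing GPO name; any SID it reports as unresolvable is the one to chase, and the SYSVOL hits tell you whether it lives in the GPO’s ACL or inside the policy settings themselves. Set GPMgmtTraceLevel back to 0 when you are done so the DC stops writing the trace.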
Time to fix? Actual remedial work was about 10 minutes, time spent digging around through Bing and Google was about 4 hours.