Group policy oddities

Explanation: a lot of junk has been added to our Default Domain Policy & Default Domain Controller Policy. I was hoping to reset them with dcgpofix.exe. But obviously the first thing I did was (a) print them out, and (b) back them up. Obviously.

Except I couldn’t back up the DDC policy. Have 83 GPOs, and could only back up 82 successfully. Brilliantly, the error was “Backup of GPO failed. Error [Invalid pointer]”, which is hugely helpful.

This blog post – – got me pointed quite a long way in the right direction.

  1. Firstly, it’s the only place that seems to mention the fact that the group policy logging keys have to be DWORDs.
  2. Secondly it mentions that the cause could be erroneous user accounts/ SIDs (unlike which bangs on about DNS- my fix had nothing to do with DNS).
  3. Thirdly, the last line on moodjbow – “Search for lines including [WARNING] and google around for similar symptoms” – was precisely what led me to fix the issue once I’d got gpmgmt.log up and running.

The gpmgmt.log was reporting a couple of unresolvable SIDs and after hunting around pointlessly for SID convertion tools, I thought I’d have a dig about in some BUILTIN groups and lo and behold, there was a dodgy, legacy user in BUILTIN\Administrators. I deleted this, re-ran the backup and one of the warnings disappeared (tho’ the user has reappeared in BUILTIN\Administrators).

There was still one warning block left, which was:

“[3258.150c] 11/30/2017 13:57:30:243  [VERBOSE] ResolveTrustee(): Resolving account <DOMAIN\user> User Name <(null)>.
[3258.150c] 11/30/2017 13:57:30:259  [VERBOSE] ResolveTrustee(): Resolving account <S-1-5-21-1777476757-2052732148-4547331-26365> Domain Controller <(null)>.
[3258.150c] 11/30/2017 13:57:30:275  [VERBOSE] ResolveTrustee(): Account name is <user>
[3258.150c] 11/30/2017 13:57:30:290  [VERBOSE] CGPMBackupData::AddKnownSecurityPrincipal: SecurityPrincipal Added is DOMAIN\(null)
[3258.150c] 11/30/2017 13:57:30:306  [WARNING] CGPMBackupData::AddKnownSecurityPrincipal: GetFullAcctNameEx Failed with 0x80004003
[3258.150c] 11/30/2017 13:57:30:306  [WARNING] CGPMBackupData::PutSID: AddKnownSecurityPrincipal of S-1-5-21-1777476757-2052732148-4547331-26365 Failed with 0x80004003
[3258.150c] 11/30/2017 13:57:30:322  [WARNING] ProcessNameList: PutSID failed”

The user account in question had been disabled for ages withouth causing any apparent problems, so I just deleted it and the backup worked.

Time to fix? Actual remedial work was about 10 minutes, time spent digging around through Bing and Google was about 4 hours.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s