One of the computers no longer applied the new Group Policy settings. For diagnostics, I manually updated the GPO parameters using the command gpupdate /force and saw this error in the console:
Failed to update computer policy successfully. The following errors were encountered: An error occurred while processing Group Policy. Windows could not apply registry-based policy settings for GPO 'LocalGPO'. Group Policy settings cannot be applied until this situation is corrected. For information about the name and path of the file that caused this error, see the details for this event.
Computer policy could not be updated successfully. The following errors were encountered: The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LocalGPO. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.
At the same time, an event with EvetID 1096 appears in the System log with the same description (The processing of Group Policy failed):
Log Name: System
Source: Microsoft-Windows-GroupPolicy
Event ID: 1096 Level: Error
User: SYSTEM
If you try to diagnose GPO application using the gpresult (gpresult.exe /h c:\tempt\gpresultreport.html) command, you can see that only the settings from the Group Policy Registry - section are not applied Failed :
Registry failed due to the following error listed below. Additional information may have been logged. Review the Policy Events tab in the console or the application event log.
It turns out that only GPOs with the settings of CSE (client-side extension) group policy client extensions, which are responsible for managing registry keys through GPO, are not applied to the computer.
The Registry client-side extension was unable to read the registry.pol file . Most likely the file is corrupted (we recommend checking the file system for errors using chkdsk). To recreate this file, go to c:\Windows\System32\GroupPolicy\Machine and rename it to registry.bak.
You can rename a file from the command line:
cd "C:\Windows\System32\GroupPolicy\Machine"
ren registry.pol registry.bak
Update the group policy settings with the command:
gpupdate /force
Windows should recreate the registry.pol file (local GPO settings will be reset) and successfully apply all GPO settings.
If you see Event ID 1096 (The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LDAP://) in the log with ErrorCode 13 and description “ The data is invalid ”, then the problem is related to the domain GPO indicated in the error.
Copy the policy GUID and find the GPO name using the PowerShell command:
Get-GPO -Guid 19022B70-0025-470E-BE99-8348E6E606C7
- Run the Domain GPO Management Console (gpmc.msc) and verify that the policy exists;
- Check that there are registry.pol and gpt.ini files in the policy's SYSVOL directory and they are readable (check NTFS permissions);
- Check that the version of the policy on different domain controllers is the same (check that the domain and replication in AD work correctly);
- Delete the GPO files in SYSVOL on the domain controller from which the client is getting the policy ( $env:LOGONSERVER ) and wait for it to replicate from the neighboring DC
- If the previous methods do not help, recreate the GPO or restore it from a backup.