Possible GPO errors and troubleshooting steps

The following are a few errors that might occur when backing up GPOs and related settings. Refer to the troubleshooting guide below to rectify these errors.

Note: RecoveryManager Plus backs up the Group Policy Administrative Templates folder by executing PowerShell commands remotely from the RecoveryManager Plus server using the Windows Remote Management (WinRM) service. The backed-up files are temporarily stored in the domain controller's ADMINS share. They are then moved to the RecoveryManager Plus server.

  1. Remote directory creation failed
  2. Session state is broken / No valid session / PsSession failed
  3. Insufficient privilege
  4. Command not found
  5. GPO was not found
  6. Object reference not set to an instance of an object
  7. The system cannot open the specified device or file
  8. Error HRESULT E_FAIL has been returned from a call to a COM component
  9. The library, drive, or media pool is empty
  10. The specified directory service attribute or value does not exist
  11. The system cannot find the path specified
  12. The data is invalid
  13. Unknown errors

  1. Remote directory creation failed

    2. This error occurs when the service account does not have access to the ADMINS share on the domain controller.

    To fix this issue, perform the following steps:

    1. Make sure the service account is a member of AD's built-in Administrators group.
    2. Log in to the RecoveryManager Plus server with the service account and check for the ADMINS share access in File Explorer:

      \\<dc-name>\ADMIN$\

    3. If the above methods do not work, restart RecoveryManager Plus and trigger another backup.

  2. Session state is broken / No valid session / PsSession failed

    3. To fix this issue, reboot RecoveryManager Plus.

  3. Insufficient privilege

    4. This error might occur due to the following reasons:

    • The WinRM service is not running on the domain controller:

      To fix this issue, start the WinRM service on the domain controller using the Enable-PSRemoting -Force PowerShell command.

    • The domain controller could not be trusted by the client:

      To fix this issue, run the following PowerShell command on the RecoveryManager Plus server:

      winrm s winrm/config/client '@{TrustedHosts="<dc1-name>,<dc2-name>"}'

      Replace <dc1-name> and <dc2-name> with the actual domain controllers that were used during the RecoveryManager Plus account configuration.

    • The ports required for the WinRM listener on the domain controller might be blocked:

      To fix this issue, make sure the following inbound ports on the domain controller are open: 389, 5985, 5986, and 445. To test the connection to the domain controller from the RecoveryManager Plus server, run the following PowerShell command:

      tnc <DC-name> -port <port-number>

    • The configured service account may not have the necessary permissions:

      To fix this issue, add the service account to AD's built-in Administrators group.

  4. Command not found

    5. This issue occurs when the group policy module is not present in the DC. 

    Note: If you are using a Window Server 2008 DC, contact RecoveryManager Plus support to resolve your issue. For all other versions of DCs, follow the steps listed below. 

    Check if group policy module is installed in the DC. If not, install it by following the steps listed below.

    • Log in to the DC and launch Server Manager.
    • In Server Manager, select Features in the left pane and then click Add Features in the Features pane. This starts the Add Features Wizard.
    • On the Select Features page, select Group Policy Management, click Next and then click Install.

  5. GPO was not found

    6. This issue occurs when the GPO that is to be backed up is not  found in the environment. This might be due to orphaned GPOs being present in the environment.

    • Log in to the DC and open GPMC. Check if the particular GPO is available and try again.

  6. Object reference not set to an instance of an object

    7. This behavior occurs if a user or a group name that is referenced in a Group Policy Object corresponds to an abbreviation that is defined for a built-in group that is used by the Security Descriptor Definition Language (SDDL) format. For example, this behavior occurs if you name a user or a group "SA." The "SA" abbreviation corresponds to the SDDL security identifier (SID) string that represents the built-in Schema Admins group.

    If a user name or a group name matches an SDDL abbreviation that is defined for a built-in group, a function that is called by the Group Policy Management Console treats the user name or the group name as a SID. Therefore, the backup fails.

    To fix this issue, 

    • Use the Active Directory Users and Computers snap-in to change the name of the user or the group that corresponds to one of the abbreviations that is used by SDDL.

  7. The system cannot open the specified device or file

    8. This error occurs when the account used to configure RecoveryManager Plus does not have privileges to access the GPO containers.

    • Make sure that the account has sufficient privileges to access the GPO containers.

  8. Error HRESULT E_FAIL has been returned from a call to a COM component

    9. This error occurs when the specific GPO is corrupted or when it cannot be copied or imported to GPMC.

    Contact Microsoft support or delete and recreate the GPO.

  9. The library, drive, or media pool is empty

    10. This error occurs when a Folder Redirection Policy is set for a GPO. This issue occurs due to an SID change in machines running Windows Server 2003 or higher.

    These issues occur because the Folder_Redirection section of the .ini files is larger than 32,767 characters. However, the limit for the combined SID list for all folders is 32,767 characters. For more information on this issue, click here.

    To solve this issue,

    • Split the policy into smaller policies. Make sure that the total size of each policy file is smaller than the 32,767 character limit.

  10. The specified directory service attribute or value does not exist

    11. This error might occur if the service account does not have enough privileges to read the specific Group Policy container.

    To fix this issue, perform the following steps:

    1. Run a backup schedule after assigning the necessary permissions to the service account using the Group Policy Management Console (GPMC).
    2. If the backup fails again, or if the GPO was not found in the GPMC, find the appropriate container ID or distinguished name from the backups.

      3. specified directory service attribute

    3. To find the container, log in to the domain controller with the service account. The container will appear in AD Service Interfaces Editor (ADSI Edit) under Default naming context > DC=<domain-name>,DC=com > CN=System > CN=Policies.

      4. specified directory service attribute

    4. Make the GPO available in the GPMC. If you do not require that GPO, delete it from here, and it will stop reappearing in RecoveryManager Plus' GPO backup report pop-up.
  11. The system cannot find the path specified.

    12. This issue occurs when the GPO container is not present in the SYSVOL folder.

    To fix this issue, try either of the following steps.

    • If you have multiple DCs in your domain, you can restore the GPO container from another DC.
    • Re-build the missing GPO Policy folder structure.

  12. The data is invalid.

    • %ALLUSERSPROFILE%\Application Data\Microsoft\Group Policy\History contains a copy of the preferences contained in GPOs:

      If the copy process fails, an invalid XML file may be left in one of the subdirectories, thus generating this error. To fix this issue, create a clean copy of the GPO by following the steps listed below:

      1. Log in to the domain controller and open File Explorer.
      2. Navigate to %ALLUSERSPROFILE%\Application Data\Microsoft\Group Policy\History.
      3. Delete all subdirectories.
      4. Open Command Prompt and execute the command gpupdate.
      5. Verify that the subdirectories appear under

        %ALLUSERSPROFILE%\Application Data\Microsoft\Group Policy\History.

  13. Unknown errors.

    14. Contact support@recoverymanagerplus.com to resolve this issue.
Navigate to next Previous Topic Next Topic Navigate to next

Copyright © 2023, ZOHO Corp. All Rights Reserved.