Windows – Error – ” Windows cannot access the file gpt.ini for GPO”

Background

Started receiving an error in the Event Viewer. The error reads “Windows cannot access the file gpt.ini for GPO“.

The error is sourced to Userenv.

Error List

The error has been flooding our event viewer and it looks like this.

listofErrors

 

Error Message

Image

Error

 

Text


Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=LABDOMAIN,DC=com. The file must be present at the location <\\labdomain.com\sysvol\labdomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied. ). Group Policy processing aborted. 

What is gpt.ini?

gpt.ini is a configuration file for Group Policy.

 

Troubleshooting

\\DOMAIN-NAME\SYSVOL fails, Domain-Controller\SYSVOL works

Googling suggests confirming that trying to access \\domain-name\SYSVOL fails, while attempting a hit on \\COMPUTER\SYSVOL works.

\\DOMAIN-NAME\SYSVOL fails

Windows – Explorer

When we try to access \\domain-name\SYSVOL from Windows Explorer, here is the message we received.

Domain-SYSVolIsNotAccessible

Command Line

On the other hand, when we try accessing from Command Prompt, we get the error pasted below:

Query

dir \\domain-name\SYSVOL

Response

Image

InformationCanNotbeRead

Textual

Configuration information could not be read from the domain controller, either because the
machine is unavailable, or access has been denied.

Resolution

Microsoft Support

Best help came from:

  1. You cannot open file shares or Group Policy snap-ins on a domain controller
    https://support.microsoft.com/en-us/kb/839499

Summary

A quick summary of the help is to do the following:

  1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
    • Set enablesecuritysignature to 1
    • Set requiresecuritysignature to 0
  2. Restart affected services
    • Server Service
    • Workstation Service

 

Actual Steps

Effect Registry Change

Here are the steps we will take to effect the registry change.

Capture current settings

Command Line


REM HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
set _computer=LABDB
set _subtree=HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
set _subtreeTargeted=\\%_computer%\%_subtree% 
set _entry=signature

REG QUERY %_subtreeTargeted% | find "%_entry%"

 

Make changes

Command Line


@ECHO OFF
REM HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
set _computer=LABDB
set _subtree=HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
set _subtreeTargeted=\\%_computer%\%_subtree% 
set _entry=requiresecuritysignature
set _value=0

ECHO BEFORE
ECHO ------
REG QUERY %_subtreeTargeted% /v %_entry%

REG ADD %_subtreeTargeted% /v %_entry% /t REG_DWORD /d %_value% /f

ECHO AFTER
ECHO ------
REG QUERY %_subtreeTargeted% /v %_entry%

 

Restart affected services

Using the services applet restarted Server and Workstation Service.

Anti-Virus

AntiVirus applications can and will cause blind problems.  In this case, it is important to exclude the C:\Windows\Sysvol folders on Active Directory servers.

Microsoft – System Center Endpoint Protection

ExcludeFileLocations

 

Summary

Our problem seems to be related to Security Signatures.  There are two sides to it, enabled and required.

In our sample case, both enabled and required were previously set to 1.

We kept the enabled requirement, but alleviated the required constraint.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s