I am getting the following SCOM alert about “Active Directory GPO lookup failure” from one of our domain controllers (dc-server1) that is running on Windows Server 2003 OS. The rest of the domain controllers are on Windows 2008 and 2012 (domain functional level is 2003). I did enable UserEnv logging and am attaching the userenv.log that I captured. I am also attaching the events that appear to be relevant in the event logs on dc-server1.
I have a suspicion that this could be caused by another issue that we are experiencing, but I am not 100% sure, hence I wanted to ask you to confirm. The other issue is: we have a domain account called "stuffadmin" which gets locked up every 10 minutes or so. Most likely there is a job or service running somewhere that has an old password for this account and is locking the account with bad password requests. I tried to track it. From the PDC (p-dc1) I traced it to the domain controller above (dc-server1), and from there to a server that is running "E:\Program Files (x86)\Spiceworks\spiceworks_desktop.exe" among other things. I wasn’t able to find the exact process or program that is trying to use that account. Some of the event logs below complain about that specific account at the same time that the SCOM error was issued.
The SCOM alert and event logs are below; userenv.log and userenv.bak can be downloaded by clicking on their names.
Alerts and Event Logs:
Machine account policy failure - Active Directory GPO lookup failure
Alert Description
Source: dc-server1
Full Path Name: dc-server1.TheCompany.com\dc-server1
Alert Rule: Machine account policy failure - Active Directory GPO lookup failure
Created: 5/5/2016 3:20:52 PM
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.
Knowledge: View additional knowledge...
Summary
UserEnv experienced an error applying Group Policy to the domain controller. Group Policy must be applied successfully for domain controllers to function properly because domain controllers get several critical permissions, such as Access this computer from
network, through policy. Because of the architecture of UserEnv, Microsoft Operations Manager (MOM) is unable to directly report the specific problem.
Sample Event: Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.
Causes: This may indicate that the Active Directory® directory service has failed. Problems with replication are the main cause of this error.
Resolutions
To enable UserEnv logging, see Knowledge Base article 221833, “How to Enable User Environment Debug Logging in Retail Builds of Windows,” at http://go.microsoft.com/fwlink/?LinkId=25636. The log file provides details for the specific error.
External Knowledge Sources
• Microsoft Help and Support for Microsoft Windows Server 2003
• Microsoft Knowledge Base
--- Application Log ---
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Date: 5/5/2016
Time: 3:20:52 PM
User: TheCompany\stuffadmin
Computer: dc-server1
Description: Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1058
Date: 5/5/2016
Time: 3:20:52 PM
User: TheCompany\stuffadmin
Computer: dc-server1
Description: Windows cannot access the file gpt.ini for GPO cn={D2192853-520B-42FC-86BC-D09381B1FA45},cn=policies,cn=system,DC=TheCompany,DC=com. The file must be present at the location <\\TheCompany.com\SysVol\TheCompany.com\Policies\{D2192853-520B-42FC-86BC-D09381B1FA45}\gpt.ini>. (The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you. ). Group Policy processing aborted.
--- System Log ---
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 5/5/2016
Time: 3:20:52 PM
User: N/A
Computer: dc-server1
Description: The Security System detected an authentication error for the server cifs/p-dc1.TheCompany.com. The failure code from authentication protocol Kerberos was "The referenced account is currently disabled and may not be logged on to. (0xc0000072)".
Data:
0000: 72 00 00 c0 r..À
--- Directory Service Log ---
Event Type: Warning
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1083
Date: 5/5/2016
Time: 3:35:58 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: dc-server1
Description: Active Directory could not update the following object with changes received from the domain controller at the following network address because Active Directory was busy processing information.
Object: CN=Workstation Adminstation,OU=Admins,OU=IT,OU=El Dorado,DC=TheCompany,DC=com
Network address: a1cb9e05-9ec2-4c82-b344-dcf52d3760ef._msdcs.TheCompany.com
This operation will be tried again later.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
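The lockout trace the poster describes (PDC emulator, then the DC named in the lockout event, then the server sending the bad passwords) can be scripted rather than walked by hand. The script below is an added example, not part of the original post; it assumes the ActiveDirectory module and RPC/event-log access to the DCs, that the 2003 DC still logs the legacy event IDs (675/681 rather than 4771/4776), and that event messages are in English because the fields are pulled from the message text.

```powershell
# Added example: trace which host keeps locking "stuffadmin" (account name taken from the post).
Import-Module ActiveDirectory
$Account = 'stuffadmin'
$Pdc     = (Get-ADDomain).PDCEmulator        # p-dc1 in the poster's domain; lockouts are replicated here first

function Get-LockoutCallers {
    param([string]$Dc, [string]$User, [int]$Hours = 24)
    # 4740 = "A user account was locked out" (2008+). Properties[0] is TargetUserName;
    # "Caller Computer Name" in the message is the DC or client that submitted the bad passwords.
    Get-WinEvent -ComputerName $Dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) } |
      Where-Object { $_.Properties[0].Value -eq $User } |
      ForEach-Object {
          $caller = if ($_.Message -match 'Caller Computer Name:\s+(\S+)') { $Matches[1] } else { '?' }
          [pscustomobject]@{ Time = $_.TimeCreated; Dc = $Dc; Caller = $caller }
      }
}

function Get-BadPasswordSources {
    param([string]$Dc, [string]$User, [int]$Hours = 24)
    # Kerberos pre-auth failures: 4771 (2008+) / 675 (Server 2003). NTLM failures: 4776 / 681.
    # Get-EventLog reaches the legacy 2003 event log where Get-WinEvent remoting may not.
    Get-EventLog -ComputerName $Dc -LogName Security -After (Get-Date).AddHours(-$Hours) `
                 -InstanceId 4771, 675, 4776, 681 -ErrorAction SilentlyContinue |
      Where-Object { $_.Message -match "(Account Name|User Name|account):\s+$User\b" } |
      ForEach-Object {
          $src = if ($_.Message -match '(Client Address|Source Workstation|Workstation Name|from workstation):\s+(\S+)') {
                     $Matches[2] } else { '?' }
          [pscustomobject]@{ Time = $_.TimeGenerated; Dc = $Dc; EventId = $_.InstanceId; Source = $src }
      }
}

function Get-AccountUsages {
    param([string]$Computer, [string]$User)
    # On the source server, list services and scheduled tasks configured to run as the account:
    # a stale stored password in one of these is the usual cause of a lockout every few minutes.
    Get-WmiObject Win32_Service -ComputerName $Computer |
      Where-Object { $_.StartName -match $User } | Select-Object PSComputerName, Name, StartName
    schtasks /query /s $Computer /v /fo csv | ConvertFrom-Csv |
      Where-Object { $_.'Run As User' -match $User } | Select-Object TaskName, 'Run As User'
}

# Step 1: lockout events on the PDC name the DC that reported them (dc-server1 in the post).
$callers = Get-LockoutCallers -Dc $Pdc -User $Account
$callers | Format-Table -AutoSize
# Step 2: on each such DC, the pre-auth/NTLM failures name the client sending the bad password.
$sources = foreach ($dc in ($callers.Caller | Sort-Object -Unique)) { Get-BadPasswordSources -Dc $dc -User $Account }
$sources | Format-Table -AutoSize
# Step 3: on each client, find what is configured to run as the account.
foreach ($srv in ($sources.Source | Sort-Object -Unique | Where-Object { $_ -ne '?' })) { Get-AccountUsages -Computer $srv -User $Account }
```

Client addresses in 4771 may appear as IPv4-mapped IPv6 (::ffff:a.b.c.d); resolve them before step 3 if the server name is needed.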