Invalid directory pathname trying to back up GPO

DFSR replication seems to be broken in my domain, and before starting to fix that, I wanted to take backups of the current Group Policy Objects. However, I am unable to back up the Default Domain Policy, as Group Policy Management -> Default Domain Policy -> Back up GPO simply fails with the error "An invalid directory pathname was passed", and PowerShell Backup-GPO fails with "Exception from HRESULT: 0x80005000".

I did find the earlier question "Diagnosing why a Group Policy Object is inaccessible", which does seem very similar (though the GPO is accessible through Group Policy Management insofar as being able to modify it). However, restoring the default permissions to the GPO as indicated using ADSI Edit didn't help. It didn't fail either; however, switching back to Group Policy Management and re-selecting the Default Domain Policy did note that the filesystem permissions were not in sync with Active Directory and offered to fix them, which I allowed. Even after this, backing up the GPO fails as above. (I subsequently went through all of the sub-folders under the GPO's CN, and reset them to default permissions as well, though I didn't notice any of them not being there already.)

dsacls "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=my,DC=domain" does not (and did not) list any Deny rules (exact output), so I'm at a loss – what could be causing the access problems?

Update 2013-08-27:

As suggested by Douda, I looked at ProcMon dumps of powershell.exe trying to run Backup-GPO on the Default Domain Policy, and noticed a few significant differences compared to the dump Douda kindly provided:

In the very beginning, I get NAME NOT FOUND results from CreateFile operations on four directories immediately under the GPO directory \\servername\sysvol\domainname\Policies\{31b2f340-016d-11d2-945f-00c04fb984f9}: UserStaging, MachineStaging, UserOld, and MachineOld.
After Backup-GPO has read Registry.pol under MACHINE and USER, I get a NAME NOT FOUND result from a CreateFile operation on …\Adm
Finally, I also get an ACCESS DENIED result from …\MACHINE\microsoft\windows nt\SecEdit on a QuerySecurityFile operation. There is a hex value 0x20 as information in the details, but I don't know the significance of this.

I checked the permissions on the SecEdit folder referred to above (as well as CN=System/CN=Policies/CN={guid}/CN=Machine/CN=Microsoft/CN=Windows under ADSI Edit), and they seem to be permissive enough as far as I can tell. The results are essentially identical from the two DCs.

Best Answer

I will be honest, your issue is pretty unusual. I worked a lot with GPO and never saw this error. I might be wrong, but it seems that you're too focused on the ACLs side in your troubleshoot. As the issue is only related to your root GPO, I could suggest you to do some manual digging :

"manually" backup the GPO (copy the content of \servername\sysvol\domainname\Policies{31B2F340-016D-11D2-945F-00C04FB984F9}
compare hashs between different DC (might look stupid, but already happened to me and drove me crazy : Replication corruption)

Did you try to backup from a different DC to see if you reproduce the error on your whole domain ?

Best Answer

Related Solutions

Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9}

Prevent access to specific drives from My Computer in Windows Server 2008 R2

Related Topic