<p>One of our clients reported that newly created policies are not being applied on several member servers in a domain. I have run <strong>gpupdate</strong><strong> /force</strong> command and checked logs on the server. I have discovered an error in applying group policy objects on the problematic server.</p>
<p>What is interesting, there was no error reported in applying Group Policy objects.</p>
<p><a href="https://www.wincert.net/wp-content/uploads/2018/03/gp_update.png"><img class="alignnone wp-image-2472 size-full" title="cannot access template" src="https://www.wincert.net/wp-content/uploads/2018/03/gp_update.png" alt="cannot access template" width="524" height="62" /></a></p>
<p>The error was:</p>
<p>Security policy cannot be propagated. <strong>Cannot access the template. Error code = 3</strong>. Along with this information, there was UNC path to the policy object that was not found on the DC.</p>
<p><a href="https://www.wincert.net/wp-content/uploads/2018/03/gp_update-2-1.png"><img class="alignnone wp-image-2475 size-full" title="cannot access template" src="https://www.wincert.net/wp-content/uploads/2018/03/gp_update-2-1.png" alt="cannot access template" width="671" height="516" /></a></p>
<p>After that, I have checked the path specified in the error, but I wasn&#8217;t able to access it as this policy was missing on that particular Domain Controller. When I have compared the same path on 2 different domain controllers I have found out that this &#8220;problematic&#8221; DC doesn&#8217;t have all the required policies in its SYSVOL folder. 2 policies were missing.</p>
<p><a href="https://www.wincert.net/wp-content/uploads/2018/03/gp_update-3.png"><img class="alignnone wp-image-2476 size-full" title="cannot access template" src="https://www.wincert.net/wp-content/uploads/2018/03/gp_update-3.png" alt="cannot access template" width="601" height="163" /></a><a href="https://www.wincert.net/wp-content/uploads/2018/03/gp_update-4.png"><img class="alignnone wp-image-2477 size-full" title="cannot access template" src="https://www.wincert.net/wp-content/uploads/2018/03/gp_update-4.png" alt="cannot access template" width="532" height="112" /></a></p>
<p>I have run <strong>repadmin /syncall </strong>command on the problematic DC in order to see if there are any issues in replication between domain controllers.</p>
<p>The replication went without errors, but the <strong>SYSVOL</strong> folder still wasn&#8217;t synched. In order to temporarily fix this problem, I had to change the Domain Controller this server was pointed to.</p>
<p>To Switch Domain Controller please do the following:</p>
<p>Run <strong>CMD</strong> on the server where group policy is not applying properly. Now type:</p>
<p><strong> /Server:%Servername% /SC_RESET:%DomainName\DomainControllerName%</strong></p>
<p>Change <strong>%Servername%</strong> and <strong>%DomainName\DomainControllerName%</strong> with your data, then run <strong>gpupdate /force </strong>again. The policy should be applied now and there should be no more errors in the event viewer regarding this issue.</p>
<p>Once I discover the source of the problem with this Domain Controller I will update the post.</p>

Cannot access template. Error code = 3
