When I run gpupdate on my workstation, I get the following errors.
- Computer policy could not be updated successfully. The following errors were encountered:
- The processing of Group Policy Failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
- a) Name Resolution failure on the current domain controller.
- b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
- User Policy could not be updated successfully. The following errors were encountered:
- The processing of Group Policy Failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call Failed). Look in the details tab for error code and description.
- To diagnose the failure,review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.
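Running gpresult /h reports that the user has no RSoP data.
Looking at the event log, I can see error code 49 Invalid Credentials associated with gpupdate. However, when I test the LDAP bind with ldp.exe, the credentials work fine.
Has anyone seen a problem like this? I'm pulling my hair out trying to figure out what is going on.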
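I was able to solve this myself. It turned out that the local computer account had cached bad credentials that were (correctly) failing. Thanks to @greg-askew for pointing me in the right direction. For those who stumble upon this looking for a solution:
- Download PsExec (part of Sysinternals) from https://technet.microsoft.com/en-us/sysinternals/pxexec.aspx
- From an elevated command prompt, run PsExec.exe -i -s cmd.exe (this opens another command window in the context of the local computer account).
- From that window, run rundll32.exe keymgr.dll,KRShowKeyMgr (this opens a GUI with the list of cached credentials).
- In that GUI, delete any credentials that look suspicious (in my case, the credential was named after my PDC).
After removing the credentials from the cache, it immediately started working again.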
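
An added example, not part of the original answer: a PowerShell check that reads the same stored-credential list from the command line (`cmdkey /list`) and flags entries whose target is a domain controller, which is the kind of entry the answer removed. It assumes English `cmdkey` output; the sample output, the `PDC01` and `CONTOSO` names, and both function names are constructed for illustration.

```powershell
# Added example. Parses `cmdkey /list` output and flags stored credentials
# whose target names a domain controller.
# To inspect the store of the local computer account (SYSTEM), capture real
# output from an elevated prompt with:  PsExec.exe -s cmdkey /list
# The sample below is constructed so the script runs offline.
$sample = @'
Currently stored credentials:

    Target: Domain:target=PDC01
    Type: Domain Password
    User: CONTOSO\old-admin

    Target: Domain:target=fileserver.contoso.example
    Type: Domain Password
    User: CONTOSO\backup
'@ -split '\r?\n'

# Hypothetical domain controller names; replace with your own.
$dcNames = @('PDC01', 'PDC01.contoso.example')

function ConvertFrom-CmdkeyList {
    param([string[]]$Lines)
    $entry = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Target:\s*(.+)$') {
            # A new Target line starts a new entry; emit the previous one.
            if ($entry) { [pscustomobject]$entry }
            $entry = [ordered]@{ Target = $Matches[1].Trim(); Type = $null; User = $null }
        } elseif ($entry -and $line -match '^\s*Type:\s*(.+)$') {
            $entry.Type = $Matches[1].Trim()
        } elseif ($entry -and $line -match '^\s*User:\s*(.+)$') {
            $entry.User = $Matches[1].Trim()
        }
    }
    if ($entry) { [pscustomobject]$entry }
}

function Find-DcCredential {
    param([object[]]$Entries, [string[]]$DcNames)
    foreach ($e in $Entries) {
        # cmdkey prints targets as "<kind>:target=<name>"; compare only <name>.
        $name = $e.Target -replace '^.*target=', ''
        if ($DcNames -contains $name) { $e }   # -contains is case-insensitive
    }
}

$entries = ConvertFrom-CmdkeyList -Lines $sample
Find-DcCredential -Entries $entries -DcNames $dcNames | Format-Table Target, Type, User -AutoSize
```

With the constructed sample, only the `PDC01` entry is listed; the file server entry is left alone.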