Cannot backup GPO – Error Invalid Pointer

 

Symptoms:

When you try to backup GPO via GPMC.MSC you receive an error message that contains the description

Backup of GPO failed. Error [Invalid pointer]

When using Powershells Backup-GPO command the result is even more dubious:

Object reference not set to an instance of an object.

 

Cause:

Although searching for “Invalid pointer” in internet returns the proper result (first reference below) the description in this article is insufficient and the workaround is also not always optimal.

The problem is caused by user principal name (aka Pre-2000 user logon name under Account options in ADUC user properties) that coincides with well-known SIDs.

The problem with the article itself is that is not explaining where to search for the user of high renown.

 

Resolution:

  1. Typically you will start to search in the GPO settings:

First create a report for the GPO

Get-GPOReport -Name “Default Domain Policy” -ReportType XML -Path .\Desktop\DDPReport.xml

Then search for all user entries, e.g. using Notepad++ or something like the script below

Select-String -path “.\Desktop\DDPReport.xml” -Pattern “Name xmlns=`”http://www.microsoft.com/GroupPolicy/Types`”” -SimpleMatch -Context 2,1

If the output returns some values matching the well-known SIDs in SDDL then check if they are in the SecurityDescriptor namespace or under Computer or User namespaces. The former can be redeemed through editing the security settings for the GPO itself (Edit… / Right-click on the policy name in the GP Management Editor / Select Properties / Security). The screenshot below shows a typical example of user with alias “PS” that is reserved from SDDL for the Principal self.

If the matches are under Computer or User namespaces then you will have to adjust the policy settings themselves, i.e. go under Computer Configuration or User Configuration and manually fix things.

Only in case that the user SHOULD be left where he is, you are required to change his user logon name. In case that you either don’t need this user, or you can put it in security group, this workaround should be preferred.

  1. Rarely it is possible that the GPO report doesn’t output anything useful:

Enable GPMC logging. This is by default off. You have to switch it to verbose mode, since the problem described here is not caught in error mode. Either copy and paste the text below to a .reg file or create the values manually

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics]

“gpmgmttracelevel”=dword:00000002

“gpmgmtlogfileonly”=dword:00000001

Close and re-open the management console. Reproduce the problem. Open %TEMP% and look for gpmgmt.log. Mein was under %TEMP%\2.

Search for lines including [WARNING] and google around for similar symptoms.

 

References:

https://support.microsoft.com/en-us/kb/867462

https://technet.microsoft.com/en-us/library/cc737379(v=ws.10).aspx

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s