Group Policy Access Denied for computer policy only

I have 4 Windows 7 Professional Computers in a domain on Windows Server 2012 Essentials. Computer-2 and Computer-3 are identical hardware.

Computer-1 - oldest of the bunch, everything works fine

Computer-2 - Group Policy for users applies just fine, folder redirection and anything else I attempt to do with GPO for users works flawlessly. The problem is that it fails to apply anything from the policies that apply to the computer.

Computer-3 - Identical problems to Computer-2. I cloned the hdd from this computer and put the clone in Computer-2 before I joined either of them to the server.

Computer-4 - Newest rig, everything works fine.

I used gpupdate /force on both computer-2 and computer-3, and on both I get an event in the event log. I used gpresult /h and both computers give me a report like this:

Group Policy Infrastructure failed due to the error listed below.

Access is denied. 

Note: Due to the GP Core failure, none of the other Group Policy components processed their policy. Consequently, status information for the other components is not available.

Additional information may have been logged. Review the Policy Events tab in the console or the application event log for events between 2/24/2013 9:22:32 PM and 2/24/2013 9:22:33 PM.

I found some instructions for testing name resolution for the server in nslookup

C:\Windows\system32>nslookup
Default Server:  UnKnown
Address:  fe80::a4a4:ca5c:25ac:4b93

> set q=srv
> _ldap._tcp.dc._msdcs.COMPTONIRR.local
Server:  UnKnown
Address:  fe80::a4a4:ca5c:25ac:4b93

_ldap._tcp.dc._msdcs.COMPTONIRR.local   SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = office-server.comptonirr.local
office-server.comptonirr.local  internet address = 10.0.1.8
office-server.comptonirr.local  internet address = 10.0.1.200

and everything seems to check out.

If it helps, both computer-2 and computer-3 show "Not Applicable" under the Group Policy column in the Devices tab in the Dashboard and periodically pop up with a computer monitoring error:

Can only partially assess the health of this computer. The failing components are: DevicePeoviderReporting!DomainJoinStatusInfo

I then removed Computer-3 from the domain, changed its name to Computer-5, and rejoined it with the server 2012 connector software. The same problems occurred.

More details - these 3 messages appear frequently on both computer-2 and the newly designated Computer-5

Log Name:      System
Source:        Microsoft-Windows-GroupPolicy
Date:          2/25/2013 6:12:21 PM
Event ID:      1055
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      COMPUTER-5.COMPTONIRR.local
Description:
The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following: 
a) Name Resolution failure on the current domain controller. 
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}" />
    <EventID>1055</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>1</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2013-02-26T00:12:21.664926800Z" />
    <EventRecordID>8689</EventRecordID>
    <Correlation ActivityID="{A6B3851A-1280-42F1-A35B-A5A6DD3ABACE}" />
    <Execution ProcessID="124" ThreadID="1152" />
    <Channel>System</Channel>
    <Computer>COMPUTER-5.COMPTONIRR.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="SupportInfo1">1</Data>
    <Data Name="SupportInfo2">1632</Data>
    <Data Name="ProcessingMode">2</Data>
    <Data Name="ProcessingTimeInMilliseconds">1529</Data>
    <Data Name="ErrorCode">5</Data>
    <Data Name="ErrorDescription">Access is denied. </Data>
  </EventData>
</Event>

Log Name:      System
Source:        LsaSrv
Date:          2/25/2013 6:12:21 PM
Event ID:      40961
Task Category: None
Level:         Warning
Keywords:      
User:          SYSTEM
Computer:      COMPUTER-5.COMPTONIRR.local
Description:
The Security System could not establish a secured connection with the server ldap/OFFICE-SERVER.COMPTONIRR.local/COMPTONIRR.local@COMPTONIRR.LOCAL. No authentication protocol was available.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="LsaSrv" Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" />
    <EventID>40961</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2013-02-26T00:12:21.591922600Z" />
    <EventRecordID>8688</EventRecordID>
    <Correlation />
    <Execution ProcessID="492" ThreadID="600" />
    <Channel>System</Channel>
    <Computer>COMPUTER-5.COMPTONIRR.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="Target">ldap/OFFICE-SERVER.COMPTONIRR.local/COMPTONIRR.local@COMPTONIRR.LOCAL</Data>
  </EventData>
</Event>

Log Name:      System
Source:        NETLOGON
Date:          2/25/2013 6:12:10 PM
Event ID:      5719
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      COMPUTER-5.COMPTONIRR.local
Description:
This computer was not able to set up a secure session with a domain controller in domain COMPTONIRR due to the following: 
There are currently no logon servers available to service the logon request. 
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.  

ADDITIONAL INFO 
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="NETLOGON" />
    <EventID Qualifiers="0">5719</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-02-26T00:12:10.000000000Z" />
    <EventRecordID>8601</EventRecordID>
    <Channel>System</Channel>
    <Computer>COMPUTER-5.COMPTONIRR.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>COMPTONIRR</Data>
    <Data>%%1311</Data>
    <Binary>5E0000C0</Binary>
  </EventData>
</Event>

February 26th, 2013 9:42pm

Hi,

1. On the DC check the SYSVOL folder ACL list, make sure there is no Deny permission on the problematic computer in it.
2. On the problematic computers, check the Group Policy Event log for any error/message.
3. Collect Gpsvc log on the clients for analyzing:
http://blogs.technet.com/b/mempson/archive/2010/01/10/userenvlog-for-windows-vista-2008-win7.aspx

Regards,
Cicely

February 27th, 2013 11:05am

1. No Deny permissions on SYSVOL. In fact, I have even completely changed the name of the problematic computer and rejoined it to the domain, and the issue prevails.

2. The only group policy errors I got are event ID 1055 in the first post.

3. http://sdrv.ms/V8fT7m


February 27th, 2013 12:03pm

Hi,

I couldn't open Gpsvc log with the link. What's the error code of the event 1055?

Event ID 1055 Group Policy Preprocessing (Security)
http://technet.microsoft.com/en-us/library/cc727272(v=WS.10).aspx

Regards,
Cicely

March 6th, 2013 11:34am

Hi there demonspork, did you ever resolve this issue? I am having exactly the same symptoms, and cannot figure this out...

May 19th, 2013 10:50pm

No. My solution was re-installing the machines in question.
May 20th, 2013 7:30am

OK! I think I have finally figured out what was going on here, and I have resolved the issue. Writing this down here for future reference.

The root problem was a rogue cached credential under the Local System account. This was preventing the Local System account from logging on to the domain using the domain computer account. I think the rogue credential was a lingering item from my prior home network configuration using Windows Home Server 2011.

To resolve the issue, I had to find and delete the rogue credential under the Local System account. This is what I did:

  1. Use SysInternals PsExec to open a command prompt under the Local System account [http://technet.microsoft.com/en-us/sysinternals/bb897553]:
    From an Administrator command prompt: PsExec.exe -i -s cmd.exe
  2. Open the Stored User Names and Passwords app under the Local System account:
    From the System account command prompt: rundll32.exe keymgr.dll, KRShowKeyMgr
  3. You should now see the credentials that are cached under the Local System account. Review the list for rogue suspects, and remove them. For me, this was straightforward. There were two credentials listed: one rogue cred (from my old WHS2011 config I suspect), and a second called virtualapp/didlogical. When I reviewed the credentials on machines that were working, they only had the virtualapp/didlogical credential listed.

I removed the rogue credential, and then gpupdate worked like a charm! Also, running klist -li 0x3e7 now shows a nice healthy set of Kerberos tickets for the Local System account. All is good.

I hope this saves someone else a bunch of time in future.

June 15th, 2013 9:18pm
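The checks above (the SRV lookup from the first post and the Local System credential review and klist check from this post) can be run in one pass without opening the GUI. This is an added script, not code from the thread; it assumes an elevated PowerShell prompt on the affected workstation, Sysinternals PsExec.exe on PATH, and that virtualapp/didlogical is the only credential expected under Local System on a healthy machine (the domain name and that baseline are parameters).

```powershell
# Added diagnostic, not code from the thread. Assumes: an elevated PowerShell prompt on the
# affected workstation, Sysinternals PsExec.exe on PATH, and that 'virtualapp/didlogical' is
# the only credential expected under Local System (as the thread reports on healthy machines).
param(
    [string]$Domain = 'comptonirr.local',
    [string[]]$ExpectedTargets = @('virtualapp/didlogical')
)

# 1. DC locator check: the SRV query the thread ran by hand in nslookup.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
foreach ($rec in ($srv | Where-Object { $_.Type -eq 'SRV' })) {
    Write-Host ("DC SRV record: {0} port {1} (priority {2}, weight {3})" -f
        $rec.NameTarget, $rec.Port, $rec.Priority, $rec.Weight)
}

# 2. List the credentials stored under the Local System account. 'cmdkey /list' run as
#    SYSTEM (PsExec -s) reads the same store that keymgr.dll shows in the thread's step 2;
#    the PsExec banner goes to stderr and is discarded.
$cmdkeyOut = & PsExec.exe -accepteula -s cmdkey /list 2>$null
$targets = foreach ($line in $cmdkeyOut) {
    # cmdkey prints e.g. "Target: LegacyGeneric:target=virtualapp/didlogical";
    # strip the type prefix so the value matches what cmdkey /delete expects.
    if ($line -match '^\s*Target:\s*(?:[A-Za-z]+:target=)?(.+?)\s*$') { $Matches[1] }
}
$unexpected = @($targets | Where-Object { $ExpectedTargets -notcontains $_ })
if ($unexpected.Count -gt 0) {
    Write-Warning "Credentials under Local System not in the expected baseline:"
    foreach ($t in $unexpected) {
        Write-Warning "  $t"
        # Once a target is confirmed stale, the thread's fix is to delete it under SYSTEM:
        #   PsExec.exe -s cmdkey /delete:"$t"
    }
} else {
    Write-Host "Only expected credentials found under Local System: $($targets -join ', ')"
}

# 3. Kerberos state of the SYSTEM logon session (LUID 0x3e7), as the thread checks with klist.
#    The thread's author used a populated ticket list here as the sign that the fix took.
$klist = & PsExec.exe -accepteula -s klist -li 0x3e7 2>$null
$klist | Where-Object { $_ -match 'Cached Tickets' } | ForEach-Object { Write-Host $_.Trim() }
$klist | Where-Object { $_ -match '^\s*Server:' } | ForEach-Object { Write-Host "  $($_.Trim())" }
```

The script only reports; deleting a credential is left as the commented manual step so an entry is reviewed before it is removed.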

BAM. You knocked it out of the ballpark. In my situation, I had installed Windows Server 2012 Essentials and connected the first computer to it, but then we decided to change the domain name, which doesn't work right on Server 2012 Essentials unless you re-install and go through the setup again. Then, the next time I installed, I connected it again and it must have kept the credentials somehow, causing this glitch. Both computers had it because I made one from the image of the other. I did those steps and it worked perfectly.

July 13th, 2013 7:33pm
