Reply To: How To Fix The "Security Policy Cannot Be Propagated" Event 1001 SceCli

IT Support Forum Forums Active Directory Group Policy Troubleshooting How To Fix The "Security Policy Cannot Be Propagated" Event 1001 SceCli Reply To: How To Fix The "Security Policy Cannot Be Propagated" Event 1001 SceCli

#1883
ajdsi
Participant

I had this issue with the same error code on our Default Domain Controllers Policy. This error started after running adprep when preparing the Server 2008 domain for Server 2012 R2 DC’s.

The error was occurring on all 3 of our domain controllers. When attempting to backup the Default Domain Controllers Policy, it would error out saying the GPO could not be accessed. When editing the Default Domain Contollers Policy and browsing to Computer Configuration>Policies>Windows Settings>Security Settings I would get a template error.

Seeing how we had no backups of the GPO, and my predecessor had no documentation on any configuration changes that were done to the policy, I was hesitant to do a full reset in production. Instead, I used the above
“dcgpofix /target:dc” on my lab DC. I then opened “\\dc\sysvol\domain\Policies\{GUID}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf” on the lab DC and compared it to the production GpTmpl.inf located in the same directory. I noticed that there was no [Unicode] preceding the Unicode switch, there was only “Unicode=Yes”. After removing [Unicode] on my error-free lab DC I saw the same error which confirmed this was most likely the issue. I then felt confident to add this line to a production DC’s GptTmpl.inf, which then replicated to the other two DC’s. Shortly after editing the SceCli error ceased on all DC’s, and everything seems to be humming along without issue.

Just wanted to share my experiences as I didn’t find much regarding the “Error code= -536870656” SceCli error.

Backup GPO’s….lesson learned.