How To Fix The "Security Policy Cannot Be Propagated" Event 1001 SceCli

IT Support Forum Forums Active Directory Group Policy Troubleshooting How To Fix The "Security Policy Cannot Be Propagated" Event 1001 SceCli

Tagged: 

This topic contains 2 replies, has 2 voices, and was last updated by  Webmaster 5 months, 2 weeks ago.

  • Author
    Posts
  • #1746

    Webmaster
    Keymaster

    Here’s how to fix the “Security policy cannot be propagated. Cannot access the template” event, with Event Source SceCli and Event ID 1001, as listed below:

    Log Name: Application
    Source: SceCli
    Event ID: 1001

    Description:
    Security policy cannot be propagated. Cannot access the template. Error code = -536870656.
    \\DomainName\sysvol\DomainName\Policies\{GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.

    This event is basically saying that the group policy with the GUID listed in the path, cannot be replicated (propagated) to another domain controller.

    This is typically eiher because the GPO is corrupted, has incorrect permissions or (in the case of the issue happening with multiple GPOs) there are network issues.

    To fix this, check that there are no network issues, check that the disk isn’t corrupted then work out which GPO the GUID in the error relates to and run dcgpofix /target xxx, where xxx is the target GPO that’s not propagating (the value of xxx can only be either domain or DC or both).

  • #1883

    ajdsi
    Participant

    I had this issue with the same error code on our Default Domain Controllers Policy. This error started after running adprep when preparing the Server 2008 domain for Server 2012 R2 DC’s.

    The error was occurring on all 3 of our domain controllers. When attempting to backup the Default Domain Controllers Policy, it would error out saying the GPO could not be accessed. When editing the Default Domain Contollers Policy and browsing to Computer Configuration>Policies>Windows Settings>Security Settings I would get a template error.

    Seeing how we had no backups of the GPO, and my predecessor had no documentation on any configuration changes that were done to the policy, I was hesitant to do a full reset in production. Instead, I used the above
    “dcgpofix /target:dc” on my lab DC. I then opened “\\dc\sysvol\domain\Policies\{GUID}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf” on the lab DC and compared it to the production GpTmpl.inf located in the same directory. I noticed that there was no [Unicode] preceding the Unicode switch, there was only “Unicode=Yes”. After removing [Unicode] on my error-free lab DC I saw the same error which confirmed this was most likely the issue. I then felt confident to add this line to a production DC’s GptTmpl.inf, which then replicated to the other two DC’s. Shortly after editing the SceCli error ceased on all DC’s, and everything seems to be humming along without issue.

    Just wanted to share my experiences as I didn’t find much regarding the “Error code= -536870656” SceCli error.

    Backup GPO’s….lesson learned.

  • #1884

    Webmaster
    Keymaster

    Thanks for sharing, ajdsi. I think your method would be much better for someone working in an ITIL environment who needs to replicate the failure to propagate security policy on a test environment before being allowed to make production changes.

    As people usually have more than one DC, I suppose another method could be to isolate a DC and test that.

You must be logged in to reply to this topic.