Active-Directory
由於 LDAP 綁定問題,GPUpdate 失敗
當我在我的工作站上執行 gpupdate 時,我收到以下錯誤。
Computer policy could not be updated successfully. The following errors were encountered: The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following: a) Name Resolution failure on the current domain controller. b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller). User Policy could not be updated successfully. The following errors were encountered: The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description. To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.
執行
gpresult /h
給The user does not have RSoP data
查看事件日誌,我可以看到與 gpupdate 相關的錯誤程式碼 49 Invalid Credentials。但是,當我使用 ldp.exe 測試 ldap 綁定時,憑據可以正常工作。
有沒有人見過這樣的問題?我拉著頭髮試圖弄清楚發生了什麼。
我能夠自己解決這個問題。事實證明,本地電腦帳戶記憶體了(正確)失敗的錯誤憑據。感謝@greg-askew 為我指明了正確的方向。對於偶然發現此問題並尋找解決方案的任何人:
- 從https://docs.microsoft.com/en-us/sysinternals/downloads/psexec下載 PsExec(sysinternals 的一部分)
- 從提升的命令提示符執行
PsExec.exe -i -s cmd.exe
(這將在本地電腦帳戶上下文中打開另一個命令視窗)。- 從該視窗執行
rundll32.exe keymgr.dll, KRShowKeyMgr
(這將打開一個帶有記憶體憑據列表的 gui)。- 在該 gui 中,刪除任何看起來可疑的憑據(在我的情況下,憑據以我的 PDC 命名)。
從記憶體中刪除憑據後,它立即重新開始工作。