Case of the Group Policy Copy Fail – An invalid directory pathname was passed

A colleague had an issue at a customer site where a Group Policy object could not be copied using Group Policy Management Console. In addition making a backup of the policy, and attempting to re-import the policy would also fail with the same error: An invalid directory pathname was passed

 

image

Initially I used Process Monitor (http://live.sysinternals.com/ProcMon.exe) and checked for any file path issues but didn’t find any.

So I turned to API Monitor http://www.rohitab.com/apimonitor which allows for more detailed scanning. One of my favourite uses of this utility has been the ability to monitor the Microsoft C++ Runtime Library and Windows UI components to find the exact point an application generates an error message, allowing us to step backwards through calls to usually find the exact cause.

One should note, although this utility is extremely versatile and powerful, it will not be usable in all situations, it may not work with some applications, or it may require not monitoring certain APIs to prevent the application crashing during monitoring.

In this case I monitored mmc.exe that was hosting gpmc.msc I searched the log for the error, and voilà, we had found our culprit:

We could see a Common Name (CN) was being accessed with an invalid name:

CN=Win7 / Vista Wireless 

image

Group Policy Management Console, although allowing creation of a policy with such a name, during the import process it doesn’t handle the backslash correctly, as when used in CNs it must be proceeded with a forward slash:

CN=Win7 \/ Vista Wireless

For more information refer to Active Directory Name Formats section at http://technet.microsoft.com/en-us/library/cc977992.aspx

This was fixed by opening the original group policy right clicking Win7 / Vista Wireless and selecting Rename option…

image

Once renamed without a backslash…

image

We could export/import/copy/paste the GPO once again

About chentiangemalc

specializes in end-user computing technologies. disclaimer 1) use at your own risk. test any solution in your environment. if you do not understand the impact/consequences of what you're doing please stop, and ask advice from somebody who does. 2) views are my own at the time of posting and do not necessarily represent my current view or the view of my employer and family members/relatives. 3) over the years Microsoft/Citrix/VMWare have given me a few free shirts, pens, paper notebooks/etc. despite these gifts i will try to remain unbiased.
This entry was posted in API Monitor, Group Policy, Troubleshooting and tagged , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s