Cannot backup GPO – Error Invalid Pointer


Symptoms:

When you try to back up a GPO via GPMC.MSC you receive an error message containing the description

Backup of GPO failed. Error [Invalid pointer]

When using PowerShell's Backup-GPO cmdlet the result is even more dubious:

Object reference not set to an instance of an object.


Cause:

Although searching for "Invalid pointer" on the internet returns the right result (the first reference below), the description in that article is insufficient and its workaround is not always optimal.

The problem is caused by a user principal name (aka the pre-Windows 2000 user logon name under Account options in the ADUC user properties) that coincides with one of the well-known SID abbreviations used in SDDL.

The problem with that article is that it does not explain where to search for the user of high renown.


Resolution:

  1. Typically you will start by searching the GPO settings:

First create an XML report for the GPO:

Get-GPOReport -Name "Default Domain Policy" -ReportType XML -Path .\Desktop\DDPReport.xml

Then search for all user entries, e.g. using Notepad++ or the command below:

Select-String -Path ".\Desktop\DDPReport.xml" -Pattern 'Name xmlns="http://www.microsoft.com/GroupPolicy/Types"' -SimpleMatch -Context 2,1

If the output contains values matching the well-known SIDs in SDDL, check whether they are in the SecurityDescriptor namespace or under the Computer or User namespaces. The former can be fixed by editing the security settings of the GPO itself (Edit… / right-click the policy name in the Group Policy Management Editor / Properties / Security). The screenshot below shows a typical example of a user with the alias "PS", which SDDL reserves for Principal Self.

If the matches are under the Computer or User namespaces, you will have to adjust the policy settings themselves, i.e. go to Computer Configuration or User Configuration and fix the entries manually.

Only if the user SHOULD be left where it is do you need to change its user logon name. If you either don't need this user or can put it in a security group instead, that workaround should be preferred.

  2. Rarely, the GPO report doesn't output anything useful:

Enable GPMC logging, which is off by default. Switch it to verbose mode, since the problem described here is not caught in error mode. Either copy the text below into a .reg file or create the values manually:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics]
"gpmgmttracelevel"=dword:00000002
"gpmgmtlogfileonly"=dword:00000001

Close and re-open the management console. Reproduce the problem. Open %TEMP% and look for gpmgmt.log. Mine was under %TEMP%\2.

Search for lines including [WARNING] and google around for similar symptoms.
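To automate the search in step 1, here is an added PowerShell example that is not part of the original post. It assumes the report was produced with Get-GPOReport -ReportType XML as above; the report path and the function name Find-SddlNameCollision are assumptions, and the list of two-letter SID strings is a constructed subset of the well-known SID abbreviations defined for SDDL. It goes beyond the single "PS" case in the text: it checks every listed abbreviation (ignoring case and a DOMAIN\ prefix) and reports whether each match sits under SecurityDescriptor or under the Computer/User settings, which decides which of the two fixes above applies.

```powershell
# Added example, not from the original post: scan a GPO XML report (as produced by
# Get-GPOReport -ReportType XML) for account names that collide with the two-letter
# well-known SID strings defined for SDDL, and say which part of the report holds them.
# The report path and the function name are assumptions for this example.
function Find-SddlNameCollision {
    param(
        [Parameter(Mandatory)] [string] $ReportPath
    )

    # Two-letter SID strings from the SDDL syntax (a constructed subset; extend as needed).
    # A logon name equal to one of these, e.g. "PS" (Principal Self), breaks GPO backup.
    $wellKnown = @('AN','AO','AU','BA','BG','BO','BU','CA','CD','CG','CO','CY','DA','DC','DD',
                   'DG','DU','EA','ED','IU','LA','LG','LS','LU','MU','NO','NS','NU','PA','PO',
                   'PS','PU','RC','RD','RE','RO','RS','RU','SA','SO','SU','SY','WD')

    [xml]$report = Get-Content -LiteralPath $ReportPath -Raw

    # The trustee/account names of interest live in the GroupPolicy/Types namespace.
    $ns = New-Object System.Xml.XmlNamespaceManager($report.NameTable)
    $ns.AddNamespace('t', 'http://www.microsoft.com/GroupPolicy/Types')

    foreach ($node in $report.SelectNodes('//t:Name', $ns)) {
        $name  = $node.InnerText.Trim()
        $short = ($name -split '\\')[-1].ToUpper()   # drop a DOMAIN\ prefix, compare case-insensitively
        if ($wellKnown -notcontains $short) { continue }

        # Climb to the element directly under <GPO> to learn which section holds the match:
        # SecurityDescriptor (fix via the GPO's Security tab) or Computer/User (fix the settings).
        $section = $node
        while ($section.ParentNode -and $section.ParentNode.LocalName -ne 'GPO') {
            $section = $section.ParentNode
        }
        $fix = if ($section.LocalName -eq 'SecurityDescriptor') {
            'Edit the security settings of the GPO itself'
        } else {
            'Edit the policy setting under Computer/User Configuration'
        }

        [pscustomobject]@{
            Name      = $name
            SddlMatch = $short
            Section   = $section.LocalName
            Fix       = $fix
        }
    }
}

# Usage (path is an assumption): list every collision in the Default Domain Policy report.
Find-SddlNameCollision -ReportPath '.\Desktop\DDPReport.xml' | Format-Table -AutoSize
```

If the function prints nothing, no account referenced in the report shares a name with a listed abbreviation and step 2 (GPMC verbose logging) is the next place to look.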


References:

https://support.microsoft.com/en-us/kb/867462

https://technet.microsoft.com/en-us/library/cc737379(v=ws.10).aspx

3 comments

  1. Sorted! Thank you. This post didn’t fix the issue per se, but provided all the groundwork & hints to get it sorted. So I can now back up our DDC policy which I’d have been unable to do without this post.