Group policy failing on PC even after leaving & rejoining domain

Last Updated: June 9th, 2025 / Published On: April 11th, 2025

AKA Fixing group policy and RSOP failures with cached credential cleanup

Recently, I was asked to troubleshoot a stubborn issue on a single domain-joined Windows workstation. The computer was unable to update Group Policy, and RSOP (Resultant Set of Policy) generation failed for every user account that signed in.

What made it more puzzling was that other computers on the domain worked fine. Only this machine had the issue—no policies were applying, and RSOP returned blank or error-filled results.

What I Tried First

Here’s a summary of the standard steps I tried, none of which resolved the problem:

  • Ran gpupdate /force — which failed with errors
  • Checked results using rsop.msc and gpresult /h report.html
  • Removed the computer from the domain, rebooted, and rejoined
  • Checked and modified registry keys related to Group Policy and profiles
  • Verified time sync, DNS settings, and trust relationship with the domain

Still no luck. No user accounts could get policies, and RSOP consistently failed.

The Actual Fix: Delete Cached Credentials

After exhausting typical tools (and even trying AI helpers like ChatGPT and Gemini), I found an old forum post that led me to the real cause: stale or corrupted cached credentials under the Local System account.

Here’s the step-by-step fix that finally resolved it:

1. Download PsExec

PsExec is part of Microsoft’s Sysinternals Suite. You can download it here:
https://docs.microsoft.com/en-us/sysinternals/downloads/psexec

2. Open a System-Level Command Prompt

Open an elevated Command Prompt (Run as Administrator), then run:

PsExec.exe -i -s cmd.exe

This will open a new Command Prompt window running as the Local System account.

3. Launch the Stored Credentials Manager

In the new system-level command prompt, run the following:

rundll32.exe keymgr.dll, KRShowKeyMgr

This opens a GUI window titled “Stored User Names and Passwords.”

4. Remove Domain Controller Credentials

In that GUI, locate and delete any credentials that reference your domain controller or domain resources.

5. Reboot

After removing those cached credentials, reboot the workstation.
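
A scripted equivalent of steps 3 and 4, as an added example that is not part of the original post: it lists the credentials stored for the Local System account with cmdkey.exe and deletes the ones that reference the domain. It assumes English cmdkey output, that cmdkey.exe reads the same store the "Stored User Names and Passwords" window shows, a placeholder domain pattern (corp.example.com), and a hypothetical file name, Remove-SystemCachedCreds.ps1, run from a powershell.exe started in the system-level prompt from step 2.

```powershell
# Added example, not from the original post.
# Run from the SYSTEM prompt opened in step 2 so cmdkey reads SYSTEM's store.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumption: placeholder pattern; replace with your domain or DC name.
    [string]$Pattern = 'corp.example.com'
)

# Confirm the context: Local System has the well-known SID S-1-5-18.
$me = [Security.Principal.WindowsIdentity]::GetCurrent()
if ($me.User.Value -ne 'S-1-5-18') {
    throw "Running as $($me.Name), not Local System. Use PsExec -i -s first."
}

# Parse 'cmdkey /list' (English labels assumed: Target, Type, User).
$entries = @()
$current = $null
foreach ($line in (cmdkey.exe /list)) {
    if ($line -match '^\s*Target:\s*(.+?)\s*$') {
        $current = [pscustomobject]@{ Target = $Matches[1]; Type = ''; User = '' }
        $entries += $current
    } elseif ($current -and $line -match '^\s*Type:\s*(.+?)\s*$') {
        $current.Type = $Matches[1]
    } elseif ($current -and $line -match '^\s*User:\s*(.+?)\s*$') {
        $current.User = $Matches[1]
    }
}

# Keep only entries whose target or user name references the domain.
$stale = @($entries | Where-Object {
    $_.Target -like "*$Pattern*" -or $_.User -like "*$Pattern*"
})
$stale | Format-Table -AutoSize

foreach ($e in $stale) {
    # cmdkey /delete takes the name that follows 'target=' in the listing.
    $name = $e.Target -replace '^.*?target=', ''
    if ($PSCmdlet.ShouldProcess($name, 'cmdkey /delete')) {
        cmdkey.exe "/delete:$name"
    }
}
```

Run it with -WhatIf first to see which entries match without deleting anything, then reboot as in step 5.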

Results

After the reboot, gpupdate /force completed successfully. RSOP reports started working again. Group Policy applied for all user accounts without issue.

Conclusion

This issue stemmed from hidden, outdated credentials stored under the Local System account—something most admins rarely check. Even removing and rejoining the domain didn’t flush them.

While AI tools couldn’t find the answer this time, a bit of old-fashioned forum hunting paid off. I’m sharing this in case someone else runs into a similar head-scratcher. Hopefully, it saves you hours of troubleshooting!
