Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 1000 Source: Userenv

Windows cannot access the registry information at \\\sysvol\\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol with (<error code>).
As first step, use NET HELPMSG <error code> for a first clue as what it wrong.

Error code 5 - "Access denied" - See ME290647. Also, from a newsgroup post: "I have been plagued by the same message on my system for months. Most of the postings I saw claimed that this was due to my system being multi-homed and the order of the priority of the NICs being incorrect. In my case, the suggested remedies did not work. Today I checked and found out the the node "C:\WINNT\sysvol\sysvol" was not shared. After I shared that node to system and Administrator, the error messages stopped."

Error code 51 - "The remote computer is not available." - "The \\Active Directory Domain Name\Sysvol share is a special share that requires the distributed file system (Dfs) client to make a connection. If the Dfs client is disabled, the error messages are generated. ". See the link to ME259398.

Error code 53 - "The network path was not found." - Caused by File and Printer Sharing service not being enabled on the Domain Controller interface(s). See the link to ME279742.
Another instance of Error code 53 may be recorded if the IP address of the domain controller is changed but the DNS still points to the old IP address.
- Error code: 53 - In my case, the domain controller that was having the problem had a 3 minute difference in time between it and the other domain controllers. I set the time to match the other domain controllers, rebooted and the problem was resolved.
- Error code: 1231 - In one case, this happened when a Ghost image from a domain controller was downloaded to a test computer. The network settings were lost due to the network cards in the test computer being different to those in the image. Also, this occurs as part of the procedure to reset TCP/IP that is detailed in Microsoft’s ME837333. Correct the network configuration. If the HLM\SYSTEM\CurrentControlSet\Services\Winsock registry key is missing, then restore it from a backup or from a similar computer.
- Error code: 1231 - See ME258960.
- Error code: 53 = Path not found - See ME888824.

See ME887303 to resolve this problem for various error codes.

As per Microsoft: "This behavior occurs if the SMB signing settings for the Workstation service and for the Server service contradict each other. When you configure the domain controller in this way, the Workstation service on the domain controller cannot connect to the domain controller's Sysvol share. Therefore, you cannot start Group Policy snap-ins. Also, if SMB signing policies are set by the default domain controller security policy, the problem affects all the domain controllers on the network. Therefore, Group Policy replication in the Active Directory directory service will fail, and you will not be able to edit Group Policy to undo these settings". See ME839499 to fix this problem.

From a newsgroup post: "After reading all the KB articles everyone suggested, checking my SYSVOL file structure, etc; I happened to take a look at the NIC settings and discovered that, somehow, NetBIOS had become disabled on the LAN card. I enabled NetBIOS and everything is now working fine. No more error messages and users can access the server".

Also from a newsgroup post: "If the DFS Client is disabled, you can not access the \\<Active Directory Domain Name>\Sysvol share, which would cause this problem. To check / enable the DFS Client, use Regedt32 to navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mup. Double-click the DisableDFS value name, a REG_DWORD data type. A data value of 0, the default, enables the DFS Client. A data value of 1 disables the DFS Client.
NOTE: If the DisableDFS value name is missing, the DFS Client is enabled".

When you use the Symantec W32.Nimda.A@mm virus removal tool on a domain controller, the share permissions for shares such as Sysvol and Netlogon may be changed from the default share permissions. See ME312031 for more details.

See the link to Citrix Support Document ID: CTX104957 if this problem appears when printing.

- Error code: 53 - I had this same problem and it appeared because the "TCP/IP NetBIOS Helper Service" and “Distributed File System” services were set to "Manual". After setting them to “Automatic”, this problem disappeared.
Error 1351: I solved this problem enabling NetBIOS over TCP/IP in the WINS tab of Advanced TCP/IP Options for the LAN card.
- Error 1351 - These errors started appearing after I had switched off NetBEUI on a Multihomed Win2k DC, leaving only TCP/IP. Changing the protocol binding order for the private adapter so that TCP/IP was the preferred protocol instead of the disabled NetBEUI stopped these errors, and allowed me to administer the WINS server again from MMC.
In my case the Kerberos Realm name (which should be the NetBIOS domain name) was incorrect in the registry (and was referencing the local computer name). To correct this issue:
1. Open REGEDT32.
2. Navigate to Security\Policies\PolAcDmN.
3. Left-click on <No Name>:REG_NONE and select "View - Display Binary Data"
4. You should see the NetBIOS name of the domain in the text on the right (ex. WAMLTD). If the machine name is listed instead, you will need to replace it.
5. Navigate to Security\Policies\PolPrDmN.
6. Double-click the <No Name>:REG_NONE and copy the binary value (CTRL-C)
7. Navigate to Security\Policies\PolAcDmN, double-click <No Name>:REG_NONE and paste in the correct value.
8. Left-click on <No Name>:REG_NONE and select "View - Display Binary Data". You should see the correct value listed.
9. Run "secedit /refreshpolicy machine_policy /enforce"
10. Look in the application log for a SCECLI 1704 event (indicating successful application of policy)
I tried most things, until I disabled the LAN connection and enabled it again and that fixed the problem for me.
Error code 51 - I had disabled file and printer sharing on a 2000 DC, reenabling that fixed the problem.
Error: 5 = "Access denied". Group Policy was not being propagated to clients and logons were slow. I found that the permissions on the domain controllers Sysvol folder and subfolders were incorrect but after 20 minutes of changing them as per Microsofts instructions, the system automatically changed them back. The sysvol permissions and some GP entries contained the security identifier for the Power Users group which doesn't exist on a DC. All efforts to remove this security identifier failed.
I deleted all Registry.pol and System.adm on the DC and edited all GPT.ini files, on the DC, so Version=1. I then rebooted the DC and changed the Sysvol permissions. Make a new Default Domain Policy and a new Default Domain Controllers Policy. Make sure that Everyone, Authenticated users and Administrators have "Bypass Traverse Cecking" enabled in the Default Domain Policy.
Error: 1351 - I removed the PC from the domain and after restart put it back in domain. This seems to solve the problem.
Error: 1351 - "Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied." - Bob A Schelfhout Aubertijn's method (see below) solved the error and also solved Event ID 1001 -Security Policy cannot be propagated.

ME258296 explains in detail how to prevent this error from popping up every 5 minutes in the event log. The trick is to move the NIC that has file and printer sharing bound to it to the top of the binding order in, network connections > advanced > advanced settings.
Error 1351 - MS knowledgebase had my solution in article ME258960. It referenced a Buffer limitation of 15 ip addresses in Lmhsvc.dll which is resolved in SP2.
Setting the TCP/IP NetBIOS Helper Service to manual startup caused this and related events for me, as it prevented me from accessing DFS shares. I set the service back to automatic startup to solve the problem.
I had this problem on all my member servers, it turned out to be a permissions problem with SYSVOL.
I fixed it as follows:
Start > Programs > Administrative Tools > Domain Controllers Security Policy > Security Settings > Double click "File System" > Double click "%SYSVOL%\Domain\Policies" > Edit Security> Make sure the appropriate permissions are set and tick the "Allow Inheritable Permissions ........" checkbox. Note that the permissions in "%SYSVOL%" must be set properly too.
In my case, the reason for this error was the server, it had the IRPSStackSize to low (on 11). Default for Windows 2000 is 15 (range from 11 to 50 refering ME177078). Registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
A refering document from MS (ME106167) is outdated and should be corrected for Windows 2000.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to



Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.