Event ID: 1000 Source: Userenv

Description
The Group Policy client-side extension <extension name> was passed flags (<number flags>) and returned a failure status code of (<status code>).
Comments
 
- Extension: Application Management, flags 1, status code: 1612 - See ME323304.
- Extension: Application Management, flags 0, status code: -2147221143 - See ME315809.
- Extension: Security, flags 17, status code: 1332 - See WITP73381.
- Extension: Security, flags 17, status code: 1208 - See ME296854, WITP74879, WITP75179 and WITP73755.
- Extension: Security, flags 17, status code: 3 - See ME258960 and WITP74445.
- Extension: Folder Redirection, flags 0, status code: 1338 - See WITP82924.
- Extension: Folder Redirection, flags 0, status code: 203 - From a newsgroup post: "Try renaming the .man extension on the ntuser.man to ntuser.dat, have the user logon and open the Redirected Folder. Then, have the user log off and rename the ntuser.dat back to ntuser.man. Finally, have the user log back on and check the Application event logs to see if the folder redirection errors are gone".
- Status code: 1235 - In our case, this problem was caused by incorrectly configured Folder Redirection through Group Policy. In one case, %USERNAME% was missing from the end of the path field on the My Documents -> Properties -> Target tab. Correct Folder Redirection configuration and the problem should go away.

- Extension: Folder Redirection, flags 0, status code: 203 - In one case, on Windows 2000 Professional SP4 this event was preceded by EventID 111 from source Folder Redirection. Another symptom was that when changes were made (when logged on with this same account) within Microsoft Office 2000 to the configuration settings, these changes were lost when Office was closed and re-opened. To resolve this, the roaming profile and its local copy were deleted. A new roaming profile was created on the server by copying a similar known good profile via "My Computer" properties. When the account was logged on the client computer, this Event ID did not re-appear and the profile then worked normally.
- Extension: Microsoft Disk Quota, Flags 1, Status code: -2147024894 - Remove {3610eda5-77ef-11d2-8dc5-00c04fa31a66} from the "C:\WINNT\system32\GroupPolicy\gpt.ini" file.


- Status Code 1307 - See ME291087.

- Extension: Security, flags 1, status code: 1208 = "An extended error has occurred." - See ME827012.
- Extension: Security, flags 17, status code: 1208 - See ME835744 and ME835901.
- Extension: Security, flags 17, status code: 1332 - See ME329816 and ME839115.
- Extension: Security, flags 17, status code: 3 - See ME888824.
- Extension: EFS recovery, flags 17, status code: 1804 - See ME830062.
- Extension: Folder Redirection, flags 0, status code: 1338 - See ME888205.
- Extension: Security, flags 17, status code: 5 - See ME319352.
- Extension: Security, flags 145, status code: 5 - See ME310741.

- Extension: Microsoft Disk Quota, Flags 1, Status code: -2147024894 - From a newsgroup post: "The event is being caused by a bug that incorrectly reported a problem with Disk Quotas. The event can be eliminated from occurring by setting the "Enable Disk Quotas" policy to "Disabled." To eliminate the error completely remove the Group policy extension for Disk Quotas from the "gPCMachineExtensionNames" attribute for the Default Domain Controllers policy".

From a newsgroup post: "Here some tips to debug this type of problems:
1. Enable diagnostic logging to the event log.
Enabling diagnostic logging for Group Policy causes Group Policy to generate detailed events in the event log. These detailed events can help assist in diagnosing problems associated with Group Policy processing by backtracking the events and providing additional information about them.
To enable diagnostic logging, log on as the local administrator. Click Start -> Run, type regedit, and then click OK. Open the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion key. On the Edit menu, point to New, click Key, type Diagnostics, and then press Enter. With the Diagnostics key selected, on the Edit menu, point to New, click DWORD Value, type RunDiagnosticLoggingGlobal and then press Enter. Double-click RunDiagnosticLoggingGlobal, type 1 and then click OK. Events generated by Group Policy are recorded in the Application log.
Note: Enabling diagnostic logging for Group Policy generates a large number of events during computer startup and when a user logs on. You should increase the size of the Application log prior to enabling diagnostic logging so that the Application log does not fill up. Also, enable diagnostic logging only when troubleshooting Group Policy and disable it when you are finished.
2. Enable verbose logging.
Verbose logging tracks all changes and settings applied to the local computer and to users who log on to the computer by Group Policy. The log file is located in the %systemroot%\Debug\UserMode folder and is named Userenv.log. Enabling verbose logging involves adding the registry key for verbose logging.
To enable verbose logging, add a DWORD value named UserEnvDebugLevel with a value of 30002 to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon key in the registry.
Note: A value of 30002 enables verbose logging, 30001 enables logging of errors and warnings only, and 30000 logs nothing.
To disable verbose logging, delete the UserEnvDebugLevel value from the registry.
3. Windows 2000 Resource Kit Tools for Group Policy Troubleshooting.
You can resolve Group Policy issues by using the following tools that are included in the Windows 2000 Resource Kit:
- Gpotool.exe. This command-line tool allows you to check the health of the Group Policy objects on domain controllers.
- Gpresult.exe. This command-line tool displays information about the result Group Policy has had on the current computer and logged-on user.
Note: For details and usage of these tools, refer to the Windows 2000 Resource Kit".

See ME312164 to find out how to interpret Userenv 1000 events.
Try running the following in a command window for more details: "net helpmsg <status code>".
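
An added example (not part of the original page or its comments): several status codes listed here are negative, which means the event logged an HRESULT as a signed 32-bit number rather than a plain Win32 error, so it has to be unpacked before it can be passed to "net helpmsg". The sketch below parses the description template shown above and does that conversion; the function names and sample descriptions are constructed for illustration.

```python
import re

# Pattern follows the description template quoted at the top of this page.
EVENT_RE = re.compile(
    r"client-side extension (?P<ext>.+?) was passed flags \((?P<flags>\d+)\) "
    r"and returned a failure status code of \((?P<status>-?\d+)\)"
)
FACILITY_WIN32 = 7  # HRESULTs in this facility wrap a plain Win32 error code

# Messages exactly as quoted in the comments on this page.
KNOWN = {
    2: "The system cannot find the file specified.",
    1208: "An extended error has occurred.",
    1307: "This security ID may not be assigned as the owner of this object.",
    1332: "No mapping between account names and security IDs was done.",
    4350: "The remote storage service was not able to recall the file.",
}

def decode_status(status):
    """Return (kind, facility, code) for a Userenv 1000 status code."""
    if status >= 0:
        return ("win32", None, status)
    raw = status & 0xFFFFFFFF            # signed 32-bit -> unsigned HRESULT
    facility = (raw >> 16) & 0x1FFF
    code = raw & 0xFFFF
    kind = "win32" if facility == FACILITY_WIN32 else "hresult"
    return (kind, facility, code)

def parse_event(description):
    """Parse one event description; return None if it does not match."""
    m = EVENT_RE.search(description)
    if m is None:
        return None
    status = int(m.group("status"))
    kind, facility, code = decode_status(status)
    return {
        "extension": m.group("ext").strip('"'),
        "flags": int(m.group("flags")),
        "hex": f"0x{status & 0xFFFFFFFF:08X}",
        # Only plain or wrapped Win32 codes are meaningful to "net helpmsg".
        "helpmsg_code": code if kind == "win32" else None,
        "message": KNOWN.get(code) if kind == "win32" else None,
    }

if __name__ == "__main__":
    # Constructed sample descriptions using status codes listed on this page.
    tmpl = ("The Group Policy client-side extension {} was passed flags ({}) "
            "and returned a failure status code of ({}).")
    for ext, flags, status in [("Microsoft Disk Quota", 1, -2147024894),
                               ("Application Management", 0, -2147221143),
                               ("Security", 17, 1332)]:
        print(parse_event(tmpl.format(ext, flags, status)))
```

A result with "helpmsg_code" set to None (for example 0x80040169) is not a wrapped Win32 error, so look up the hexadecimal HRESULT instead of running "net helpmsg".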
- Extension: Security, Flags 17, Status Code 5 - It turns out that the System account was missing from the root permissions of the system drive. I added it and gave it full control, which fixed the problem.
- Extension: "Application Management", flags: 9x90007 - This information box only appears when extensive group policy is configured. In my case, this information message occurred when trying to deploy a software package via a machine GPO. See ME246509, ME223300, and ME221833 for more details.
Extension: Security, flags: 17, status code: 3 - As per MS article ME259398, this can occur if the DFS client is disabled. Some websites have purported performance enhancements by disabling DFS, but it will result in group policies not being applied properly, hence this error.
To specifically fix this, edit HKLM\SYSTEM\CCS\Service\MUP
Create a REG_DWORD value:
DisableDFS=00000000
Extension: Security, flags: 17, status code: 1208 - Occurred when a user remained logged on to a computer after that computer was removed from the "Log On To" list, in user properties, in Active Directory Domains and Trusts. Logging the user off stopped the error.
Extension: Security, Flags 17, Status Code 3. Group Policy was not being propagated to clients and logons were slow. I found that the permissions on the domain controller's Sysvol folder and subfolders were incorrect but after 20 minutes of changing them as per Microsoft's instructions, the system automatically changed them back. The sysvol permissions and some GP entries contained the security identifier for the Power Users group which doesn't exist on a DC. All efforts to remove this security identifier failed.
I deleted all Registry.pol and System.adm on the DC and edited all GPT.ini files, on the DC, so Version=1. I then rebooted the DC and changed the Sysvol permissions. Make a new Default Domain Policy and a new Default Domain Controllers Policy. Make sure that Everyone, Authenticated users and Administrators have "Bypass Traverse Checking" enabled in the Default Domain Policy.
Extension: Folder Redirection, Flags: 0 Failure status code: 4350 = "The remote storage service was not able to recall the file.". I use folder redirection for the My Documents folder for one of my clients. When I changed the folder name/location and changed the policy, I received the above event. It was preceded by event id 106 source Folder Redirection. The only fix I had for it was to delete the local user profile, and on some I had to get rid of folder synchronization for the folder to be redirected.
Had this error for awhile. Finally figured out my permissions within SYSVOL (the share)\Policies were hosed and users could not access the policy. I reset these NTFS Security permissions so that Everyone could at least READ, and lo and behold it worked. However, you should not have to mess with permissions in these folders unless you are having THIS SPECIFIC PROBLEM.


Extension: Security, Flags 17, Status code 1332 = "No mapping between account names and security IDs was done." - I had recently installed, and then uninstalled IIS on the 2000 server. The IUSR_xxx user accounts were still listed under the Default Domain Policy. I loaded MMC, added the Group Policy object and then loaded the Default Domain Controller Policy. There, I removed all references to any IUSR_xxx users under Local Policy and restarted the NetLogon service. It fixed my issue.
Extension: Scripts, Flags: 16, Status code 2 = "The system cannot find the file specified." Happens every time a client refreshes policy. Caused by the scripts.ini file missing/malfunctioning in the folder: sysvol\domainname\policies\{policy_id}\USER\scripts. Put in a blank scripts.ini or rebuild from backup.
Extension: Application Management, Flags 1, Status code: 1612 = "The installation source for this product is not available. Verify that the source exists and that you can access it." - See ME278472.
My issue was event 1000 & 1202 Flags (17) and status (1208), every hour and a half. It became apparent when we re-ip-ed the network and I noticed on all machines I was getting the error. Also we noticed that the network connection icons in My Network Places were missing. Turns out all I had to do was reregister netshell.dll, netcfgx.dll, and netman.dll. That cleared up the errors and gave me my icons back.
ME258296 explains in detail how to prevent this error from popping up every 5 minutes in the event log. The trick is to move the NIC that has file and printer sharing bound to it to the top of the binding order in Network Connections > Advanced > Advanced Settings.
Error Code = 17, Status Flags = 5. This was coming up every 90 minutes, along with SceClient Event 1202 on newly added Win2k clients in a native-mode Win2k Domain (DC was upgraded from NT4.0). Group policy was not being applied to the machines. After auditing group policy processing, I added the group "Pre-Windows 2000 Compatible Access" to the local SAM on each new client. Following this addition, running secedit /refreshpolicy user_policy /enforce (or machine_policy) revealed that the error was gone and group policy was now being successfully applied to the client.
Extension: Security, Flags 1, Status Code 3 - I followed the instructions in ME290647 to fix the permissions on the Sysvol folder on the Domain Controller. My problem was in the sharing permissions on the Sysvol folder. I had to add Full Control to Authenticated Users and Read permissions to Everyone.
Status code 1208 - "An extended error has occurred." may point to a corrupt group policy-database. Use esentutl /g to check in \winnt\security\database.


Extension: Folder Redirection, Flags 0, Status code 1307 = "This security ID may not be assigned as the owner of this object." - See the link for status code 1307 - and the question about that. The tips presented should work, however if one has a problem with "My Pictures" and has "Follow My Documents" as a policy then there seems to be a problem and one needs to redirect "My Pictures" as well as "My Documents".
