Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 1000 Source: Userenv

Source
Level
Description
Windows cannot determine the user or computer name. Return value (<return error code>).
Comments
 
This event occurs in various conditions, the return code providing more details about the problem.

Value 14 (Error code 14) = "Not enough storage is available to complete this operation." - As per Microsoft: "Do one of the following, then retry the operation:
1. reduce the number of running programs
2. remove unwanted files from the disk the Paging File is on and restart the system
3. check the paging file disk for an I/O error
4. install additional memory in your system."

Value 59 - "An unexpected network error occurred." - Typically, connectivity problems (cable, hub, switch, etc.. layer 2 level). See also the comments for Error code 59.

Value 1722 (Error code 1722) = "The RPC Server is unavailable" - Usually occurs when DNS servers are not configured properly. There is connectivity but not at the service level. One note here, usually it may appear that DNS is set properly but one has to double-check all the aspects of DNS registration/resolution as the problem may not be that obvious. See also ME261007 - It says that this behavior can occur if the address for the configured preferred DNS server on the client is invalid or unreachable.
From a newsgroup post: "Do the following to ensure that the SRV records for the AD servers are in DNS properly: (from the DOS prompt)

nslookup
set type=srv
set type=srv
_ldap._tcp.dc._msdcs.YOURDOMAIN.COM
Server:  dnsserver.yourdomain.com
Address:  192.168.100.2

you should see something like this:

_ldap._tcp.dc._msdcs.YOURDOMAIN.COM       SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = server1.YOURDOMAIN.COM
_ldap._tcp.dc._msdcs.YOURDOMAIN.COM       SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = server2.YOURDOMAIN.COM
server1.YOURDOMAIN.COM       internet address = 1.1.1.2
server2.YOURDOMAIN.COM  nternet address = 1.1.1.1

If you don't then you definately have a DNS problem.

I would also recommend running the dcdiag and netdiag utilities on
your domain controllers.  If you find that the servers aren't in DNS,
then make sure dynamic updates are enabled on your DNS server and
restart the netlogon server on each of your DCs."

Value 1753 - "There are no more endpoints available from the endpoint mapper." - See the comments for Error code 1753
- Value: 1326 (Error code 1326) - In my case, in Terminal Server Manager, there were two sessions marked as active but idle for more than 13 days. I terminated them, the error was logged once again and then it was gone.
1. Make sure DNS is listening only on the private address of the DNS server.
2. On both the clients and the server, in the TCP/IP properties on the WINS tab enable NetBIOS over TCP/IP. Do this only on the private interface of the server if it has two NICs.
3. In the Network and Dial-up connections Control Panel in the Advance menu select Advanced Settings. Make sure your private network interface is at the top of the connections list and that File and Printer Sharing and Client for Microsoft Networks are enabled and bound to TCP/IP and that TCP/IP are at the top of the binding order if you have multiple protocols installed.
- Error code: 1722 (Error code 1722) = "The RPC Server is unavailable" - In one case on Windows 2000 Server SP4 this Event ID appeared when the computer had been out of commission for a while. Other symptoms were that new Global Domain Users could not be added to a Local Group in Computer Management -> Local Users and Groups -> Groups. This was resolved by configuring the network adapters to point to the correct DNS servers on the network. They were pointing to the DNS servers of another domain running on the same network.
Value 1326 (Error code 1326) = "Logon failure: unknown user name or bad password" - Reinstalling the Terminal Service solved my problem.


I went through all of the articles listed here trying to resolve this issue. In the end, I found that the Default Domain Controller Policy and the Default Domain Policy were corrupt. I ran "dcgpofix /target:both" on the domain controller and the issue was resolved. I found this by chance after finally giving up, wiping the server and having the issue appear after I rejoined the domain.
A virus could cause this problem as well. If you have a virus on your server that is sending out hundreds of requests over the network, it could fill up the Window's network cards buffers and cause random problems that cannot be diagnosed successfully. Perform a snort on the network and check to see if there are any obvious problems. If you see a lot of random traffic or SMTP traffic coming from 1 computer, then this might be the cause of the problem.
- Error code: 1355 (Error code 1355) - From a newsgroup post: "I had the wrong IP address recorded for the PDC, so there was no route between the workstation and the PDC. Fixed the address on the PDC, it took about 45 seconds, and both stations can communicate with each other".
- Error code: 1722 (Error code 1722) - See WITP73745 for information on this problem.
We have resolved this problem by enabling traffic from our clients to our DCs on port 135 (RPC all interfaces). We have a firewall between all our networks and this port is required for correct GPO processing. See ME158508 and the link to “Port 135” for additional information on this issue.
From a newsgroup post: "This happens if a user right in a policy is being applied to a user or group that no longer exists. The policy is refreshed every 5 minutes on a DC and when it looks for the account, it generates this error. You can enable group policy process logging to find out which account or group is doing this. A registry value creates a log file during policy propagation. The log file is located in "systemroot\Security\Logs\Winlogon.log". You can examine this log file to identify specific errors that occur during policy propagation to the computer. The registry key is:
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}"
For the new registry value, type: "ExtensionDebugLevel"
For the registry data type, put: "REG_DWORD"
For the registry data, type: 2.
After changing this value, go to a command prompt and type "secedit /refreshpolicy machine_policy /enforce" Check the "winlogon.log" file for errors to determine the account that is causing the problem".

- Error code: 1722 (Error code 1722) - See ME278229.
- Error code: 1326 (Error code 1326) - See ME257623 and ME328691.
- Error code: 1753 (Error code 1753) - See ME839880.
- Error code: 1908 (Error code 1908) - See ME810402.
- Value: 1317 (Error code 1317) - The fix for us was to make sure the "Domain Computers" Group has "Read" rights on the "Computers" Container in Active Directory Users and Computers. After this was done, there were no more issues with this event.
- Value: 1317 (Error code 1317) - In our case, an apparently corrupt OU caused the servers in it to create the event ID 1000 (Userenv) with message: "Windows cannot determine the user or computer name. Return value (1317)", on Windows 2000 servers, and event ID 1053 (Userenv) with message "Windows cannot determine the user or computer name. (The specified user does not exist). Group Policy processing aborted", on Windows 2003 servers. In each case, the event appeared every 60 to 120 minutes (the machine’s policy update interval). Moving the servers back to “Computers” stopped the event. The OU looked and behaved normal otherwise. Deleting and creating the OU again (even with the same name) solved the problem.
Value 1317 (Error code 1317) = "The specified user does not exist" - This error occurred when a user account that had been disabled was still logged in to a disconnected terminal services session.
In an attempt to fix the problem related to Event ID 1000 (userenv) with return code 14 I came across article ME327825 which ultimately ended up fixing my problem. The "Not Enough Storage..." is related to the default token size and number of groups that your account belongs to. The article contains the formula for figuring out if your account exceeds this token size. The fix is a registry hack described in article ME263693 to increase the token size. I found that you need to have service pack 3 installed for this to work however.


Value 1722 (Error code 1722) = "The RPC Server is unavailable". - We are using DHCP for client configuration. By using NSLOOOKUP and IPCONFIG /ALL the client displayed a wrong DNS Server. I checked the TCP/IP configration and there was a local setting to a wrong DNS Server. Local settings will overwrite settings from the DHCP Server. By deleting the local DNS setting and switching to autoconfig the problem was fixed.
Value 1723 (Error code 1723) = "The RPC server is too busy to complete this operation" - Set PagedPoolSize to 0 at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ Session Manager\Memory Management. Restart your computer.
Value 1722 (Error code 1722) = "The RPC Server is unavailable" - Remove the machine from the domain and then rejoin.  See ME329708.

Make sure you set the authoritative time server correctly. If a machine that you have set as the authoritative time server isn't available, then time synchronization between DCs stops. Once the time difference between DCs becomes greater than what Kerberos allows, authentication between DCs fails, causing replication to fail along with it. Troubleshooting such failures can be difficult because W32Time doesn’t generate any error messages in the system log when specific hosts become unavailable. Instead, look for an error message such as "the RPC server is unavailable." If you see this message and you haven’t configured time synchronization with an outside time source, the likely cause is your DNS configuration.
Value (-2146893022). It happens when you log into a child domain controller with your parent domain account.
See ME221833 on how to Enable User Environment Debug Logging in Retail Builds of Windows.
In my case - Windows 2000 Pro Workstation - the user complained that all Internet access and Internet email through MS Exchange was lost and IE 5.5 reported a DNS Error. The workstation's TCP/IP settings were correctly obtained via DHCP. Release/renew and manually setting DNS did not help. I removed the TCP/IP stack, reboot, login locally, reinstall TCP/IP stack, reboot, login to the network - problem gone.
Value 1326 (Error code 1326) = "Logon failure: unknown user name or bad password." - I had this error filling up my event viewers on two servers for days. I had scheduled backups under my user name and password. After I changed my password I started getting the errors. I fixed it by rescheduling the jobs under my user name and  new password; problem resolved.

This error may occur when an user account is left logged onto a PC, and is disabled by an administrator in the background. Once the Disabled ID is logged off, the error goes away.

I had this problem on a Windows 2000 DC. It turned out it wass caused by ZoneAlarm firewall.
Value: 59 (Error code 59) = "An unexpected network error occurred" - This may happen if you have a firewall between your domain controller (or installed on the DC itself) and a workstation that is trying to connect to it. I noticed this while using Norton Internet Security 2002 on a domain controller and after that the network became very slow and the eventviewer filled with these events.
Value 1747 (Error code 1747) = "The authentication service is unknown" - Occurs when the server is set up as a domain controller but not synchronizing with the Main DC.


Value 1908 (Error code 1908) = "Could not find the domain controller for this domain" - Usually occurs when the Kerberos Key Distribution Service is disabled. See ME316710 for additional information.
Value 1326 (Error code 1326) = ""Logon failure: unknown user name or bad password." - This will occur if a Terminal Session is disconnected and not logged off and susequently the users logon password is changed. You will still have access to the "stale" session with the new password. This commonly happens with Administrators, who leave the session open by disconnecting so as to leave a program running. Since an Administrator can log back onto the session with the new password it can be overlooked. Terminate the Terminal Services session by logging out and the problem will disappear.
Value 1722 (Error code 1722) = "The RPC Server is unavailable" - In addition to checking the DNS configuration, make sure that if you have multiple adapaters, that the LAN adapater for your local segment that resolves your LAN host names is listed first in the adapter binding order in the Advanced settings of Network and Dial-up Connections. Otherwise, the DNS resolver will use the DNS servers for the adapter listed first which may not resolve your LAN host names correctly. This will also cause problems with Active Directory replication.
Value 1398 (Error code 1398) = "There is a time difference between the client and the server" - Use the following command to sync the time "net time \\<domain controller> /set /y".
Value 14 (Error code 14) = "Not enough storage is available to complete this operation." - If activated, policy debugging in winnt\debug shows "MyGetUserName failed with 14". This can be caused by too many group memberships assigned to the user. See ME263693: Group Policy May Not Be Applied to Users Belonging to Many Groups. Without the registry change described in the KB, the maximum number is about 75.
Value: 1722 (Error code 1722) = "The RPC Server is unavailable" - The server was not able to update the GPO. When I was pinging from that server with FQDN I would get the "Unknown Host" error message but I was able to ping with just the host name. ipconfig /flushdns and /registerdns solved my problem.
Value: -2146893006. This indicates that the user is locked out of account.
Value 5 (Error code 5) = "Access is denied" - See ME262958 (occurs because the computer to which the user is logging on does not have the "Access this Computer from the Network" permission at the validating domain controller). Also check ME305837.
Value 1317 (Error code 1317) = "The specified user does not exist" - This error may occur if you run DCPROMO on a Windows 2000 server but the NTFS permissions are not set to Full control for local Administrators group.


Value 1359 (Error code 1359) = "An internal error occurred" - In Windows 2000 using the same name for a user and a machine is a no-no I've been told. After we upgraded some workstations from NT using the same value for user name and computer name, this message would be generated. I noticed Windows 2000 added a "1" at the end of the machine name. The log on the workstation no longer generated the message. Solution: Do not use the same name for a machine name and user name.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.

Read more...

 

Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.

Read more...