Event ID: 1047 Source: Userenv

Description: Windows cannot read the history of GPOs from the registry. Continuing Group Policy Processing.

Comments:

As per Microsoft: "Each time Group Policy Objects (GPOs) are processed, a record of all of the GPOs applied to the user or computer is written to the registry (in a GPO list). To optimize performance, Group Policy compares this GPO list to the current list to determine if there are any GPOs that need to be applied. This event occurs when Group Policy is unable to read the registry to determine the list of GPOs that were applied last. Group Policy processing continues". See MSW2KDB for additional information about this event.
To fix this issue you will need to edit the registry using a local administrator account. Log in as a local administrator and follow these steps:

1. Start the Registry editor by clicking Start -> Run, and entering: “regedit.exe”.
2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History. Delete all of the sub-keys in the History key. DO NOT delete any of the values or the key itself.
3. To edit the affected user you will need to load the user’s registry hive.

i. Navigate to HKEY_USERS.
ii. Select the File menu and click Load Hive.
iii. Navigate to the affected user’s profile folder in the Documents and Settings folder on the system drive.
iv. Double click NTUSER.DAT.
v. When prompted, enter a meaningful Key Name such as the user’s name and click OK.
vi. Navigate to SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History. Delete all of the sub-keys in the History key. DO NOT delete any of the values or the key itself.
vii. Highlight the user’s key name under HKEY_USERS.
viii. Select the File menu and click Unload Hive. When prompted, click Yes to unload.

4. Refresh Group Policy using “GPUPDATE /force /boot” in a DOS box.

See the Microsoft article KB319006 for further information on this issue.
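
The same procedure as a script, added here as an example and not taken from the original comment or from Microsoft. It goes one step beyond the manual steps by exporting each History key to a .reg file before any sub-key is deleted. It assumes PowerShell is installed and run elevated; the profile path, temporary hive name and backup folder are hypothetical placeholders.

```powershell
# Added example: scripted form of the manual steps above (run as a local administrator).
# ASSUMPTIONS, not from the original page: the three values below are placeholders.
$ProfilePath = 'C:\Documents and Settings\jdoe'   # hypothetical affected user's profile folder
$HiveName    = 'TempGpoFix'                       # hypothetical key name used under HKEY_USERS
$BackupDir   = 'C:\GpoHistoryBackup'              # hypothetical folder for .reg backups
$HistoryRel  = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'

function Clear-GpoHistorySubKeys {
    param([string]$RegPath, [string]$BackupFile)
    # Skip quietly if this hive has no History key at all.
    & reg.exe query $RegPath 2>$null | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "$RegPath not found, skipping"; return }
    # Back up first; refuse to delete anything if the export fails.
    & reg.exe export $RegPath $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $RegPath failed; nothing was deleted" }
    # Delete the sub-keys only. Values in History and the History key itself are kept.
    Get-ChildItem -LiteralPath "Registry::$RegPath" |
        ForEach-Object { Remove-Item -LiteralPath $_.PSPath -Recurse -Force }
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'       # unique names, so export never prompts

# Step 2: machine-wide GPO history.
Clear-GpoHistorySubKeys "HKEY_LOCAL_MACHINE\$HistoryRel" `
    (Join-Path $BackupDir "Machine-History-$stamp.reg")

# Step 3: load the affected user's hive, clear its history, then unload it.
& reg.exe load "HKU\$HiveName" (Join-Path $ProfilePath 'NTUSER.DAT')
if ($LASTEXITCODE -ne 0) { throw 'Could not load NTUSER.DAT (is the user still logged on?)' }
try {
    Clear-GpoHistorySubKeys "HKEY_USERS\$HiveName\$HistoryRel" `
        (Join-Path $BackupDir "User-History-$stamp.reg")
}
finally {
    # Release any registry handles PowerShell still holds, or the unload is refused.
    [gc]::Collect()
    & reg.exe unload "HKU\$HiveName"
    if ($LASTEXITCODE -ne 0) { Write-Warning "Hive HKU\$HiveName is still loaded; unload it manually" }
}

# Step 4: refresh Group Policy. /boot restarts the computer if an extension requires it.
& gpupdate.exe /force /boot
```

If the refresh makes things worse, the exported .reg files can be imported again with `reg import` after reloading the user hive under the same key name.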
