Windows cannot read the history of GPOs from the registry. Continuing Group Policy Processing.
As per Microsoft: "Each time Group Policy Objects (GPOs) are processed, a record of all of the GPOs applied to the user or computer is written to the registry (in a GPO list). To optimize performance, Group Policy compares this GPO list to the current list to determine if there are any GPOs that need to be applied. This event occurs when Group Policy is unable to read the registry to determine the list of GPOs that were applied last. Group Policy processing continues". See MSW2KDB for additional information about this event.
To fix this issue you will need to edit the registry using a local administrator account. Log in as a local administrator and follow these steps:
1. Start the Registry editor by clicking Start -> Run, and entering: “regedit.exe”.
2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History. Delete all of the sub-keys in the History key. DO NOT delete any of the values or the key itself.
3. To edit the affected user's settings you will need to load the user's registry hive.
   i. Navigate to HKEY_USERS.
   ii. Select the File menu and click Load Hive.
   iii. Navigate to the affected user's profile folder in the Documents and Settings folder on the system drive.
   iv. Double-click NTUSER.DAT.
   v. When prompted, enter a meaningful Key Name such as the user’s name and click OK.
   vi. Navigate to SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History under the key you just loaded. Delete all of the sub-keys in the History key. DO NOT delete any of the values or the key itself.
   vii. Highlight the user's key name under HKEY_USERS.
   viii. Select the File menu and click Unload Hive. When prompted, click Yes to unload.
4. Refresh Group Policy by running “GPUPDATE /force /boot” at a command prompt.
See the Microsoft article KB319006 for further information on this issue.
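
The same procedure as a script, added here as an example (it is not from the original comment or from Microsoft). It assumes PowerShell is available on the machine and is run elevated; `$ProfilePath` and `$HiveName` are hypothetical parameters to adjust, and the `.reg` export before deletion is an extra safeguard the steps above do not mention.

```powershell
# Added example: automates steps 2-4 above. Run elevated as a local administrator.
param(
    # Assumption: the affected user's profile folder (placeholder, adjust).
    [string]$ProfilePath = 'C:\Documents and Settings\USERNAME',
    # Assumption: temporary key name for the loaded hive under HKEY_USERS.
    [string]$HiveName = 'GpoFixTemp'
)

$history = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'

function Clear-HistorySubKeys {
    param([string]$RegPath)   # provider path, e.g. Registry::HKEY_LOCAL_MACHINE\...
    if (-not (Test-Path -LiteralPath $RegPath)) {
        Write-Warning "Key not found, skipping: $RegPath"
        return
    }
    # Get-ChildItem on a registry key returns sub-keys only, so the values
    # stored directly in History and the History key itself are left in place.
    Get-ChildItem -LiteralPath $RegPath | ForEach-Object {
        Write-Output "Deleting sub-key $($_.Name)"
        Remove-Item -LiteralPath $_.PSPath -Recurse -Force
    }
}

# Step 2: machine-wide history. Export first so the change can be reverted.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
reg.exe export "HKLM\$history" "$env:TEMP\gpo-history-hklm-$stamp.reg" | Out-Null
Clear-HistorySubKeys "Registry::HKEY_LOCAL_MACHINE\$history"

# Step 3: per-user history. The load fails if the user is logged on, because
# NTUSER.DAT is then already in use (mounted under HKEY_USERS\<SID>).
reg.exe load "HKU\$HiveName" (Join-Path $ProfilePath 'NTUSER.DAT') | Out-Null
if ($LASTEXITCODE -eq 0) {
    try {
        Clear-HistorySubKeys "Registry::HKEY_USERS\$HiveName\$history"
    } finally {
        # Release provider handles on the hive, otherwise the unload is refused.
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()
        reg.exe unload "HKU\$HiveName" | Out-Null
    }
} else {
    Write-Warning "Could not load NTUSER.DAT from $ProfilePath; user hive not changed."
}

# Step 4: refresh Group Policy (/boot may restart the computer).
gpupdate.exe /force /boot
```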
Links: ME319006, MSW2KDB