Event ID: 1053 Source: Userenv

Source
Level
Description
Windows cannot determine the user or computer name. (<error description>). Group Policy processing aborted.
Comments
 
See the links to "Troubleshooting network problems" and "ADS Known Issues" for information on fixing this problem.

- Error: "Not enough storage is available to complete this operation" - See ME937535 and ME955410.
- Error: "No mapping between account names and security IDs was done" (Error code 1332) - See WITP81903.
- Error: "The specified domain either does not exist or could not be contacted" - From a newsgroup post: "I have spanningtree running on my network. When the Intel Pro Nic in my server came up, it did not wait for spanningtree to put the port in forwarding mode, causing errors related to the temporary disconnect. When I put the server's switch port into portfast mode on my Cisco 6500 series switch, the issue was resolved". In another post: "Apparently, the user of this machine configured his TCP/IP settings with static addresses and did not include the proper IP address of the domain controller for his DNS server".
In my case I have an old 2 DCs network. I started to get event id 1053 in the terminal servers logs. On the DC everything looked fine, even Exchange Web Access worked well. After some digging and searching I checked local services on the DC and found that the "Netlogon" service was paused - not stopped. I resumed it and suddenly netdiag and dcdiag completed successfully again.

Besides that I reconfigured our login script (changed the users home directory and our folder redirection group policies from dns-unc-shares to ip-unc-shares as a temporary workaround).
- Error: "The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you" - I was receiving this error on a system in our environment. Full text error is as follows:

"Windows cannot determine the user or computer name. (The system detected a possible attempt to compromise security.  Please ensure that you can contact the server that authenticated you. ). Group Policy processing aborted. "

We had joined two domains a few months ago. The old domain was still active and accounts from that domain were listed in local groups to a computer in the new domain. The following articles address this issue: ME938457, ME942564 and ME823659.

Using gpupdate (ME823659), I was able to reproduce the error. Removing the accounts referencing the old domain and running gpupdate, the error was gone. The solution ultimately came from all three articles.
A simple reboot fixes the problem in my case, at least temporarily.
I had the "Access Denied" error on 2 remote Server 2003 member servers when attempting to login with Domain Admin credentials. ME244474 resolved the issue for us.


In my case I found out that the "Client for Microsoft Networks" (in the property of the local Area Network) had disappeared for some reason. I reinstalled it and all was OK (I had 1054 from Userenv and 40961 from LsaSrv error messages, too).
I've got almost the same situation as described by contributor Rich Ailes. In my case, the user who had changed his password was still logged in. Logging him off solved the problem.
In our case, this was related to the server in question having an AMD processor. Ping responses were in negative time (-1ms). We resolved it by adding the /usepmtimer switch in boot.ini as per ME895980.
I had this error crop up with a companion error in the system log: The Security System detected an authentication error for the server cifs/FQDNservername. The failure code from authentication protocol Kerberos was "The referenced account is currently disabled and may not be logged on to.(0xc0000072)".

Turned out to be a user on a Terminal Server who'd been let go by the company, whose account had been deactivated. Their session was still running. Once I logged off the user using TS Manager, all was well.
In my case this event was a result of the server pointing to an incorrect DNS server.
This happened on two different Win XP Pro SP3 computers. After trying other solutions, I was able to resolve the issue by removing the "Client For Microsoft Networks", rebooting, then adding the client back in, and rebooting again.
In my case it was the "Receive Side Window Scaling" issue that crops up with Windows Server 2003 SP2 & Broadcom NICs. I turned off "Receive Side Window Scaling" in the Broadcom settings to restore full functionality. See ME948496 from Microsoft for more details on this issue.
In our case, the Firewall blocked the communication from our Terminal Server to the domain controller on port TCP 1026. After allowing it, the problem was gone.


One of our workstations would not log onto the domain and was showing this event ID. Removing it from the domain, joining it to a workgroup for half an hour (our servers replicate every 20 minutes), deleting its AD machine account, then finally re-adding it to the domain resolved this issue.
I found this problem in a network which lost performance every time this event occurred. I found that rebooting leaves the network fine for a while. Finally, I found a computer that joined to the domain with a "_" character in the name. Renaming it solved the problem and the event no longer occurred.
- Error: "The specified domain either does not exist or could not be contacted" - In my case, switching the network interface duplex mode from "auto sensing" to "100 MBit / full duplex" solved the problem.
- Error: "An internal error occurred" (Error code 1359) - In my case, the Workstation was running all the time and the user had time restriction on his account. He was not allowed to logon the hour before midnight and only in this period the error showed up.
This error was showing up on our Windows XP clients; users were not able to authenticate in the 2003 AD domain. The DC event viewer did not show any relevant information. The cause was traced to an Anti-Virus/Firewall program (AVG 7.5 Server) running on the DC. The AVG was updated and inadvertently reset to the default Firewall settings, blocking authentication traffic on our internal network. We opened the firewall to allow client authentication and the problem was solved.
In my case, increasing the Kerberos Token size worked on my W2K3 standard server. See ME277741 for details on how to do that.
- Error: "Access is denied" (Error code 5) - If you have multiple DCs, check your AD replication. I have had this issue when AD did not replicate because a password was changed on one server and the other DC answered the logon request and denied the account access.
In my case, this event was being generated along with EventID 1110 from source Userenv. The PC was not logging to the domain and I was not able to re-join the PC to the domain because the "Network ID" button under the "System Properties" computer name tab was grayed out. In addition, the following services failed to start "Computer browser service", "Net logon Service", "Workstation Service", and "Messenger Service".
The PC had internet connectivity but was not able to authenticate with the domain and therefore was not able to access network resources. I was able to fix this issue when I realized that my "wkssvc.dll" file, which normally resides in "C:\WINDOWS\system32" got mysteriously deleted. Once I replaced the missing "wkssvc.dll" file by copying it from another XP (Professional) machine and rebooted all went back to normal.
- Error: "A socket operation was attempted to an unreachable host" - In one case, this Event ID appeared at boot up on a computer running on Windows 2003 SP1. It was a domain controller that had been restored from an image for testing purposes. The network configuration was correct but it was being used stand-alone and was not connected to a network. This Event ID stopped appearing at boot up when the computer was cabled to a switch.
- Error: "The network location cannot be reached" - In one case, this Event ID appeared at boot up on a computer running on Windows 2003 SP1. It was a domain controller that had been restored from an image for testing purposes. The network configuration had been cleared when TCP/IP was reinstalled. See ME325356. It was being used stand-alone and was not connected to a network. This Event ID stopped appearing at boot up when the network configuration was entered and the computer was cabled to a switch.


In my case, a WinXP workstation logged events 40960 and 40961 from source LsaSrv as well as event 1053 from source UserEnv. The problem was corrected by updating the Intel Gigabit NIC driver on the server.
We received this event along with event 40960, 40961, and 1219 in the application log. The server lost connection to the DC and all accounts in the admin group showed just as their SIDs. We found that restarting the Site Server Content Deployment (CRS) service fixed the problem.
- Error: "Not enough storage is available to complete this operation" - In my case, this error was caused by Backup Exec 10 agent memory leaks. This led to general unstable system behavior. See WITP76098 for information on how to troubleshoot kernel-mode memory leaks.
If you are running a dual-port NIC, make sure your drivers are correct. The Intel PRO 1000 MT series must be teamed in order to work properly with Server 2K3. Make sure you get the latest driver set and install it manually. You will know when you have the right set when you get the advanced tab on the connection properties page. There will be an option that allows you to team the ports. Use it! AD will not work otherwise.
In my case, this was happening for roaming notebook users when they were not connected to the domain in the office.
When logging onto a 2k3 terminal server, we would get the "The RPC server is unavailable" message. I restarted the netlogon service and this solved my problem.
We were getting Event Id 1053 in the Application event log "Windows cannot determine the computer or user name. (Access is denied.). Group Policy processing aborted.". We discovered that the error started to happen after a reboot of a Windows Server 2003 DC. The DC had Event Id 529 logged after its reboot. The information in the 529 event contained the reason "Unknown user name or bad password", a logon type of 3, and the logon process and authentication process set to Kerberos.
We had the following group policy enabled in the Security settings "Audit: Shut down system immediately if unable to log security alerts". The GPO settings for the security event log were set to "Do not overwrite events (clear log manually)". When the DC was rebooted, Windows Server 2003 was setting the Crash On Audit Fail registry key (HKLM\System\CurrentControlSet\Control\Lsa\crashonauditfail) to 2.
Note that no Crash On Audit Fail blue screen appeared and the security event log was not full so there was no related message shown. We therefore had no indication that the crash on audit fail registry key had been set to 2. With this registry key set to 2 only administrators can log on to the DC. Setting the value of this key to 0, changing the GPO's to disable "Audit: Shut down system immediately if unable to log security alerts", and changing the retention method of the security event log to "Overwrite events as needed" solved the problem.
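A check for the silent lockout state described in the comment above, as an added example that is not part of the original page or of any contributor's comment. It reads the CrashOnAuditFail value and the Security log retention setting and summarizes the error text of recent Userenv 1053 events; the function name is hypothetical, and it assumes an elevated Windows PowerShell 2.0 or later session on the affected server.

```powershell
# Added example (not from the original page). Get-AuditFailState is a
# hypothetical name; the registry paths are the standard Windows locations.
function Get-AuditFailState {
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $logKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'

    $caf = (Get-ItemProperty $lsaKey -Name CrashOnAuditFail -ErrorAction SilentlyContinue).CrashOnAuditFail
    $ret = (Get-ItemProperty $logKey -Name Retention -ErrorAction SilentlyContinue).Retention

    # 0 = off, 1 = armed, 2 = triggered (the state the comment describes)
    if     ($null -eq $caf) { $cafText = 'value not present (feature off)' }
    elseif ($caf -eq 0)     { $cafText = 'off' }
    elseif ($caf -eq 1)     { $cafText = 'armed: system halts if an audit event cannot be logged' }
    elseif ($caf -eq 2)     { $cafText = 'TRIGGERED: only administrators can log on' }
    else                    { $cafText = "unexpected value $caf" }

    # Retention is a DWORD: 0 = overwrite as needed, 0xFFFFFFFF = never overwrite,
    # anything else = minimum age in seconds before an event may be overwritten.
    if ($null -eq $ret) { $retText = 'value not present' }
    else {
        $r = [int64]$ret
        if ($r -lt 0) { $r += 4294967296 }   # DWORD may surface as a signed Int32
        if     ($r -eq 0)          { $retText = 'Overwrite events as needed' }
        elseif ($r -eq 4294967295) { $retText = 'Do not overwrite events (clear log manually)' }
        else   { $retText = "Overwrite events older than $([math]::Round($r / 86400)) days" }
    }

    # Pull the parenthesised error out of recent 1053 descriptions and count each one.
    $errors = Get-EventLog -LogName Application -Source Userenv -Newest 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 1053 } |
        ForEach-Object {
            if ($_.Message -match '(?s)\((.+)\)\.\s*Group Policy processing aborted') { $matches[1].Trim() }
        } |
        Group-Object | Sort-Object Count -Descending |
        ForEach-Object { '{0} x {1}' -f $_.Count, $_.Name }

    New-Object PSObject -Property @{
        CrashOnAuditFail  = $cafText
        SecurityRetention = $retText
        Recent1053Errors  = $errors
        LockoutLikely     = ($caf -eq 2)
    }
}

Get-AuditFailState | Format-List
```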
I had this problem on a Windows 2003 Terminal Server that was a domain member. The Local Admin account had been disabled. After I enabled the account, the problem disappeared instantly.
- Error: "Access is denied" (Error code 5) - See ME262958.
- Error: "There are no more endpoints available from the endpoint mapper" (Error code 1753) - See ME839880.
- Error: "The remote procedure call failed" (Error code 1726) - From a newsgroup post: "The problem was caused by a wrongly configured Exchange RPC rule, which also worked on the internal interface. After reconfiguring this rule to work only on the external interface the problem was solved".
- Error: "No mapping between account names and security IDs was done" (Error code 1332) - See ME883271.

From a newsgroup post: "I solved the problem. Something really odd was happening in the DNS configuration. While in the DNS console everything looked fine, in the SBS administration console, Computer management (local), Service and application, DNS there was something different: The zone was pointing to another address. I had to delete zone and recreate the reverse lookup zone manually. Then stop logon service, flush DNS and register DNS again with ipconfig /registerdns".

As per MSW2KDB, a network connectivity or configuration problem exists. Group Policy settings cannot be applied until the problem is fixed. See MSW2KDB for details on troubleshooting this problem.


We got this error every 5 minutes after we changed the DNS entry for the server. A reboot fixed it.
In my case, this problem was fixed by deleting and re-creating the Active Directory connections on all the DCs.
After applying the recommended security settings from Microsoft this event started to occur on the member servers running Windows 2003. The problem in our case was that the security settings were too hard. The security had to be loosened. Authenticated Users needs Read and System needs Full Control on the OU where the servers are located.
In our case, an apparently corrupt OU caused the servers in it to create the event ID 1000 (Userenv) with message: "Windows cannot determine the user or computer name. Return value (1317)", on Windows 2000 servers, and event ID 1053 (Userenv) with message "Windows cannot determine the user or computer name. (The specified user does not exist). Group Policy processing aborted", on Windows 2003 servers. In each case, the event appeared every 60 to 120 minutes (the machine’s policy update interval). Moving the servers back to “Computers” stopped the event. The OU looked and behaved normal otherwise. Deleting and creating the OU again (even with the same name) solved the problem.
Error: "Access is denied" (Error code 5) - From a newsgroup post: "The error occurred on WinXp Pro connected to W2K Server with active directory installed and running. The cause was I had my network settings for my internal nic screwed up. I disabled lmhost and netbui over tcp/ip."

Error: "The specified domain either does not exist or could not be contacted" (Error code 1355) - From a newsgroup post: "Make sure that your primary DNS server is the one authoritative for the domain you are logging in to. To check this, at a command prompt (Start > Run > cmd) type "ipconfig /all". Review your DNS servers."
If the error occurred when you attempt to join a Microsoft Windows 2000-based client to a Microsoft Windows NT 4.0-based or Windows 2000-based domain see ME256083.
If you are using DHCP, make sure the DNS Server option (006) is set in your scope options.
Error: "The specified user does not exist" (Error code 1317) -  Verify the DNS Settings. This will occur if your DNS server is unable to resolve information about your domain.
From the newsgroup microsoft.public.windowsxp.basics, for the error "Not enough storage is available to complete this operation":
"As per ME263693, you need to either install the hotfix or the latest SP, and "increase the Kerberos Token size" on all of your machines by making the mentioned registry changes. The Q article doesn't contain the error message we are getting, but I have spoken to MS tech support, and this is the fix."
