Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 1090 Source: Userenv

Source
Level
Description
Windows couldn't log the RSoP (Resultant Set of Policies) session status. An attempt to connect to WMI failed. No more RSoP logging will be done for this application of policy.
Comments
 
I was receiving this issue across several Windows XP Professional SP2 machines. gpresult yielded "ERROR: Logon failure: unknown user name or bad password" and the policy was not getting applied to some of the PCs. Long story short, the problem was related to ME894794. I have not yet applied the patch but removing all my service settings in the Policy (Computer -> Windows Settings -> Security Settings -> System Services) cleared things up nicely.
A miss-configuration by an application developer caused Logical Disk manager, rsop.msc, and WSUS updates to fail on Windows 2003 Enterprise SP1 server. To resolve the problem, go to Start -> Programs -> Administrative Tools -> Component Services. Here, select Component Services under the Console Root -> Computers -> My Computer. Right click My Computer -> Properties. Select the Default Properties tab. Select Default Authentication Level: “Connect" and Default Impersonation Level: "Identify". This restored the functionality.
As per Microsoft: "The Resultant Set of Policy (RSoP) information for this application of Group Policy could not be processed. Even though Group Policy might have been successfully applied, the RSoP diagnostic information is not available". See MSW2KDB for details on this problem.

From a newsgroup post, from a Microsoft Engineer: "It could be that there is a problem with WMI on this machine.  You can try recreating some of the WMI files using the steps below:
1 Stop the Windows Management Instrumentation service.
2 Go to the %SystemRoot%\System32\Wbem\Repository folder.
3. Delete all of the files that are in the %SystemRoot%\System32\Wbem\Repository folder.
4 Restart the computer. The files that were deleted are recreated when the computer restarts.
The Windows Management Instrumentation service will start automatically when you restart the computer".

In addition, "Error messages for RSoP" might be of some help. See the link below. "Windows Management Instrumentation FAQ" provides information on WMI.
In one case this happed on a Windows XP SP2 computer after it was added to a Windows 2003 domain and the computer was restarted twice (once as part of the procedure for adding the computer to the domain and an extra one). No Windows 2003 computers configured the same way had this problem. Other symptoms: Alternate-clicking "My Network Places" resulted in an empty dialog box. Starting NTBACKUP resulted in an extra dialog box with the message "The Backup Utility cannot connect to the Removable Storage service". Starting Norton Ghost 2003 resulted in a dialog box with the message "Couldn't contact Ghost Start Agent. (0x80070005)". When I tried to install the Microsoft Windows XP SP2 Support Tools, I got a dialog box with the message "Microsoft Installer failed".

The Event ID appeared on a domain controller running Windows 2003 and the computer named in the description was a workstation running Windows XP SP2. This appeared after Group Policy changes on the domain controller were made and after the workstation was restarted twice (once to pick up the change in Group Policy and again to be affected by it at Windows startup).

The relevant part of the Default Domain Policy that caused this is shown in condensed form below:

Console Root
  {Group Policy}
    Computer Configuration
      Software Settings
        Windows Settings
          Scripts (Startup/Shutdown)
          Security Settings
            Account Policies
            Local Policies
              Audit Policy
                User Rights Assignment
                  Impersonate a client after authentication <MyGroup>.

Resolution: Change the above policy setting for Impersonate a client after authentication to: Administrators, <MyGroup>, SERVICE.

Restart the workstation twice (once to pick up the change in Group Policy and again to be affected by it at Windows startup).
I use this whenever I have this error and it works better than deleting and refreshing the repository:
   cd /d %windir%\system32.
   regsvr32 /n /I userenv.dll.
   cd wbem.
   mofcomp scersop.mof.
   gpupdate /force


Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.

Read more...

 

Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.

Read more...