Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net. The EventId.Net for Splunk Add-on assumes that Splunk is collecting information from Windows servers and workstation via the Splunk Universal Forwarder.
Windows couldn't log the RSoP (Resultant Set of Policies) session status. An attempt to connect to WMI failed. No more RSoP logging will be done for this application of policy.
|English: This information is only available to subscribers. An example of English, please!|
|Concepts to understand:|
What is WMI?
What is the role of Userenv?
What is the Resultant Set of Policy?
I was receiving this issue across several Windows XP Professional SP2 machines. gpresult yielded "ERROR: Logon failure: unknown user name or bad password" and the policy was not getting applied to some of the PCs. Long story short, the problem was related to ME894794. I have not yet applied the patch but removing all my service settings in the Policy (Computer -> Windows Settings -> Security Settings -> System Services) cleared things up nicely.
A miss-configuration by an application developer caused Logical Disk manager, rsop.msc, and WSUS updates to fail on Windows 2003 Enterprise SP1 server. To resolve the problem, go to Start -> Programs -> Administrative Tools -> Component Services. Here, select Component Services under the Console Root -> Computers -> My Computer. Right click My Computer -> Properties. Select the Default Properties tab. Select Default Authentication Level: “Connect" and Default Impersonation Level: "Identify". This restored the functionality.
As per Microsoft: "The Resultant Set of Policy (RSoP) information for this application of Group Policy could not be processed. Even though Group Policy might have been successfully applied, the RSoP diagnostic information is not available". See MSW2KDB for details on this problem.
From a newsgroup post, from a Microsoft Engineer: "It could be that there is a problem with WMI on this machine. You can try recreating some of the WMI files using the steps below:
1 Stop the Windows Management Instrumentation service.
2 Go to the %SystemRoot%\System32\Wbem\Repository folder.
3. Delete all of the files that are in the %SystemRoot%\System32\Wbem\Repository folder.
4 Restart the computer. The files that were deleted are recreated when the computer restarts.
The Windows Management Instrumentation service will start automatically when you restart the computer".
In addition, "Error messages for RSoP" might be of some help. See the link below. "Windows Management Instrumentation FAQ" provides information on WMI.
In one case this happed on a Windows XP SP2 computer after it was added to a Windows 2003 domain and the computer was restarted twice (once as part of the procedure for adding the computer to the domain and an extra one). No Windows 2003 computers configured the same way had this problem. Other symptoms: Alternate-clicking "My Network Places" resulted in an empty dialog box. Starting NTBACKUP resulted in an extra dialog box with the message "The Backup Utility cannot connect to the Removable Storage service". Starting Norton Ghost 2003 resulted in a dialog box with the message "Couldn't contact Ghost Start Agent. (0x80070005)". When I tried to install the Microsoft Windows XP SP2 Support Tools, I got a dialog box with the message "Microsoft Installer failed".
The Event ID appeared on a domain controller running Windows 2003 and the computer named in the description was a workstation running Windows XP SP2. This appeared after Group Policy changes on the domain controller were made and after the workstation was restarted twice (once to pick up the change in Group Policy and again to be affected by it at Windows startup).
The relevant part of the Default Domain Policy that caused this is shown in condensed form below:
User Rights Assignment
Impersonate a client after authentication <MyGroup>.
Resolution: Change the above policy setting for Impersonate a client after authentication to: Administrators, <MyGroup>, SERVICE.
Restart the workstation twice (once to pick up the change in Group Policy and again to be affected by it at Windows startup).
I use this whenever I have this error and it works better than deleting and refreshing the repository:
cd /d %windir%\system32.
regsvr32 /n /I userenv.dll.
|Private comment: Subscribers only. See example of private comment|
|Links: Error messages for RSoP, Windows Management Instrumentation FAQ|
|Search: Google - Bing - Microsoft - Yahoo - EventID.Net Queue (0) - More links...|
|Custom search for *****: Google - Bing - Microsoft - Yahoo|
Send comments or solutions
- Notify me when updated