Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 1091 Source: Userenv

Source
Level
Description
The Group Policy client-side extension IP Security failed to log RSOP (Resultant Set of Policy) data. Please look for any errors reported earlier by that extension.
Comments
 
See ME931352 for information about this event.
As per MSW2KDB, this error indicates that Windows Management Instrumentation (WMI) is not functioning correctly. As a result, the client-side extension can not process Resultant Set of Policy (RSoP) information. Even though Group Policy might have been successfully applied, the RSoP diagnostic information is not available.

Per Microsoft: “This behavior may occur if you have a Microsoft Windows 2000 domain that includes Windows Server 2003-based servers, and you apply Internet Protocol security (IPSec) policies by using Group Policy. These event messages appear in the Application event log every time that these policies are applied on the Windows Server 2003-based servers”. See ME823608 to fix this problem".

From a newsgroup post: "Please perform the following actions and check how things go after each step:
1. At the cmd line enter (run the following commands from the windows\system32\wbem folder and hit enter after each line):
- mofcomp exwmi.mof.
- mofcomp -n:root\cimv2\applications\exchange wbemcons.mof.
- mofcomp -n:root\cimv2\applications\exchange smtpcons.mof.
- mofcomp exmgmt.mof.
- mofcomp rsop.mof.
- mofcomp rsop.mfl.
- cd back down one level to windows\system32 and run the following:
- regsvr32 /n /i userenv.dll.
- reboot the system.
- After the reboot, you should no longer see the event. However if you still see event 1091 after reboot, re-register the security client dll by running the following commands:
- regsvr32 /u scecli.dll.
- regsvr32 scecli.dll.
2. Perform a gpupdate and see if event 1090 from source Userenv is gone.
3. If the event is still present, read ME281888 for further troubleshooting information.
4. Run the following switches:
winmgmt /regserver winmgmt /resyncperf winmgmt –e.
5. Reboot and perform a gpupdate. See if the event is gone".
After installing Windows 2003 SP1 and SBS 2003 SP1 the problem still existed. The problem seemed to be caused by a Group Policy (Default Domain Controller Policy) that contained some damaged/corrupt IPSec settings. No IPSec settings were visible in the policy but because the GPO was corrupted. I copied the settings of the Corrupt Group Policy to a new policy and disabled the corrupt Group Policy. This solved our problem. To check if the problem is caused by a corrupted IPSec policy, look for the file "gptext.log" (C:\%windows dir%\debug\usermode\gptext.log). This logfile contains all the IPsec policy errors.
This problem is caused due to having Folder Redirection enabled and the use of Group Policy to set the user's internet connection settings. See ME888254 for a hotfix applicable to Microsoft Windows XP.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.

Read more...

 

Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.

Read more...