Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net. The EventId.Net for Splunk Add-on assumes that Splunk is collecting information from Windows servers and workstation via the Splunk Universal Forwarder.
The Group Policy client-side extension IP Security failed to log RSOP (Resultant Set of Policy) data. Please look for any errors reported earlier by that extension.
|English: This information is only available to subscribers. An example of English, please!|
|Concepts to understand:|
What is the Group Policy?
What are the Group Policy client-side extensions?
What is the role of Userenv?
What is the Resultant Set of Policy?
See ME931352 for information about this event.
As per MSW2KDB, this error indicates that Windows Management Instrumentation (WMI) is not functioning correctly. As a result, the client-side extension can not process Resultant Set of Policy (RSoP) information. Even though Group Policy might have been successfully applied, the RSoP diagnostic information is not available.
Per Microsoft: “This behavior may occur if you have a Microsoft Windows 2000 domain that includes Windows Server 2003-based servers, and you apply Internet Protocol security (IPSec) policies by using Group Policy. These event messages appear in the Application event log every time that these policies are applied on the Windows Server 2003-based servers”. See ME823608 to fix this problem".
From a newsgroup post: "Please perform the following actions and check how things go after each step:
1. At the cmd line enter (run the following commands from the windows\system32\wbem folder and hit enter after each line):
- mofcomp exwmi.mof.
- mofcomp -n:root\cimv2\applications\exchange wbemcons.mof.
- mofcomp -n:root\cimv2\applications\exchange smtpcons.mof.
- mofcomp exmgmt.mof.
- mofcomp rsop.mof.
- mofcomp rsop.mfl.
- cd back down one level to windows\system32 and run the following:
- regsvr32 /n /i userenv.dll.
- reboot the system.
- After the reboot, you should no longer see the event. However if you still see event 1091 after reboot, re-register the security client dll by running the following commands:
- regsvr32 /u scecli.dll.
- regsvr32 scecli.dll.
2. Perform a gpupdate and see if event 1090 from source Userenv is gone.
3. If the event is still present, read ME281888 for further troubleshooting information.
4. Run the following switches:
winmgmt /regserver winmgmt /resyncperf winmgmt –e.
5. Reboot and perform a gpupdate. See if the event is gone".
After installing Windows 2003 SP1 and SBS 2003 SP1 the problem still existed. The problem seemed to be caused by a Group Policy (Default Domain Controller Policy) that contained some damaged/corrupt IPSec settings. No IPSec settings were visible in the policy but because the GPO was corrupted. I copied the settings of the Corrupt Group Policy to a new policy and disabled the corrupt Group Policy. This solved our problem. To check if the problem is caused by a corrupted IPSec policy, look for the file "gptext.log" (C:\%windows dir%\debug\usermode\gptext.log). This logfile contains all the IPsec policy errors.
This problem is caused due to having Folder Redirection enabled and the use of Group Policy to set the user's internet connection settings. See ME888254 for a hotfix applicable to Microsoft Windows XP.
|Private comment: Subscribers only. See example of private comment|
|Search: Google - Bing - Microsoft - Yahoo - EventID.Net Queue (1) - More links...|
|Custom search for *****: Google - Bing - Microsoft - Yahoo|
Send comments or solutions
- Notify me when updated