Event ID: 1704 Source: SceCli

Security policy in the Group policy objects are applied successfully.
This event is recorded after each successful refresh of a Windows 2000 security policy. It can also be generated at regular intervals, depending on the Security Policy Refresh settings (for example, on the operational master domain controller, the default refresh interval is 5 minutes). The Group Policy Refresh interval can be set in the "Computer Configuration\Administrative Templates\System\Group" node of the group policy.

A stand-alone server is updated approximately every 17 hours. The security policy update can be initiated manually using one of the following commands, depending on which part of the security policy you want to update:
secedit /refreshpolicy machine_policy
secedit /refreshpolicy user_policy
The policies are also applied automatically at startup (the machine policy) or during user logon (the user policy).
See ME234237, ME250874, ME324800 and ME887442 for specific situations in which this event occurs.
See ME884559 for a hotfix applicable to Microsoft Windows 2000.
If you notice an excessive number of 1704 event log entries, it might be because the system was set up with sysprep. Sysprep erroneously sets the data value of MaxNoGPOListChangesInterval to 1, causing the GPO to reload on every startup.

To work around this issue, reset HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\MaxNoGPOListChangesInterval to decimal 960 (0x3c0), that is 16 hours, the default for this REG_DWORD value.

NOTE: MaxNoGPOListChangesInterval is the number of minutes that the Group Policy Extension is to be skipped because the policy has not changed.
See the "Windows 2000 Group Policy" white paper for details about group policies.
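
The following PowerShell script is an added example, not part of the original article: it counts recent 1704 events from SceCli, reads MaxNoGPOListChangesInterval, and optionally resets it to 960 as described above. It assumes a system where Get-WinEvent is available and where SceCli writes to the Application log; the parameter names Hours and Fix are illustrative.

```powershell
# Added example: audit SceCli 1704 frequency and the sysprep-related registry value.
# Assumption: SceCli events are written to the Application log on this system.
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$Hours = 24,   # look-back window for counting 1704 events
    [switch]$Fix        # reset the value to the default when it differs
)

$key     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'
$name    = 'MaxNoGPOListChangesInterval'
$default = 960          # minutes (0x3c0), 16 hours

# Collect 1704 events in the window, oldest first.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'SceCli'
    Id           = 1704
    StartTime    = (Get-Date).AddHours(-$Hours)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
            Sort-Object TimeCreated)

# Minutes between consecutive events; very short gaps indicate constant re-application.
$gaps = for ($i = 1; $i -lt $events.Count; $i++) {
    ($events[$i].TimeCreated - $events[$i - 1].TimeCreated).TotalMinutes
}
$minGap = ($gaps | Measure-Object -Minimum).Minimum

# Read the current interval; $null means the value is not present.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

[pscustomobject]@{
    WindowHours      = $Hours
    Event1704Count   = $events.Count
    MinGapMinutes    = $minGap
    CurrentInterval  = $current
    SysprepValueSeen = ($current -eq 1)   # 1 is the value sysprep sets erroneously
    MatchesDefault   = ($current -eq $default)
}

# Apply the workaround only on request; -WhatIf shows the change without making it.
if ($Fix -and $current -ne $default -and
    $PSCmdlet.ShouldProcess("$key\$name", "Set to $default")) {
    Set-ItemProperty -Path $key -Name $name -Value $default -Type DWord
}
```

Run it from an elevated prompt; without -Fix the script only reports and changes nothing.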

Article ME277543 describes how to delay the security policy from being applied when no changes have been made in the Group Policy object.
The event can be recorded after running the "Secedit /refreshpolicy machine_policy" command. This command tells the server to check Active Directory for any updates to the policy and, if there are any, to download them immediately. The event occurs if the policy is downloaded successfully. See the TechNet article "Internet Data Center Security Solutions" for details.