Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net. The EventId.Net for Splunk Add-on assumes that Splunk is collecting information from Windows servers and workstation via the Splunk Universal Forwarder.
The Winlogon notification subscriber <subscriber> failed a critical notification event.
|English: Request a translation of the event description in plain English.|
If the security settings for the user registry (ntuser.dat/ntuser.man and UsrClass.dat) do not allow the user to read or modify their own registry, this error may occur. This is a typical case when the user profile is being accessed on a different computer, or the underlying account is different, such as when a local account is created and the profile is transferred for use as a mandatory profile with a domain account.
If this is the case, to replace the SID, load the registry to a hive such as HKU\user with regedit.exe. Look at the security settings for the hive, and if an unresolved (unknown) SID exists, it is probably the old SID for the user. In advanced settings, note the SID, to be copied and pasted in a moment. Then, obtain setacl.exe and run a command such as the following, where n1 is a paste of the SID that needs replacing, and n2 specifies the Username to replace it with, aka the username of the account whose hive you loaded:
setacl.exe -on "HKU\user" -ot reg -actn trustee -rec yes -trst "n1:S-1-5-21-555555555-555555555-5555555555-5555, n2:UserName, s1:y, ta:repltrst, w:dacl"
Do this for both ntuser.dat/ntuser.man and UsrClass.dat.
From a newsgroup post:
<Subscriber> = GPClient. Caused when creating mandatory profiles on Windows 2008 Terminal Server. To solve, create mandatory profiles as follows:
1. Create a test account (e.g. TestUser) that has permissions to login to the TS. Do not set a path for a TS profile (e.g. \\TermSrvr01\TSProfiles\Mandatory\Inspection)
2. Log in to the TS as TestUser. This will create a local profile under C:\Users\TestUser
3. Modify the desktop icons, background, etc. like you want for the mandatory profile. Log out.
4. Log in to the TS as Administrator
5. Open System Properties (Windows + Break keys),
6. Click on the Advanced System Settings link. Click on the Advanced tab.
7. Under User Profiles, click the Settings button.
8. From the profile list, highlight the local profile for TestUser. Click the CopyTo button.
9. Under Copy Profile to , type the path to a non-existent folder that will contain the mandatory profile. You must append .V2 to the folder name. In my example: \\TermSrvr01\TSProfiles\Mandatory\Inspection.V2
10. Under Permitted to use , click the Change button.
11. Click "Objects Types" button and check the Group checkbox.
12. Under Enter the object name , enter a security group that TestUser is a member. Click OK.
13. Click OK to start the copy (the folder with .V2 extension will be created).
14. Browse to the mandatory profile folder, rename NTUSER.DAT to NTUSER.MAN.
16. Important note! When assigning the TS profile path to user accounts DO NOT include the .V2 extension on the folder path. In my example: \\TermSrvr01\TSProfiles\Mandatory\Inspection
This issue may occur if the user profile was manually deleted by using the command prompt or by using Windows Explorer. See ME947215 for information on solving this problem.
|Private comment: Subscribers only. See example of private comment|
|Search: Google - Bing - Microsoft - Yahoo - EventID.Net Queue (0) - More links...|
|Custom search for *****: Google - Bing - Microsoft - Yahoo|
Send comments or solutions
- Notify me when updated