Event ID: 6004 Source: Microsoft-Windows-Winlogon

Level
Description
The Winlogon notification subscriber <subscriber> failed a critical notification event.
Comments
 
If the security settings for the user registry (ntuser.dat/ntuser.man and UsrClass.dat) do not allow the user to read or modify their own registry, this error may occur. This is a typical case when the user profile is being accessed on a different computer, or the underlying account is different, such as when a local account is created and the profile is transferred for use as a mandatory profile with a domain account.

If this is the case, to replace the SID, load the registry to a hive such as HKU\user with regedit.exe. Look at the security settings for the hive, and if an unresolved (unknown) SID exists, it is probably the old SID for the user. In advanced settings, note the SID, to be copied and pasted in a moment. Then, obtain setacl.exe and run a command such as the following, where n1 is a paste of the SID that needs replacing, and n2 specifies the Username to replace it with, aka the username of the account whose hive you loaded:

setacl.exe -on "HKU\user" -ot reg -actn trustee -rec yes -trst "n1:S-1-5-21-555555555-555555555-5555555555-5555, n2:UserName, s1:y, ta:repltrst, w:dacl"

Do this for both ntuser.dat/ntuser.man and UsrClass.dat.
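
To confirm which trustee on the loaded hive is the stale one before replacing it, the following lists the DACL entries whose SID no longer resolves to an account. This is an added example, not part of the original comment. It assumes the hive is already loaded under HKU\user as described above and that it is run from an elevated PowerShell prompt. The function name and the -HiveKey parameter are hypothetical, and only the hive's root key is inspected.

```powershell
# Added example: report DACL entries on a loaded user hive whose SID
# cannot be translated to an account name (the "unknown" SID in regedit).
# Assumption: the hive is mounted at HKU\user, as in the comment above.
param(
    [string]$HiveKey = 'Registry::HKEY_USERS\user'
)

function Get-UnresolvedHiveTrustee {
    param([Parameter(Mandatory)][string]$KeyPath)

    $acl = Get-Acl -Path $KeyPath
    # Request the rules keyed by raw SID so nothing is pre-translated.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference
        try {
            # Resolvable SIDs (SYSTEM, Administrators, live accounts) pass here.
            $null = $sid.Translate([System.Security.Principal.NTAccount])
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            # No account maps to this SID: candidate for the n1: value.
            [pscustomobject]@{
                Key       = $KeyPath
                Sid       = $sid.Value
                Rights    = $rule.RegistryRights
                Type      = $rule.AccessControlType
                Inherited = $rule.IsInherited
            }
        }
    }
}

if (-not (Test-Path -Path $HiveKey)) {
    throw "No hive is loaded at $HiveKey"
}

Get-UnresolvedHiveTrustee -KeyPath $HiveKey | Format-Table -AutoSize
```

Run it once for the loaded ntuser.dat/ntuser.man hive and once for the loaded UsrClass.dat hive. An empty result means the hive root carries no unresolved SID.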

From a newsgroup post:
<Subscriber> = GPClient. Caused when creating mandatory profiles on Windows 2008 Terminal Server. To solve, create mandatory profiles as follows:

1. Create a test account (e.g. TestUser) that has permissions to log in to the TS. Do not set a path for a TS profile (e.g. \\TermSrvr01\TSProfiles\Mandatory\Inspection).
2. Log in to the TS as TestUser. This will create a local profile under C:\Users\TestUser.
3. Modify the desktop icons, background, etc. like you want for the mandatory profile. Log out.
4. Log in to the TS as Administrator.
5. Open System Properties (Windows + Break keys).
6. Click on the Advanced System Settings link. Click on the Advanced tab.
7. Under User Profiles, click the Settings button.
8. From the profile list, highlight the local profile for TestUser. Click the Copy To button.
9. Under Copy Profile to, type the path to a non-existent folder that will contain the mandatory profile. You must append .V2 to the folder name. In my example: \\TermSrvr01\TSProfiles\Mandatory\Inspection.V2
10. Under Permitted to use, click the Change button.
11. Click the "Object Types" button and check the Group checkbox.
12. Under Enter the object name, enter a security group that TestUser is a member of. Click OK.
13. Click OK to start the copy (the folder with .V2 extension will be created).
14. Browse to the mandatory profile folder, rename NTUSER.DAT to NTUSER.MAN.
15. Done.
16. Important note! When assigning the TS profile path to user accounts DO NOT include the .V2 extension on the folder path. In my example: \\TermSrvr01\TSProfiles\Mandatory\Inspection

This issue may occur if the user profile was manually deleted by using the command prompt or by using Windows Explorer. See ME947215 for information on solving this problem.
