USERENV 1000 Events

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

Group Policy problems generate Event ID: 1000 error messages in the event log. The following message is a typical:

Event Type: Error 
Event Source: Userenv 
Event Category: None 
Event ID: 1000 
Date: date 
Time: time 
User: NT AUTHORITY\SYSTEM 
Computer: computer name 

Description: The Group Policy client-side extension Security was 
passed flags (17) and returned a failure status code of (1332). 

The flags that are passed are a decimal representation of flags that are defined in the Userenv.h Windows 2000-based computers do not use codes that are greater than 0x100 while Windows XP-based computers use the entire range. Excerpt from Userenv.h:

#define GPO_INFO_FLAG_MACHINE 0x00000001 // 
Apply machine policy rather than user policy 
#define GPO_INFO_FLAG_BACKGROUND 0x00000010 // 
Background refresh of policy (ok to do slow stuff) 
#define GPO_INFO_FLAG_SLOWLINK 0x00000020 // 
Policy is being applied across a slow link 
#define GPO_INFO_FLAG_VERBOSE 0x00000040 // 
Verbose output to the eventlog 
#define GPO_INFO_FLAG_NOCHANGES 0x00000080 // 
No changes were detected to the Group Policy Objects 
#define GPO_INFO_FLAG_LINKTRANSITION 0x00000100 // 
A change in link speed was detected between previous policy application and current policy application 
#define GPO_INFO_FLAG_LOGRSOP_TRANSITION 0x00000200 // 
A Change in Rsop Logging was detected between previous policy application and current policy application, (new intf only) 
#define GPO_INFO_FLAG_FORCED_REFRESH 0x00000400 // 
Forced Refresh is being applied. redo policies. 
#define GPO_INFO_FLAG_SAFEMODE_BOOT 0x00000800 // 
windows safe mode boot flag 

Convert decimal flag value that is specified in the event message (17) to hexadecimal: 0x00000011. From the excerpt: both the GPO_INFO_FLAG_MACHINE and GPO_INFO_FLAG_BACKGROUND flags are set. The failure status code in the event is a Win32 error code. You can translate the error message to a more readable message by using the net helpmsg command. For example, if you type net helpmsg 1332 at a command prompt and then press ENTER, you receive a "No mapping between account names and security IDs was done" message. This error is caused (in this case) by a policy that is assigning a user right to an SID for a deleted user.

Related tips:

See Also

Featured Links