USERENV 1000 Events

Group Policy problems generate Event ID: 1000 error messages in the event log. The following message is a typical:

Event Type: Error

Event Source: Userenv

Event Category: None

Event ID: 1000

Date: date

Time: time

User: NT AUTHORITY\SYSTEM

Computer: computer name 

Description: The Group Policy client-side extension Security was

passed flags (17) and returned a failure status code of (1332).

The flags that are passed are a decimal representation of flags that are defined in the Userenv.h Windows 2000-based computers do not use codes that are greater than 0x100 while Windows XP-based computers use the entire range. Excerpt from Userenv.h:

#define GPO_INFO_FLAG_MACHINE 0x00000001 //

Apply machine policy rather than user policy

#define GPO_INFO_FLAG_BACKGROUND 0x00000010 //

Background refresh of policy (ok to do slow stuff)

#define GPO_INFO_FLAG_SLOWLINK 0x00000020 //

Policy is being applied across a slow link

#define GPO_INFO_FLAG_VERBOSE 0x00000040 //

Verbose output to the eventlog

#define GPO_INFO_FLAG_NOCHANGES 0x00000080 //

No changes were detected to the Group Policy Objects

#define GPO_INFO_FLAG_LINKTRANSITION 0x00000100 //

A change in link speed was detected between previous policy application and current policy application

#define GPO_INFO_FLAG_LOGRSOP_TRANSITION 0x00000200 //

A Change in Rsop Logging was detected between previous policy application and current policy application, (new intf only)

#define GPO_INFO_FLAG_FORCED_REFRESH 0x00000400 //

Forced Refresh is being applied. redo policies.

#define GPO_INFO_FLAG_SAFEMODE_BOOT 0x00000800 //

windows safe mode boot flag

Convert decimal flag value that is specified in the event message (17) to hexadecimal: 0x00000011. From the excerpt: both the GPO_INFO_FLAG_MACHINE and GPO_INFO_FLAG_BACKGROUND flags are set. The failure status code in the event is a Win32 error code. You can translate the error message to a more readable message by using the net helpmsg command. For example, if you type net helpmsg 1332 at a command prompt and then press ENTER, you receive a “No mapping between account names and security IDs was done” message. This error is caused (in this case) by a policy that is assigning a user right to an SID for a deleted user.

Related tips:

• Every five minutes the following event error messages are added to the Application log …
  
• Event ID 1000,1001 Is Logged Every 5 Minutes in the Application Event Log
  
• Event ID 101 and Event ID 1000 Messages May Be Displayed When Folder Redirection Is Set Up with Group Policy
  
• Error Messages Every 5 Minutes Report Events 1000, 1001, and 13508, Citing Replication Trouble
  
• Event ID1000 and Event ID 1202 Messages Are Reported When You Set Security on the File Replication Service by Using Group Policy
  
• Event IDs 1000, 1202, 412 and 454 Are Logged Repeatedly in the Application Event Log
  
• SceCli Event ID 1001 and UserEnv Event ID 1000 When Dfs Client Is Disabled
  
• Event ID 1000 and 1202 After Configuring Policies
  
• Event ID: 1000 Due to Trailing Blank Space in User Profile Path
  
• DNS, Intersite Messaging, Global Catalog, NTFRS, and “Invalid Credentials” Error Messages on Domain Controller