Skip navigation
Menu
Compute Engines

JSI Tip 4511. How do I interpret USERENV 1000 Events?


When you are having Group Policy application troubles, you may see an Event ID 1000, that looks like:

Event Type: Error 
Event Source: Userenv 
Event Category: None 
Event ID: 1000 
Date: date 
Time: time 
User: NT AUTHORITY\SYSTEM 
Computer: computer name 
Description: The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (1332).
The flags are decimal representations defined in the Userenv.h file. Windows 2000 does NOT use codes that are greater than 0x100, while Windows XP uses the full range. Here is an excerpt of the Userenv.h file: 
#define GPO_INFO_FLAG_MACHINE 0x00000001 // 
Apply machine policy rather than user policy 
#define GPO_INFO_FLAG_BACKGROUND 0x00000010 // 
Background refresh of policy (ok to do slow stuff) 
#define GPO_INFO_FLAG_SLOWLINK 0x00000020 // 
Policy is being applied across a slow link 
#define GPO_INFO_FLAG_VERBOSE 0x00000040 // 
Verbose output to the eventlog 
#define GPO_INFO_FLAG_NOCHANGES 0x00000080 // 
No changes were detected to the Group Policy Objects 
#define GPO_INFO_FLAG_LINKTRANSITION 0x00000100 // 
A change in link speed was detected between previous policy application and current policy application 
#define GPO_INFO_FLAG_LOGRSOP_TRANSITION 0x00000200 // 
A Change in Rsop Logging was detected between previous policy application and current policy application, (new intf only) 
#define GPO_INFO_FLAG_FORCED_REFRESH 0x00000400 // 
Forced Refresh is being applied. redo policies. 
#define GPO_INFO_FLAG_SAFEMODE_BOOT 0x00000800 // 
windows safe mode boot flag
If you convert the decimal representation of the flags value in the above sample event (17) to hexadecimal, you get 0x00000011. This means that both the GPO_INFO_FLAG_MACHINE (0x00000001) and the GPO_INFO_FLAG_BACKGROUND (0x00000010) flags are set.

You can also use the net helpmsg command to interpret the failure status code of (1332):

No mapping between account names and security IDs was done.

See tip 2059 » Security Policies Are Propagated with Warning. 0x534?

NOTE: See tip 7479 » A tool to interpret the Group Policy client-side extension Security flags.



Hide comments

More information about text formats

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish
Recommended Reading
empty cockpit of autonomous car
What Is a Real-Time Operating System, and Who Needs One?
Mar 05, 2024
ERP button on keyboard
5 ERP Trends to Watch in 2024
Jan 17, 2024
automation key on keyboard
Storage Management as a Case Study for Network Automation Adoption
Dec 21, 2023
Abstract technology concept lighting effect on dark blue background
Top 10 Stories About Compute Engines, Linux in 2023
Dec 18, 2023