Skip navigation

JSI Tip 4511. How do I interpret USERENV 1000 Events?

When you are having Group Policy application troubles, you may see an Event ID 1000, that looks like:

Event Type: Error 
Event Source: Userenv 
Event Category: None 
Event ID: 1000 
Date: date 
Time: time 
Computer: computer name 
Description: The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (1332).
The flags are decimal representations defined in the Userenv.h file. Windows 2000 does NOT use codes that are greater than 0x100, while Windows XP uses the full range. Here is an excerpt of the Userenv.h file:
#define GPO_INFO_FLAG_MACHINE 0x00000001 // 
Apply machine policy rather than user policy 
#define GPO_INFO_FLAG_BACKGROUND 0x00000010 // 
Background refresh of policy (ok to do slow stuff) 
#define GPO_INFO_FLAG_SLOWLINK 0x00000020 // 
Policy is being applied across a slow link 
#define GPO_INFO_FLAG_VERBOSE 0x00000040 // 
Verbose output to the eventlog 
#define GPO_INFO_FLAG_NOCHANGES 0x00000080 // 
No changes were detected to the Group Policy Objects 
#define GPO_INFO_FLAG_LINKTRANSITION 0x00000100 // 
A change in link speed was detected between previous policy application and current policy application 
A Change in Rsop Logging was detected between previous policy application and current policy application, (new intf only) 
#define GPO_INFO_FLAG_FORCED_REFRESH 0x00000400 // 
Forced Refresh is being applied. redo policies. 
#define GPO_INFO_FLAG_SAFEMODE_BOOT 0x00000800 // 
windows safe mode boot flag
If you convert the decimal representation of the flags value in the above sample event (17) to hexadecimal, you get 0x00000011. This means that both the GPO_INFO_FLAG_MACHINE (0x00000001) and the GPO_INFO_FLAG_BACKGROUND (0x00000010) flags are set.

You can also use the net helpmsg command to interpret the failure status code of (1332):

No mapping between account names and security IDs was done.

See tip 2059 » Security Policies Are Propagated with Warning. 0x534?

NOTE: See tip 7479 » A tool to interpret the Group Policy client-side extension Security flags.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.