Microsoft KB Archive/909260

= Events 1101 and 1030 are logged in the Application log when you join a computer to a Windows 2000 Server-based Active Directory domain =

Article ID: 909260

Article Last Modified on 11/1/2006

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows XP Professional
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server

-





SYMPTOMS
When you join a computer that is running Microsoft Windows XP Professional or Microsoft Windows Server 2003 to a Microsoft Windows 2000 Server-based Active Directory domain, the following Error event entries may appear in the Application log: Event ID: 1101

Category: None

Source: Userenv

Type: Error

Description: Windows cannot access the the object  in Active Directory. The access to the object may be denied. Group Policy processing aborted.

Event ID: 1030

Category: None

Source: Userenv

Type: Error

Description: Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

If you enable user environment debug logging, the following entries are logged: ProcessGPOs: User name is:  UserOrComputerDN, Domain name is:  DomainName ProcessGPOs: Domain controller is: \\DC FQDN Domain DN is DomainName ... EvaluateDeferredOUs: Object OUName cannot be accessed GetGPOInfo: EvaluateDeferredOUs failed. Exiting Note In these entries,  is the parent organizational unit (OU) of the user account or of a computer object.



CAUSE
This problem occurs because the Group Policy engine in Windows XP Professional and Windows Server 2003 does not have read permissions to the following attributes of the parent OUs:
 * gPLink
 * gPOptions

If the Group Policy engine does not have these permissions, the Group Policy engine cannot apply Group Policy settings.

In Microsoft Windows 2000 Server, the events that are described in the &quot;Symptoms&quot; section are not logged. However, the Group Policy engine in Windows 2000 Server also cannot apply Group Policy settings that are linked to the OU.

By default, access to all OUs is granted according to an access control entry in the default security descriptor. This security descriptor is part of the schema that enables the Authenticated Users group to read all the properties.



RESOLUTION
To resolve this problem, grant sufficient permissions to access the parent OUs to all the user accounts and to all the computers that apply Group Policy settings through the OUs.



MORE INFORMATION
For more information about how to enable user environment debug logging, click the following article number to view the article in the Microsoft Knowledge Base:

221833 How to enable user environment debug logging in retail builds of Windows

Keywords: kbeventlog kbprb kbtshoot KB909260

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.