Microsoft KB Archive/290647

= Event ID 1000, 1001 is logged every five minutes in the Application event log =

Article ID: 290647

Article Last Modified on 11/1/2006


APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server




This article was previously published under Q290647



SYMPTOMS
Group Policy settings are not replicated between domain controllers. Therefore, users do not receive Group Policy settings for computers. The following events appear in the Application log in Microsoft Windows Server 2003:

Event Type: Error

Event Source: Userenv

Event Category: None

Event ID: 1058

Description: Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domainname,DC=com. The file must be present at the location <\\domainname.com\sysvol\domainname.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Error_Message). Group Policy processing aborted. For more information, see Help and Support Center at http://support.microsoft.com.

Event Type: Error

Event Source: Userenv

Event Category: None

Event ID: 1030

Description: Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine. For more information, see Help and Support Center at http://support.microsoft.com.

Additionally, the following events may appear in the Application log every five minutes in Microsoft Windows 2000 Server:

Event Type: Error

Event ID: 1000

Source: Userenv

Category: None

User: NT AUTHORITY\SYSTEM

Description: Windows cannot access the registry information at \\ \sysvol\ \Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol with (5).

Event Type: Error

Event ID: 1001

Source: SceCli

Category: None

User: N/A

Description: Security policy cannot be propagated. Cannot access the template. Error code =3. \\ \sysvol\ \Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.

Event Type: Error

Event ID: 1000

Source: Userenv

Category: None

User: NT AUTHORITY\SYSTEM

Description: The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (3).



CAUSE
This issue may occur if you assign incorrect permissions to the %SystemRoot%\Winnt\Sysvol folder or if you assign incorrect groups to Bypass Traverse Checking User Rights Assignment. Additionally, this issue may occur if the sysvol share permissions are too restrictive.



RESOLUTION
To resolve this issue, use one of the following methods, depending on your operating system:

Windows Server 2003
 * 1) Set the folder security permissions. To do this, follow these steps:
 ** a) In Windows Explorer, right-click the %SystemRoot%\Windows\Sysvol folder, and then click Properties.
 ** b) On the Security tab, click Advanced, click to clear the Allow inheritable permissions from parent to propagate to this object check box, and then click OK. Make sure that the security settings match the following settings, and then click OK:
 *** Administrators: Full Control
 *** Authenticated Users: Read, Read & Execute, and List Folder Contents
 *** Creator Owner: Nothing selected
 *** Server Operators: Read, Read & Execute, and List Folder Contents
 *** System: Full Control
 ** c) Right-click the %SystemRoot%\Windows\Sysvol\Sysvol folder, and then click Properties.
 ** d) On the Security tab, click Advanced, click to clear the Allow inheritable permissions from parent to propagate to this object check box, and then click OK two times.
 ** e) Right-click the %SystemRoot%\Winnt\Sysvol\Sysvol\  folder, and then click Properties.
 ** f) On the Security tab, click Advanced, click to clear the Allow inheritable permissions from parent to propagate to this object check box, and then click OK two times.
 ** g) Right-click the %SystemRoot%\Winnt\Sysvol\Sysvol\ \Policies folder, and then click Properties.
 ** h) On the Security tab, click Advanced, click to clear the Allow inheritable permissions from parent to propagate to this object check box, and then click OK. Make sure that the security settings match the following settings, and then click OK:
 *** Administrators: Full Control
 *** Authenticated Users: Read, Read & Execute, and List Folder Contents
 *** Creator Owner: Nothing selected
 *** Group Policy Creator Owners: Read, Read & Execute, List Folder Contents, Modify, and Write
 *** Server Operators: Read, Read & Execute, and List Folder Contents
 *** System: Full Control
 ** i) For each file or folder that is located in the %SystemRoot%\Winnt\Sysvol\Sysvol\ \Policies folder, right-click the file or folder, and then click Properties.
 ** j) On the Security tab, click Advanced, click to select the Allow inheritable permissions from parent to propagate to this object check box, and then click OK two times.
 * 2) Open Active Directory Users and Computers. To do this, click Start, click All Programs, and then click Administrative Tools.
 * 3) Expand Active Directory Users and Computers, expand the domain name, right-click Domain Controllers, and then click Properties.
 * 4) On the Group Policy tab, click Default Domain Controllers Policy, and then click Edit.
 ** Note The Edit button is not available if the Group Policy Management Console is installed. In this scenario, click Open to start the Group Policy Management Console, expand  , expand Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.
 ** For additional information about the Group Policy Management Console, visit the following Microsoft Web site: http://www.microsoft.com/windowsserver2003/gpmc/default.mspx
 * 5) Expand the following folders:
 ** Computer Configuration
 ** Windows Settings
 ** Security Settings
 ** Local Policies
 * 6) Click User Rights Assignment, and then double-click Bypass traverse checking. The following default settings should be present:
 ** Authenticated Users
 ** Everyone
 ** Administrators
 ** To add these groups if they are not present, click Add User or Group, and then click Browse.
 * 7) Click Start, click Run, type gpupdate, and then click OK.
 * 8) Verify that the sysvol share permissions are set correctly, as follows:
 ** Administrators = Full Control
 ** Authenticated Users = Full Control
 ** Everyone = Read

Note If this procedure does not resolve the issue, or if you have problems accessing the Global Policy, examine the binding order on the server to make sure the internal network adaptor is first in the binding order list. To examine the binding order, follow these steps:
 * 1) Right-click My Network Places, and then click Properties.
 * 2) On the Advanced menu, click Advanced Settings.
 * 3) In the Connections box, make sure that the internal network adaptor is listed first. If it is not, use the arrows to move it to the top of the list.

Windows 2000 Server
 * 1) Set the folder security permissions. To do this, follow these steps:
 ** a) In Windows Explorer, right-click the %SystemRoot%\Winnt\Sysvol folder, and then click Properties.
 ** b) On the Security tab, clear the Allow inheritable permissions from parent to propagate to this object check box, and then make sure that the security settings match the following:
 *** Administrators: Full Control
 *** Authenticated Users: Read, Read & Execute, and List Folder Contents
 *** Creator Owner: Nothing selected
 *** Server Operators: Read, Read & Execute, and List Folder Contents
 *** System: Full Control
 ** c) Click OK.
 ** d) Right-click the %SystemRoot%\Winnt\Sysvol\Sysvol folder, and then click Properties.
 ** e) On the Security tab, select the Allow inheritable permissions from parent to propagate to this object check box, and then click OK.
 ** f) Right-click the %SystemRoot%\Winnt\Sysvol\Sysvol\ : folder, and then click Properties.
 ** g) On the Security tab, select the Allow inheritable permissions from parent to propagate to this object check box, and then click OK.
 ** h) Right-click the %SystemRoot%\Winnt\Sysvol\Sysvol\ \Policies folder, and then click Properties.
 ** i) On the Security tab, clear the Allow inheritable permissions from parent to propagate to this object check box, and then make sure that the security settings match the following:
 *** Administrators: Full Control
 *** Authenticated Users: Read, Read & Execute, and List Folder Contents
 *** Creator Owner: Nothing selected
 *** Group Policy Creator Owners: Read, Read & Execute, List Folder Contents, Modify, and Write
 *** Server Operators: Read, Read & Execute, and List Folder Contents
 *** System: Full Control
 ** j) Click OK.
 ** k) For each file or folder that is located in the %SystemRoot%\Winnt\Sysvol\Sysvol\ \Policies folder, right-click the file or folder, and then click Properties. On the Security tab, select the Allow inheritable permissions from parent to propagate to this object check box, and then click OK.
 * 2) Open Active Directory Users and Computers: Click Start, click Programs, and then click Administrative Tools.
 * 3) Expand Active Directory Users and Computers, and then expand the domain name.
 * 4) Right-click Domain Controllers, and then click Properties.
 * 5) On the Group Policy tab, click Default Domain Controllers Policy, and then click Edit.
 * 6) Expand the folders:
 ** Computer Configuration
 ** Windows Settings
 ** Security Settings
 ** Local Policies
 * 7) Click User Rights Assignment, and then double-click Bypass traverse checking. The following default settings should be present:
 ** Authenticated Users
 ** Everyone
 ** Administrators
 ** To add these groups if they are not present, click Add, and then click Browse.
 * 8) At a command prompt, type:
 ** secedit /refreshpolicy machine_policy /enforce
 * 9) Verify that the sysvol share permissions are set correctly, as follows:
 ** Administrators = FC
 ** Authenticated Users = FC
 ** Everyone = Read

NOTE: If this procedure does not resolve the issue, or you have problems accessing the Global Policy, check the Bindings on the server to make sure the internal network adapter is first in the binding order list. To check the binding order, follow these steps:
 * 1) Right-click My Network Places, and then click Properties.
 * 2) Click the Advanced Menu, and then click Advanced Settings.
 * 3) Under Connections, make sure the internal network adapter is listed first. If it is not, use the arrows to move it to the top of the list.
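
Added example (not part of the original Microsoft article): a PowerShell check of one folder against the NTFS baseline that both procedures above list for the Sysvol folder. The function names, the `-Expected` parameter and the path you pass are assumptions of this example; it treats every Allow entry as applying to the folder itself, whatever its inheritance flags.

```powershell
# Added example: audit one Sysvol folder against the NTFS baseline listed in this article.
# Well-known SIDs are used instead of group names so the check works on any OS language.
$FSR = [System.Security.AccessControl.FileSystemRights]
$Baseline = @{
    'S-1-5-32-544' = $FSR::FullControl     # Administrators
    'S-1-5-11'     = $FSR::ReadAndExecute  # Authenticated Users (Read, Read & Execute, List)
    'S-1-5-32-549' = $FSR::ReadAndExecute  # Server Operators
    'S-1-5-18'     = $FSR::FullControl     # System
}
# Generic access bits (seen on inherit-only ACEs) and the file rights they stand for.
$GenericMap = @(
    @(2147483648, 0x120089),  # GENERIC_READ    -> FILE_GENERIC_READ
    @(1073741824, 0x120116),  # GENERIC_WRITE   -> FILE_GENERIC_WRITE
    @(536870912,  0x1200A0),  # GENERIC_EXECUTE -> FILE_GENERIC_EXECUTE
    @(268435456,  0x1F01FF)   # GENERIC_ALL     -> FILE_ALL_ACCESS
)
function Expand-GenericRights([int64]$Bits) {
    foreach ($pair in $GenericMap) {
        if ($Bits -band $pair[0]) { $Bits = ($Bits -bxor $pair[0]) -bor $pair[1] }
    }
    $Bits
}
function Test-SysvolAcl {
    param([Parameter(Mandatory)][string]$Path, [hashtable]$Expected = $Baseline)
    $acl = Get-Acl -LiteralPath $Path
    $findings = @()
    # The article clears "Allow inheritable permissions from parent" on this folder.
    if (-not $acl.AreAccessRulesProtected) { $findings += 'Inheritance from the parent is not blocked' }
    $granted = @{}
    foreach ($r in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        $sid = $r.IdentityReference.Value
        if ($r.AccessControlType -ne 'Allow') { $findings += "Deny entry present for $sid"; continue }
        $bits = Expand-GenericRights ([int64][int]$r.FileSystemRights -band 4294967295)
        $granted[$sid] = [int64]$granted[$sid] -bor $bits   # union of all Allow entries
    }
    foreach ($sid in $Expected.Keys) {
        $want = [int64][int]$Expected[$sid]
        $have = [int64]$granted[$sid]
        if (($have -band $want) -ne $want) { $findings += "$sid lacks rights required by the baseline" }
        $extra = $have -band (-bnot ($want -bor 0x100000))   # ignore Synchronize
        if ($extra) { $findings += "$sid holds extra rights: $([int]$extra -as $FSR)" }
    }
    foreach ($sid in $granted.Keys) {
        # CREATOR OWNER (S-1-3-0) is listed as "Nothing selected" and is not evaluated here.
        if (-not $Expected.ContainsKey($sid) -and $sid -ne 'S-1-3-0') { $findings += "Unlisted principal: $sid" }
    }
    $findings   # empty output means the folder matches the baseline
}
# Usage (hypothetical path): Test-SysvolAcl -Path 'C:\path\to\Sysvol'
```

For the Policies folder, pass an `-Expected` table that also maps the domain's Group Policy Creator Owners SID (the domain SID followed by `-520`) to `Modify`, matching the second permission list in the procedures.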


MORE INFORMATION
For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:

271213 Event ID 1000 and 1001 Repeat Every 5 Minutes in the Event Log

259398 SceCli Event ID 1001 and UserEnv Event ID 1000 When Dfs Client Is Disabled

285923 Error Messages Every 5 Minutes Report Events 1000, 1001, and 13508, Citing Replication Trouble

258296 Unbinding File and Printer Sharing from Primary Network Adapter in Multihomed Domain Controller Causes Policy Problems on the Domain Controller

Additional query words: GPO 1000 1001 1058 1030 permissions sysvol

Keywords: kberrmsg kbprb KB290647
