How to interpret USERENV 1000 events (312164)


The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows XP Professional
This article was previously published under Q312164

SUMMARY

This article describes how to interpret USERENV 1000 events.

MORE INFORMATION

The following message is a typical event message you may find in the Event log when you are experiencing Group Policy application problems:
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: date
Time: time
User: NT AUTHORITY\SYSTEM
Computer: computer name

Description: The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (1332).
The flags that are passed are a decimal representation of flags that are defined in the Userenv.h file (an excerpt of this file follows). Note that Windows 2000-based computers do not use codes that are greater than 0x100, while Windows XP-based computers use the entire range.

Excerpt of the Userenv.h File

#define GPO_INFO_FLAG_MACHINE 0x00000001 //
Apply machine policy rather than user policy
#define GPO_INFO_FLAG_BACKGROUND 0x00000010 //
Background refresh of policy (ok to do slow stuff)
#define GPO_INFO_FLAG_SLOWLINK 0x00000020 //
Policy is being applied across a slow link
#define GPO_INFO_FLAG_VERBOSE 0x00000040 //
Verbose output to the eventlog
#define GPO_INFO_FLAG_NOCHANGES 0x00000080 //
No changes were detected to the Group Policy Objects
#define GPO_INFO_FLAG_LINKTRANSITION 0x00000100 //
A change in link speed was detected between previous policy application and current policy application
#define GPO_INFO_FLAG_LOGRSOP_TRANSITION 0x00000200 //
A Change in Rsop Logging was detected between previous policy application and current policy application, (new intf only)
#define GPO_INFO_FLAG_FORCED_REFRESH 0x00000400 //
Forced Refresh is being applied. redo policies.
#define GPO_INFO_FLAG_SAFEMODE_BOOT 0x00000800 //
windows safe mode boot flag

If you convert the decimal representation of the flags value that is specified in the event message (17) to hexadecimal, you get 0x00000011. This tells you that both the GPO_INFO_FLAG_MACHINE and GPO_INFO_FLAG_BACKGROUND flags are set.

The failure status code in the event is a Win32 error code. You can translate the error message to a more readable message by using the net helpmsg command. For example, if you type net helpmsg 1332 at a command prompt and then press ENTER, you receive a "No mapping between account names and security IDs was done" message. This error is caused (in this case) by a policy that is assigning a user right to an SID for a deleted user.
Modification Type:MajorLast Reviewed:1/18/2005
Keywords:kbenv kberrmsg kbGRPPOLICYinfo kbinfo KB312164
©2004 Microsoft Corporation. All rights reserved.