Events 1101 and 1030 are logged in the Application log when you join a computer to a Windows 2000 Server-based Active Directory domain (909260)



The information in this article applies to:

  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server

SYMPTOMS

When you join a computer that is running Microsoft Windows XP Professional or Microsoft Windows Server 2003 to a Microsoft Windows 2000 Server-based Active Directory domain, the following Error event entries may appear in the Application log:

Event ID: 1101
Category: None
Source: Userenv
Type: Error
Description: Windows cannot access the object <OU name> in Active Directory. The access to the object may be denied. Group Policy processing aborted.

Event ID: 1030
Category: None
Source: Userenv
Type: Error
Description: Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

If you enable user environment debug logging, the following entries are logged:

ProcessGPOs:  User name is:  UserOrComputerDN, Domain name is:  DomainName
ProcessGPOs: Domain controller is:  \\DC FQDN Domain DN is DomainName
...
EvaluateDeferredOUs: Object OUName cannot be accessed
GetGPOInfo:  EvaluateDeferredOUs failed. Exiting

Note: In these entries, OUName is the parent organizational unit (OU) of the user account or of a computer object.

CAUSE

This problem occurs because the Group Policy engine in Windows XP Professional and Windows Server 2003 does not have read permissions to the following attributes of the parent OUs:
  • gPLink
  • gPOptions
If the Group Policy engine does not have these permissions, the Group Policy engine cannot apply Group Policy settings.

In Microsoft Windows 2000 Server, the events that are described in the "Symptoms" section are not logged. However, the Group Policy engine in Windows 2000 Server also cannot apply Group Policy settings that are linked to the OU.

By default, access to all OUs is granted by an access control entry in the default security descriptor. This security descriptor is part of the schema, and it enables the Authenticated Users group to read all the properties.

RESOLUTION

To resolve this problem, grant sufficient permissions to access the parent OUs to all the user accounts and to all the computers that apply Group Policy settings through the OUs.
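The following triage script is an added example, not part of the original article or any Microsoft tool. It reads user environment debug log lines in the layout shown under "Symptoms" and lists, for each failure, the parent OUs whose gPLink and gPOptions read permissions should be reviewed. The function names, the sample values, and the assumption that the log writes objects as distinguished names are hypothetical.

```python
import re

# Constructed sample in the line layout the article shows; all values are made up.
SAMPLE_LOG = r"""
ProcessGPOs:  User name is:  CN=WKS01,OU=Kiosks,OU=Branch\, East,DC=example,DC=test, Domain name is:  EXAMPLE
ProcessGPOs: Domain controller is:  \\dc1.example.test Domain DN is example.test
EvaluateDeferredOUs: Object OU=Kiosks,OU=Branch\, East,DC=example,DC=test cannot be accessed
GetGPOInfo:  EvaluateDeferredOUs failed. Exiting
"""

USER_RE = re.compile(r"ProcessGPOs:\s+User name is:\s+(.+), Domain name is:\s+(\S+)")
DC_RE = re.compile(r"ProcessGPOs:\s+Domain controller is:\s+(\S+)")
DENIED_RE = re.compile(r"EvaluateDeferredOUs:\s+Object (.+) cannot be accessed")


def parent_ous(dn):
    """Return every OU above an object, nearest first, given its DN."""
    # Split on commas that are not escaped with a backslash (e.g. "Branch\, East").
    parts = re.split(r"(?<!\\),", dn)
    return [",".join(parts[i:]) for i in range(1, len(parts))
            if parts[i].strip().upper().startswith("OU=")]


def find_gpo_access_failures(log_text):
    """Pair each 'cannot be accessed' line with the ProcessGPOs context before it."""
    failures, principal, domain, dc = [], None, None, None
    for line in log_text.splitlines():
        if m := USER_RE.search(line):
            # A new ProcessGPOs pass starts; forget the previous pass's DC.
            principal, domain, dc = m.group(1), m.group(2), None
        elif m := DC_RE.search(line):
            dc = m.group(1)
        elif m := DENIED_RE.search(line):
            failures.append({
                "principal": principal,
                "domain": domain,
                "domain_controller": dc,
                "blocked_object": m.group(1),
                # Each of these OUs must be readable (gPLink, gPOptions) by the principal.
                "ous_to_review": parent_ous(principal) if principal else [],
            })
    return failures


if __name__ == "__main__":
    for failure in find_gpo_access_failures(SAMPLE_LOG):
        print(failure["principal"], "->", failure["blocked_object"])
        for ou in failure["ous_to_review"]:
            print("  review read access to gPLink/gPOptions on:", ou)
```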

MORE INFORMATION

For more information about how to enable user environment debug logging, click the following article number to view the article in the Microsoft Knowledge Base:

221833 How to enable user environment debug logging in retail builds of Windows


Modification Type: Major
Last Reviewed: 10/17/2005
Keywords: kbEventLog kbprb kbtshoot KB909260 kbAudITPRO