USERENV error - Group Policy

  #1  
Old 06-12-2006
Nadia
 
USERENV error - Group Policy

I'm getting the following error on two of my domain member servers (both win2k3sp1):

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1058
Date: 6.12.2006
Time: 9:01:57
User: NT AUTHORITY\SYSTEM
Computer: RIVER03
Description:
Windows cannot access the file gpt.ini for GPO
CN={33B07064-3C8C-4337-BD6A-3425D3FB0B18},CN=Policies,CN=System,DC=river,DC=local.
The file must be present at the location
<\\river.local\SysVol\river.local\Policies\{33B07064-3C8C-4337-BD6A-3425D3FB0B18}\gpt.ini>. (Access is denied. ). Group Policy processing aborted.

I've checked numerous settings as follows:

- that the folder is actually accessible, and the file actually exists
- registry settings on these client machines pertaining to SMB signing:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
enablesecuritysignature 1
requiresecuritysignature 0
- SMB signing group policy at
Computer Configuration/Windows Settings/Security Settings/Local
Policies/Security Options
- DNS settings
- Permissions on the SYSVOL share
- NetBIOS helper service


Everything appears to be in order, but I'm still getting the USERENV error
either every 1.5 hours or so, or when I force a GP update.

Please help!


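Added example (not part of the original post, and not code from any poster): a Python parser that splits the Userenv 1058 description above into the GPO DN, the gpt.ini UNC path and the Win32 reason, checks that DN and path agree, and evaluates SMB1 signing negotiation for registry values like the ones listed. When a member server reads SYSVOL it is the SMB client, so its LanmanWorkstation values are negotiated against the domain controller's LanmanServer values; the function names and the DC-side values used here are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the event description from the post, line breaks kept.
SAMPLE_1058 = r"""Windows cannot access the file gpt.ini for GPO

CN={33B07064-3C8C-4337-BD6A-3425D3FB0B18},CN=Policies,CN=System,DC=river,DC=local.
The file must be present at the location
<\\river.local\SysVol\river.local\Policies\{33B07064-3C8C-4337-BD6A-3425D3FB0B18}\gpt.ini>. (Access is denied. ). Group Policy processing aborted."""

EVENT_RE = re.compile(
    r"for GPO\s+(?P<dn>CN=.+?)\.\s+The file must be present at the location\s+"
    r"<(?P<unc>[^>]+)>\.\s*\((?P<reason>[^)]*)\)",
    re.DOTALL,
)
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Gpo1058:
    dn: str
    unc: str
    reason: str
    guid: str
    domain: str
    problems: list = field(default_factory=list)


def parse_1058(description: str) -> Gpo1058:
    """Split a Userenv 1058 description into GPO DN, gpt.ini path and reason."""
    m = EVENT_RE.search(description)
    if m is None:
        raise ValueError("not a Userenv 1058 gpt.ini description")
    dn, unc = m["dn"].strip(), m["unc"].strip()
    reason = m["reason"].strip().rstrip(".").strip()

    # The DN's first RDN carries the GPO GUID; its DC= parts give the DNS domain.
    rdns = [rdn.split("=", 1) for rdn in dn.split(",") if "=" in rdn]
    domain = ".".join(v for k, v in rdns if k.strip().upper() == "DC").lower()
    guid_match = GUID_RE.search(rdns[0][1])
    guid = guid_match.group(0).upper() if guid_match else ""
    ev = Gpo1058(dn, unc, reason, guid, domain)

    # Expected layout: \\<domain>\SysVol\<domain>\Policies\{GUID}\gpt.ini
    parts = unc.lstrip("\\").split("\\")
    if len(parts) != 6 or parts[1].lower() != "sysvol" or parts[3].lower() != "policies":
        ev.problems.append("UNC path is not a SYSVOL policy path")
        return ev
    if parts[0].lower() != domain or parts[2].lower() != domain:
        ev.problems.append("UNC host/domain folder differs from the DC= parts of the DN")
    if parts[4].upper() != guid:
        ev.problems.append("GUID in the path differs from the GUID in the DN")
    return ev


def smb1_signing_outcome(client_enable, client_require, server_enable, server_require):
    """SMB1 signing negotiation result: 'fail', 'signed' or 'unsigned'.

    client_* : EnableSecuritySignature / RequireSecuritySignature under
               LanmanWorkstation\\Parameters on the machine opening the share.
    server_* : the same two values under LanmanServer\\Parameters on the
               machine hosting the share (for SYSVOL, the domain controller).
    """
    client_on = bool(client_enable or client_require)
    server_on = bool(server_enable or server_require)
    # A side that requires signing refuses a peer that has it switched off.
    if (client_require and not server_on) or (server_require and not client_on):
        return "fail"
    return "signed" if client_on and server_on else "unsigned"


def triage(description, member_workstation, dc_server):
    """Parse the event and evaluate signing for member (client) vs DC (server)."""
    return parse_1058(description), smb1_signing_outcome(*member_workstation, *dc_server)


if __name__ == "__main__":
    # Assumed values: member LanmanWorkstation enable=1/require=0,
    # DC LanmanServer enable=1/require=1 (constructed for the example).
    event, signing = triage(SAMPLE_1058, (1, 0), (1, 1))
    print(event.guid, event.domain, event.reason, event.problems, signing)
```

The `enablesecuritysignature`/`requiresecuritysignature` pair quoted in the post sits under `lanmanserver`, which only governs connections made to the member server itself; the pair that decides whether it can open `\\river.local\SysVol` is the one under its LanmanWorkstation key.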
  #2  
Old 06-12-2006
Nadia
 
RE: USERENV error - Group Policy

I forgot to mention... this problem first appeared a few days back when the
machines in question had problems with the NetBIOS helper service. The
recommended fix for this was to remove Client for Microsoft Networks, and
re-install it. This had the obvious knock-on effect of messing up the domain
security for the machines, so they were removed from the domain and re-added.

  #3  
Old 06-12-2006
David
 
RE: USERENV error - Group Policy

Hello Nadia,

Have you tried basically with:
Netlogon and DFS services are started and
Domain controllers have the read and apply rights to the Domain Controllers
Policy.

Otherwise, if the DC has two NICs, have you checked the bindings (opening
Network Connections and going to Advanced -> Advanced Settings) and executed
the gpupdate /force command?


--
Good luck!!

David Martinez
MCSE, MCSA 2003, 2000



  #4  
Old 07-12-2006
Jorge Silva
 
Re: USERENV error - Group Policy

Hi
If Domain Controller
*Make sure that the following components are started:
-Netlogon and DFS services are started.
-Domain controllers have the read and apply rights to the Domain Controllers
Policy.
-NTFS file system permissions and share permissions are set correctly on the
Sysvol share.
Event ID 1000, 1001 is logged every five minutes in the Application event
log
http://support.microsoft.com/Default.aspx?id=290647
-DNS entries are correct for the domain controllers
-From cmd, type dfsutil /PurgeMupCache, and then press ENTER.
Make sure that you have the latest Service Pack installed.
http://support.microsoft.com/kb/889100/
Also take a look at the registry change (WaitForNetwork) as described here:
Group Policy processing does not work and events 1030 and 1058 are logged in
the Application log of a domain controller
http://support.microsoft.com/kb/842804/en-us
In some situations a warning is also logged in Event Viewer:
Event ID: 3019
Source: MRxSmb
Description: The redirector failed to determine the connection type.
Error message: "The redirector failed to determine the connection type"
http://support.microsoft.com/kb/315244/en-us
-------------------------------------------------
If the clients are Windows 2003, XP, 2000:
Applying Group Policy causes Userenv errors and events to occur on your
computers that are running Windows Server 2003, Windows XP, or Windows 2000
http://support.microsoft.com/kb/887303
Group policies are not applied the way you expect; "Event ID 1058" and
"Event ID 1030" errors in the application log
http://support.microsoft.com/kb/314494/en-us
-------------------------------------------------
SBS - Small Business Server 2003 computer:
http://support.microsoft.com/kb/888943/en-us
--
*************************************************
I hope that the information above helps you
Good Luck

Jorge Silva

MCSA + Exchange + MSCE
*************************************************

  #5  
Old 07-12-2006
Nadia
 
RE: USERENV error - Group Policy

Thank you for your reply David,

Yes, checked those already... Netlogon and DFS services were started, Domain
controllers already have read/apply on the Default Domain Controller policy
and on other policies.

Interestingly, I've moved the affected server into a different container,
with no AD policies attached. I don't get the error. As soon as I add a
policy to this container and do a gpupdate, I get the error on the server.
None of my other servers are affected with this problem.



  #6  
Old 07-12-2006
Nadia
 
Re: USERENV error - Group Policy

Thanks for your reply Jorge,
-Netlogon and DFS were already started
-Domain controllers have read/apply on DC policy (this policy includes the
correct bypass traverse settings)
-SYSVOL share/NTFS permissions are set correctly (inc. special permissions
and subfolders)
-EventID 1000/1001 is not logged in the App Log.
-DNS records for Domain Controllers are correct
-dfsutil /purgemupcache performed several times with no effect.
-latest SP & latest updates installed.
-I added the WaitForNetwork setting to the registry with no effect
-I've also examined the SMB signing settings, added the registry settings
with no effect.

I've also confirmed it isn't a problem with the policy itself, I've created
new policies all with the same result.

Anything else I should have looked at?


  #7  
Old 07-12-2006
Jorge Silva
 
Re: USERENV error - Group Policy

Check DNS
-Make sure that each DNS server points to itself under NIC preferred DNS. If
the Server IP-Address is 192.168.0.1 then the preferred DNS should also be
192.168.0.1.
- Clients: Make sure that the clients only use their local available DNS
server(s) on their NIC DNS configuration. Do not place the ISP DNS server or
any other DNS on the client or DNS Server NIC properties, this is a common
mistake. The clients should use their local DNS server to resolve all
queries. It’s up to the local DNS server to handle the Internet resolution
as any other Zone that the DNS is not authoritative for.

also have a look at this one
http://support.microsoft.com/kb/839499
--
*************************************************
I hope that the information above helps you
Good Luck

Jorge Silva

MCSA + Exchange + MSCE
*************************************************

  #8  
Old 07-12-2006
AJ
 
Re: USERENV error - Group Policy

Hi,

This can be anything starting from DNS configuration. I hope you have
already checked it. Try this on the command prompt of the affected
server

DFSUTIL /PURGEMUPCACHE

Then run gpupdate /force to see if you get a 1704

~Cheers,

Ajay Sarkaria

  #9  
Old 07-12-2006
AJ
 
Re: USERENV error - Group Policy

Oops, I think you have already tried that. Could you run a netdiag /v &
paste it here?

~Cheers,

Ajay Sarkaria

  #10  
Old 07-12-2006
Nadia
 
Re: USERENV error - Group Policy

Thx AJ,

Certainly... it's 90k chars though, so instead of posting it here in 4
pieces, you can view it at http://www.netcom.hr/chris/netdiag.txt

Nadia


"AJ" wrote:

> oops, i think you have already tried that.. Could u run a netdiag /v &
> pasteit here ?
>
> ~Cheers,
>
> Ajay Sarkaria
>
> AJ wrote:
> > Hi,
> >
> > This can be anything starting from DNS configuration. I hope you have
> > already checked it. Try this on the command prompt of the affected
> > server
> >
> > DFSUTIL /PURGEMUPCACHE
> >
> > Then run gpupdate /force to see if you get a 1704
> >
> > ~Cheers,
> >
> > Ajay Sarkaria
> >
> > Nadia wrote:
> > > Thanks for your reply Jorge,
> > > -Netlogon and DFS were already started
> > > -Domain controllers have read/apply on DC policy (this policy includes the
> > > correct bypass traverse settings)
> > > -SYSVOL share/NTFS permissions are set correctly (inc. special permissions
> > > and subfolders)
> > > -EventID 1000/1001 is not logged in the App Log.
> > > -DNS records for Domain Controllers are correct
> > > -dfsutil /purgemupcache performed several times with no effect.
> > > -latest SP & latest updates installed.
> > > -I added the WaitForNetwork setting to the registry with no effect
> > > -I've also examined the SMB signing settings, added the registry settings
> > > with no effect.
> > >
> > > I've also confirmed it isn't a problem with the policy itself, I've created
> > > new policies all with the same result.
> > >
> > > Anything else I should have looked at?
> > >
> > >
> > > "Jorge Silva" wrote:
> > >
> > > > Hi
> > > > If Domain Controller
> > > > *Make sure that the following components are started:
> > > > -Netlogon and DFS services are started.
> > > > -Domain controllers have the read and apply rights to the Domain Controllers
> > > > Policy.
> > > > -NTFS file system permissions and share permissions are set correctly on the
> > > > Sysvol share.
> > > > Event ID 1000, 1001 is logged every five minutes in the Application event
> > > > log
> > > > http://support.microsoft.com/Default.aspx?id=290647
> > > > -DNS entries are correct for the domain controllers
> > > > -From cmd, type dfsutil /PurgeMupCache, and then press ENTER.
> > > > Make sure that you've the latest Service Pack Installed.
> > > > http://support.microsoft.com/kb/889100/
> > > > Also take a look at Registry Change (WaitForNetwork) as described here
> > > > Group Policy processing does not work and events 1030 and 1058 are logged in
> > > > the Application log of a domain controller
> > > > http://support.microsoft.com/kb/842804/en-us
> > > > In some situations a warning is also logged in Event Viewer:
> > > > Event ID: 3019
> > > > Source: MRxSmb
> > > > Description: The redirector failed to determine the connection type.
> > > > Error message: "The redirector failed to determine the connection type"
> > > > http://support.microsoft.com/kb/315244/en-us
> > > > -------------------------------------------------
> > > > If Clients Windows 2003,Xp,2000:
> > > > Applying Group Policy causes Userenv errors and events to occur on your
> > > > computers that are running Windows Server 2003, Windows XP, or Windows 2000
> > > > http://support.microsoft.com/kb/887303
> > > > Group policies are not applied the way you expect; "Event ID 1058" and
> > > > "Event ID 1030" errors in the application log
> > > > http://support.microsoft.com/kb/314494/en-us
> > > > -------------------------------------------------
> > > > SBS Small Business Server 2003 computer
> > > > http://support.microsoft.com/kb/888943/en-us
> > > > --
> > > > *************************************************
> > > > I hope that the information above helps you
> > > > Good Luck
> > > >
> > > > Jorge Silva
> > > >
> > > > MCSA + Exchange + MSCE
> > > > *************************************************
> > > >
> > > > "Nadia" <Nadia@discussions.microsoft.com> wrote in message
> > > > news:DE0EFD98-6D0F-47EF-8E90-3485D11ECC7D@microsoft.com...
> > > > > I'm getting the following error on two of my domain member
> > > > >
> > > > > servers (both win2k3sp1):
> > > > >
> > > > > Event Type: Error
> > > > > Event Source: Userenv
> > > > > Event Category: None
> > > > > Event ID: 1058
> > > > > Date: 6.12.2006
> > > > > Time: 9:01:57
> > > > > User: NT AUTHORITY\SYSTEM
> > > > > Computer: RIVER03
> > > > > Description:
> > > > > Windows cannot access the file gpt.ini for GPO
> > > > >
> > > > > CN={33B07064-3C8C-4337-BD6A-3425D3FB0B18},CN=Policies,CN=System,DC=river,DC=local.
> > > > > The file must be present at the location
> > > > > <\\river.local\SysVol\river.local\Policies\{33B07064-3C8C-4337-BD6A-3425D3FB0B18}\gpt.ini>.
> > > > > (Access is denied. ). Group Policy processing aborted.
> > > > >
> > > > > I've checked numerous settings as follows:
> > > > >
> > > > > - that the folder is actually accessible, and the file actually exists
> > > > > - registry settings on these client machines pertaining to SMB signing:
> > > > > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
> > > > > enablesecuritysignature 1
> > > > > requiresecuritysignature 0
> > > > > - SMB signing group policy at
> > > > > Computer Configuration/Windows Settings/Security Settings/Local
> > > > > Policies/Security Options
> > > > > - DNS settings
> > > > > - Permissions on the SYSVOL share
> > > > > - NetBIOS helper service
> > > > >
> > > > >
> > > > > Everything appears to be in order, but I'm still getting the USERENV error
> > > > > either every 1.5 hours or so, or when I force a GP update.
> > > > >
> > > > > Please help!
> > > > >
> > > > >
> > > >
> > > >

>
>

  #11  
Old 07-12-2006
Nadia
 
Posts: n/a
Re: USERENV error - Group Policy

SORTED!

In a further attempt to narrow down the location of the problem, I gave
Everyone/Full Control to the SYSVOL\domain\policies\{guid} folder and to the
policy object in AD (followed by a GP /force on both machines).

Of course this worked, so then I removed the Everyone/Full Control from the
folder and GPO, returning the security to normal settings, did another GP
/force on both machines and it still works. Certificate auto enrollment seems
to have kicked off on the offending machine too.

I hope this stays fixed! If anyone has an explanation of this, I'd be
interested, otherwise thanks for the help.

Nadia :)
  #12  
Old 07-12-2006
Nadia
 
Posts: n/a
Re: USERENV error - Group Policy

Err... No it isn't.

The problem has returned. Although I'm now sure that the problem lies in the
permissions of either the GPO or the SYSVOL\domain\policies\{guid} folder. Or
both.

However, as per instructions, I've set these permissions correctly. I can't
leave this as everyone/full control, so what to do?
  #13  
Old 08-12-2006
Nadia
 
Posts: n/a
RE: USERENV error - Group Policy

Ok, finally got it.

The offending server is a multihomed machine, and although the preferred DNS
server entries were set on 3 of the NICs, one was set incorrectly (I must
have missed that first time round). They've now all been set correctly to
local DNS servers, and everything works fine with the correct permissions.

I'm assuming this requirement for local DNS servers rather than external
(internet) DNS servers is so that required services (for example Kerberos)
can find their way round active directory and dfs shares?

Thanks for all the help, I've kept the progress updated in this post as I
hope it will save someone else a headache looking for the answer! :)
  #14  
Old 08-12-2006
AJ
 
Posts: n/a
Re: USERENV error - Group Policy

Right.. U should have forwarders for your ISP & the Server should
always point to local DNS. Hope your problem does not come back as
Netdiag is bad ;-) .. If it comes back, then we would need a new
netdiag output..

~Cheers,

Ajay Sarkaria

  #15  
Old 01-03-2007
DC
 
Posts: n/a
RE: USERENV error - Group Policy

I had a similar problem that turned out to be caused by missing PTR records
in DNS. The domain controller was in a secondary site that didn't have
reverse lookups set up for the site's subnet. I guess it couldn't resolve
\\domainname.local\ to the SYSVOL share on the local DC.
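
The check that posts #13 and #14 arrive at, written out as an added example that is not part of the thread: it lists the DNS servers configured on every adapter of a multihomed server, flags any that are not internal DNS servers, and can ask each server for the domain's DC locator SRV record. The function names, the 10.0.0.x addresses and the sample adapters are assumptions constructed for illustration.

```powershell
# Added example, not from the thread. All addresses and adapter names below
# are constructed; 198.51.100.53 is a documentation address standing in for an
# ISP resolver.

function Test-AdapterDns {
    param(
        # Objects with Description and DNSServerSearchOrder properties, such as
        # Win32_NetworkAdapterConfiguration instances.
        [Parameter(Mandatory = $true)] [object[]] $Adapters,
        # ASSUMPTION: the IP addresses of the internal (AD) DNS servers.
        [Parameter(Mandatory = $true)] [string[]] $InternalDns
    )
    foreach ($a in $Adapters) {
        # Drop empty entries so an unconfigured adapter yields an empty list.
        $servers = @($a.DNSServerSearchOrder | Where-Object { $_ })
        $foreign = @($servers | Where-Object { $InternalDns -notcontains $_ })
        if ($servers.Count -eq 0)     { $status = 'NO-DNS' }
        elseif ($foreign.Count -gt 0) { $status = 'NON-INTERNAL-DNS' }
        else                          { $status = 'OK' }
        [pscustomobject]@{
            Adapter    = $a.Description
            DnsServers = $servers -join ', '
            Offending  = $foreign -join ', '
            Status     = $status
        }
    }
}

function Test-DcLocatorRecord {
    # Asks each DNS server for the domain's DC locator SRV record. A public
    # resolver cannot answer this for an internal zone such as river.local.
    param(
        [Parameter(Mandatory = $true)] [string]   $Domain,
        [Parameter(Mandatory = $true)] [string[]] $DnsServers
    )
    foreach ($s in $DnsServers) {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV `
                   -Server $s -DnsOnly -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DnsServer = $s
            FindsDCs  = [bool]($srv | Where-Object { $_.Type -eq 'SRV' })
        }
    }
}

# Constructed sample mirroring post #13: four NICs, three pointing at the
# internal DNS servers and one pointing at an external resolver.
$sample = @(
    [pscustomobject]@{ Description = 'NIC 1 (constructed)'; DNSServerSearchOrder = @('10.0.0.2', '10.0.0.3') }
    [pscustomobject]@{ Description = 'NIC 2 (constructed)'; DNSServerSearchOrder = @('10.0.0.2', '10.0.0.3') }
    [pscustomobject]@{ Description = 'NIC 3 (constructed)'; DNSServerSearchOrder = @('10.0.0.2') }
    [pscustomobject]@{ Description = 'NIC 4 (constructed)'; DNSServerSearchOrder = @('198.51.100.53') }
)

$report = Test-AdapterDns -Adapters $sample -InternalDns '10.0.0.2', '10.0.0.3'
$report | Format-Table -AutoSize    # NIC 4 is reported as NON-INTERNAL-DNS

# On a live server, audit the real adapters and then probe each DNS server:
# $live = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
# Test-AdapterDns -Adapters $live -InternalDns '10.0.0.2', '10.0.0.3'
# Test-DcLocatorRecord -Domain 'river.local' -DnsServers '10.0.0.2', '198.51.100.53'
```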