Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Problems with GPO processing, event ID 1030

1,426 views
Skip to first unread message

yaro137

unread,
Oct 5, 2009, 10:49:04 AM10/5/09
to
I'm getting the following message on one of the client PCs:
"Windows cannot query for the list of Group Policy objects. A message
that describes the reason for this was previously logged by the policy
engine."
It usually occurs around 10 times followed by :
"Security policy in the Group policy objects has been applied
successfully."
when I run gpupdate /force I'm getting the above 2 events in the log.
The error comes first. Any idea what could be causing that? Other
computers in that small network on SBS2k3 are all right.
yaro

Robbin Meng [MSFT]

unread,
Oct 6, 2009, 4:58:15 AM10/6/09
to


Hello yaro,

Thanks for your post again.

Based on research and experience in the Event error messages, this issue may occur if both of the following conditions are true:

o Your Windows XP-based computer is a member of a domain.
o The Microsoft Distributed File System (DFS) client is turned off.

Note The \\ Active Directory Domain Name \Sysvol share is a special share that requires the DFS client to make a connection.

Note This issue may also occur if "Everyone" has been removed from the root drive NTFS file system permissions. If "Everyone" has been removed from the root drive NTFS permissions, restore the
"Everyone" group's NTFS permissions on the root folder by granting "Everyone" the special Read and Execute NTFS permissions on the root folder only.

Please refer to the following KB articles for detailed troubleshooting steps:

A Group Policy object is not applied as expected after you restart a Windows XP-based client computer or a Windows Server 2003-based computer
http://support.microsoft.com/kb/886516/en-us

Group policies are not applied the way you expect; "Event ID 1058" and "Event ID 1030" errors in the application log
http://support.microsoft.com/kb/314494/en-us


However, if the issue persists, please perform a "Clean boot" on the problematic client:

Clean boot
=================
Let's disable all startup items and third party services when booting. This method will help us determine if this issue is caused by a loading program or service. Please perform the following steps:

1. Click the Start Button type "msconfig" (without quotation marks) in the Start Search box, and then press Enter.

Note: If prompted, please click Continue on the User Account Control (UAC) window.

2. Click the "Services" tab, check the "Hide All Microsoft Services" box and click "Disable All" (if it is not gray).
3. Click the "Startup" tab, click "Disable All" and click "OK".

Then, restart the computer. When the "System Configuration Utility" window appears, please check the "Don't show this message or launch the System Configuration Utility when Windows starts" box and
click OK.

Please test this issue in the Clean Boot environment, if the issue disappears in the Clean Boot environment, we can use a 50/50 approach to quickly narrow down which entry is causing the issue.

For more information about this step, please refer to the following KB article:

How to perform a Clean Boot in Windows XP
http://support.microsoft.com/default.aspx?scid=KB;EN-US;310353


Hope this helps. Also, if you have any questions or concerns, please do not hesitate to let me know.

Best regards,
Robbin Meng(MSFT)
Microsoft Online Newsgroup Support

==================================================================
Please post your SBS 2008 related questions to the SBS newsgroup on Connect website:
https://connect.microsoft.com/sbs08/community/discussion/richui/default.aspx

Please post your EBS related questions to the EBS newsgroup on Connect website:
https://connect.microsoft.com/ebs08/community/discussion/richui/default.aspx

If you want to use a newsreader other than a web forum to access these newsgroups,
please refer to the following blog to apply NNTP password and configure a newsreader:
http://msmvps.com/blogs/bradley/archive/2008/11/02/signing-up-for-the-sbs-2008-newsgroups.aspx
==================================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
==================================================================

yaro137

unread,
Oct 12, 2009, 12:22:56 PM10/12/09
to
It still appearers. I noticed that it's roughly every 2 hrs. I have no
problems accessing the SYSVOL folder over the network. Clean boot did
not change anything. Not sure what do you mean regarding the DFS
client. I can't even find this service among the services running on
my PC.
yaro

Robbin Meng [MSFT]

unread,
Oct 13, 2009, 11:41:02 PM10/13/09
to

Hi yaro,

Thanks for your reply and letting me know the test results.

Regarding the DFS you concerned, I would like to explain that all domain controllers must run the Distributed File System service because the Sysvol share is a DFS
volume. Additionally, the DFS client must be enabled in the registry on all computers.

To make sure that the Distributed File System client is enabled on all client computers, follow these steps:
1. Click Start, click Run, type regedit in the Open box, and then click OK.
2. Expand the following subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mup
3. Click Mup, and then in the right pane, search for a DWORD value entry that is named DisableDFS.
4. If the DisableDFS entry exists and the value data is 1, double-click DisableDFS. In the Value data box, type 0 , and then click OK. If the DisableDFS value data is
already 0, or if the DisableDFS entry does not exist, do not make any change.
5. Quit Registry Editor.
6. If you changed the DisableDFS value data, restart the computer.


To continue troubleshoot this issue, it also occurs if the computers that are on your network cannot connect to certain Group Policy objects. Specifically, these objects are in
the Sysvol folders on your network's domain controllers.

So please check for the permissions on the sysvol and added "Group Policy Creator Owner" and gave it full control. If the issue persists, please go on to try the steps listed
with the following KB887303 article:

"Userenv errors occur and events are logged after you apply Group Policy to computers that are running Windows Server 2003, Windows XP, or Windows 2000"
http://support.microsoft.com/kb/887303/en-us

Note, please only need to refer to the Windows XP client part since the issue only occurs to individual client computer. Please have a try.

Hope this helps.

yaro137

unread,
Oct 20, 2009, 8:13:46 AM10/20/09
to
Done all suggested and even reset the computers account on the server.
Still getting the error now accompanied by 40961
"The Security System could not establish a secured connection with the
server ldap/servername.local/domain...@domain.LOCAL. No
authentication protocol was available.
yaro

Robbin Meng [MSFT]

unread,
Oct 28, 2009, 6:54:06 AM10/28/09
to


Hello yaro,

Sorry for my late reply due to attendance of trainings these days.

Please apply the hotfix 931192 and 885887 for the client computer to fix the Event 40961 and 1030 error issue:

Users in a trusted external Kerberos realm cannot access resources from a Windows Server 2003-based forest to another forest by using a forest trust and a Kerberos trust
http://support.microsoft.com/kb/931192/en-us

You cannot access network resources after you try to log on to a Windows XP Service Pack 2-based computer
http://support.microsoft.com/kb/885887/en-us

Please take your time to try.


Best regards,
Robbin Meng(MSFT)
Microsoft Online Newsgroup Support

==================================================================

0 new messages