Here is a quick update for anyone that is curious. From the verbose userenv logging it looks like these errors are coming from IE6SP1 and WordXPSP2. I'm still monitoring to see if any other programs seem to cause this, but have not found any yet. Policies still are applying fine so the problem I had has not resurfaced.
USERENV(78c4.19c4) 09:08:35:345 LibMain: Process Name: E:\OfficeXP\Office10\WINWORD.EXE USERENV(78c4.19c4) 09:08:35:501 RegisterGPNotification: CreateEvent failed with 5 USERENV(78c4.19c4) 09:08:35:501 RegisterGPNotification: CreateEvent failed with 5 USERENV(78c4.19c4) 09:08:35:516 RegisterGPNotification: CreateEvent failed with 5 USERENV(70c.1300) 09:08:31:876 LibMain: Process Name: C:\Program Files\Internet Explorer\IEXPLORE.EXE USERENV(70c.1300) 09:08:31:891 ImpersonateUser: Failed to impersonate user with 5. USERENV(70c.1300) 09:08:31:891 GetUserNameAndDomain Failed to impersonate user USERENV(70c.1300) 09:08:36:923 RegisterGPNotification: CreateEvent failed with 5 I am fairly certain that the IE errors are caused by the auto-login authentication when our users open one of the internal web sites that uses NT authentication and FP extensions, in testing so far I cannot reproduce on any external sites or other internal sites. Though I'm not sure why it would attempt to register to receive changes in the policy. Thanks again for the help so far. KC -----Original Message----- From: ActiveDirList-PPC Posted At: Monday, December 15, 2003 11:09 AM Posted To: ActiveDirList-PPC Conversation: [ActiveDir] Userenv.log error Subject: RE: [ActiveDir] Userenv.log error Great, at least these are starting points. I'll see if the winlogon diagnostics give me further ideas. Thanks to all for the ideas. KC -----Original Message----- From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED] Posted At: Saturday, December 13, 2003 8:29 AM Posted To: ActiveDirList-PPC Conversation: [ActiveDir] Userenv.log error Subject: RE: [ActiveDir] Userenv.log error Hi, To enable Winlogon diagnostics: Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon Value: UserEnvDebugLevel Value Type: REG_DWORD Value Data: <see below> (Hex) UserEnvDebugLevel can have the following values: NONE 0x00000000 NORMAL 0x00000001 VERBOSE 0x00000002 LOGFILE 0x00010000 DEBUGGER 0x00020000 So if you want verbose logging and a logfile (path log file= %WINDIR%\Debug\UserMode\Userenv.log) use the value 0x00010002 Regards, Jorge -----Original Message----- From: Darren Mar-Elia To: [EMAIL PROTECTED] Sent: 12/13/2003 1:00 AM Subject: RE: [ActiveDir] Userenv.log error KC- What this event is saying is that an application--probably a system application--is trying to create an event so that it can receive a notification when a GPO changes. However, for some reason, that application is unable to create the event for security reasons. It would probably be useful to determine which process is trying to register that event. The (52e8.5f2c) value indicates the process and thread ids for that call. If you can use Task Manager to check the process id, that might help narrow down the problem. I know its not much help, but maybe a starting point. Darren -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer Sent: Friday, December 12, 2003 2:03 PM To: [EMAIL PROTECTED] Subject: re: [ActiveDir] Userenv.log error Usually a Failure of 5 is "Access Denied" turn on Winlogon Logging, and then use secedit to reapply security policies. It will create the winlogon.log in the C:\winntt\security\logs directory. Read through the log and you should see where the error is happening. Search Technet for the keywords of "winlogon.log" and you should find the KB article with the registry keylocation. Sorry I don't remember it off hand. :) Jef Original Message: >From: "ActiveDirList-PPC" <[EMAIL PROTECTED]> >To: <[EMAIL PROTECTED]> >Subject: [ActiveDir] Userenv.log error >Date: Fri, 12 Dec 2003 16:18:33 -0500 >Anybody know of good resources for finding more info on the following >error > >USERENV(52e8.5f2c) 15:32:55:476 RegisterGPNotification: CreateEvent >failed with 5 > >I've been having some GP oddities today and the userenv.log files on >the affected systems are covered up with this. Google returns some >sites, but most seem to be msdn sites about API programming reference, >and a security paper in German which I have not been able to decipher yet. >Thanks, >KC Brown > >List info : http://www.activedir.org/mail_list.htm >List FAQ : http://www.activedir.org/list_faq.htm >List archive: >http://www.mail-archive.com/activedir%40mail.activedir.org/ > > List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
