Group policy objects are a convenient and widely used way to enforce certain behaviors on all the machines in a specific environment. There are, however, some pitfalls to using GPOs that may not be obvious even to experienced administrators.
Like this. One of the errors that can be logged on workstations that have GPOs applied to them unsuccessfully is Event ID 1000. The log entry will usually look like this:
Event ID: 1000
Event Source: Userenv
Description: Windows cannot read the history of GPOs from the registry
This error is notoriously vague, since it is simply used to indicate that applying the GPO failed for some generic reason. The most common reason (which isn't separately documented as an error) is a missing or damaged Registry entry -- or a Registry entry with incorrect permissions applied to it, a common "time bomb" problem.
Here's what to do.
- Open the Registry Editor using REGEDT32 (not REGEDIT) and navigate to HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionGroup PolicyHistory.
- Make sure the History key and its sub-keys have these permissions:
Read permissions for the group Authenticated Users
Read / Full Control permissions for the groups Administrators and System
- Go into the History key and delete all of its subkeys (but don't delete the History key itself!). These sub-keys will be recreated later.
- the following command from the command line:
secedit /refreshpolicy machine_policy /enforce
This forces GPO settings to be imposed and take effect immediately. (For more on the SECEDIT /REFRESHPOLICY command, see Microsoft KnowledgeBase Article 227302.)
Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter.
This was first published in February 2003