Group policy objects are a convenient and widely used way to enforce certain behaviors on all the machines in a specific environment. There are, however, some pitfalls to using GPOs that may not be obvious even to experienced administrators.

One of the errors that can be logged on workstations where GPOs fail to apply is Event ID 1000. The log entry will usually look like this:

Event ID: 1000
Event Source: Userenv
Description: Windows cannot read the history of GPOs from the registry

This error is notoriously vague, since it is simply used to indicate that applying the GPO failed for some generic reason. The most common reason (which isn't separately documented as an error) is a missing or damaged Registry entry -- or a Registry entry with incorrect permissions applied to it, a common "time bomb" problem.

Here's what to do.

  1. Open the Registry Editor using REGEDT32 (not REGEDIT) and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History.

  2. Make sure the History key and its sub-keys have these permissions:

    Read permissions for the group Authenticated Users
    Read / Full Control permissions for the groups Administrators and System

  3. Go into the History key and delete all of its subkeys (but don't delete the History key itself!). These sub-keys will be recreated later.

  4. Run the following command from the command line:

    secedit /refreshpolicy machine_policy /enforce

This forces GPO settings to be imposed and take effect immediately. (For more on the SECEDIT /REFRESHPOLICY command, see Microsoft KnowledgeBase Article 227302.)
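
A read-only check of the step 2 permissions on the History key and its sub-keys, as an added example that is not part of the original tip. It assumes a system where Windows PowerShell 3.0 or later is available; the function name Test-GpoHistoryAcl is hypothetical.

```powershell
# Added example: read-only audit of the Group Policy History key (changes nothing).
$HistoryKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'

# Step 2 permissions, keyed by well-known SID so localized group names still match.
$Expected = [ordered]@{
    'S-1-5-11'     = @{ Name = 'Authenticated Users'; Rights = 'ReadKey' }
    'S-1-5-32-544' = @{ Name = 'Administrators';      Rights = 'FullControl' }
    'S-1-5-18'     = @{ Name = 'SYSTEM';              Rights = 'FullControl' }
}
$InheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

# Hypothetical helper: reports, per principal, whether the expected rights are granted.
function Test-GpoHistoryAcl {
    param([Parameter(Mandatory)][string]$LiteralPath)

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules = (Get-Acl -LiteralPath $LiteralPath).GetAccessRules($true, $true, $sidType)

    foreach ($sid in $Expected.Keys) {
        $want = [int][System.Security.AccessControl.RegistryRights]$Expected[$sid].Rights
        $granted = 0
        foreach ($rule in $rules) {
            # Skip other principals, deny ACEs, and ACEs that only apply to child keys.
            if ($rule.IdentityReference.Value -ne $sid) { continue }
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if (([int]$rule.PropagationFlags -band $InheritOnly) -ne 0) { continue }
            # Generic-rights ACEs (GENERIC_READ / GENERIC_ALL) are not mapped here
            # and therefore show up as missing; review those by hand.
            $granted = $granted -bor [int]$rule.RegistryRights
        }
        [pscustomobject]@{
            Key       = $LiteralPath
            Principal = $Expected[$sid].Name
            Expected  = $Expected[$sid].Rights
            Ok        = (($granted -band $want) -eq $want)
        }
    }
}

# Check the History key itself and every sub-key beneath it.
$keys = @((Get-Item -LiteralPath $HistoryKey).PSPath)
$keys += @(Get-ChildItem -LiteralPath $HistoryKey -Recurse | ForEach-Object { $_.PSPath })
$results = foreach ($k in $keys) { Test-GpoHistoryAcl -LiteralPath $k }

# Show only the gaps; no output means the ACLs match step 2.
$results | Where-Object { -not $_.Ok } | Format-Table -AutoSize
```

Any row in the output names a key where one of the three principals lacks the access listed in step 2.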


Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter.


This was first published in February 2003
