TheITGuyRox.com

So, I keep getting Userenv errors 1030 and 1058 on one of my domain controllers.

The description of Event ID 1058 says “Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9}, CN=Policies, CN=System, DC=MyDomain, DC=com. The file must be present at the location <\\MyDomain.com\ sysvol\ MyDomain.com\ Policies\ {31B2F340-016D-11D2-945F-00C04FB984F9}\ gpt.ini>. (Access is denied. ). Group Policy Processing aborted.”

This problem has plagued me for quite a while. I have checked permissions on the file, the folder and the root drive. Everything looked normal. I couldn’t figure out what to do. I decided to do nothing. Everything apeared to be working fine.

A couple months later I decided to cleanup active directory a little bit. I opened the Group Policy manager and deleted all of my unused GPOs. The next day, I noticed that the Userenv errors quit showing up. I was quite happy with myself. My patience paid off.

The next week however I noticed that I was getting the errors in a different environment. I was a little put out. I didn’t want to randomly delete GPOs until the problem went away, so I googled again. I came across a solution. It was so simple, I was angry that I lived with the error for so long. All I had to do was open the security page of all the GPOs and reset the ACL. After 5 minutes I fixed the error and have not seen it since.

To fix Userenv Events 1030 and 1058 that are caused by Access Restrictions:

• Download and install the Group Policy Management Console.

• Open the Group Policy Management MMC and browse to Forest: -> Domains -> MyDomain.com -> Group Policy Objects.
• Click on the first object. Open the Delegation Tab.
• Click on a user and then the Advanced… button in the bottom corner.
• Uncheck and recheck any check box.
• Click OK and repeat on every GPO. (This causes the ACL to be rewritten and permission granted the the broken GPO.)

I work with virtual machines alot.

One thing that I have noticed is that a windows VM that has been copied, NewSided, and added to a domain, generates MSDTC Event 53258, ALOT.

EventID: 53258

MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC
will continue to function and will use the existing security settings. Error
Specifics: d:\srvrtm\com\complus\dtc\dtc\adme\uiname.cpp:9280, Pid: 1148
No Callstack,
CmdLine: C:\WINDOWS\system32\msdtc.exe

EventID: 53258

MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC
will continue to function and will use the existing security settings. Error
Specifics: %1

After lots of time googling, I found the solution:

1. Run the Component Services MMC snap-in: Start -> Administrative Tools ->
Component Services.

2. Open Console Root -> Component Services -> Computers.

3. Right-Click on My Computer (in the Component Services window) and click Properties.

4. Open the MSDTC tab and click OK.

5. Close the Component Services window.

6. From a Command Prompt type net stop msdtc && net start msdtc.

Now you won’t get the MSDTC errors in the event log.

I believe that this process resets the computer name that MSDTC tries to connect to. In my case it was trying to connect to the computer named “base-vm”, but that computer no longer exists.