Events 1101 and 1030 are logged in the Application log when applying Group Policy

Applies to: Microsoft Windows Server 2003 Standard Edition (32-bit x86); Microsoft Windows Server 2003 Enterprise Edition (32-bit x86); Microsoft Windows Server 2003 Datacenter Edition (32-bit x86)

Symptoms


On a computer that is running Microsoft Windows XP or newer, you may see Error event entries (event IDs 1101 and 1030) in the Application log. If you enable user environment or GPSVC debug logging, the following entries are logged:
ProcessGPOs: User name is: UserOrComputerDN, Domain name is: DomainName
ProcessGPOs: Domain controller is: \\DCFQDN Domain DN is DomainName
...
EvaluateDeferredOUs: Object OUName cannot be accessed
GetGPOInfo: EvaluateDeferredOUs failed. Exiting
Note: In these entries, OUName is the parent organizational unit (OU) of the user account or of the computer object.

Cause


This problem occurs because the Group Policy engine in Windows XP Professional and newer does not have read permission on the following attributes of the parent OUs:
  • distinguishedName (used in the search filter)
  • gPLink (requested as data)
  • gPOptions (requested as data)
Without read permission on these attributes, the Group Policy engine cannot apply the Group Policy settings that are linked to the OU.

In Microsoft Windows 2000 Server, the events that are described in the "Symptoms" section are not logged. The Group Policy engine in Windows 2000 Server silently ignores the Group Policy settings that are linked to the OU. The Group Policy engine in Windows XP and newer was changed so that it no longer ignores this error.

By default, read access to all OUs is granted by an access control entry in the default security descriptor that the schema defines for the organizationalUnit class. That entry allows the Authenticated Users group to read all properties of the OU.

Resolution


To resolve this problem, grant read permission on the parent OUs (specifically on the distinguishedName, gPLink, and gPOptions attributes) to all user accounts and all computer accounts that apply Group Policy settings through those OUs.

Granting permissions on the "distinguishedName" attribute through ACL Editor requires you to change the attribute's visibility in DSSEC.DAT, in the "[organizationalUnit]" section: change the line "distinguishedname=7" to "distinguishedname=0".

When you then restart the application that hosts ACL Editor (for example, Active Directory Users and Computers), the attribute is visible in the permission entry list.
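Before editing ACLs by hand, an administrator will usually want to know which OUs actually lack the three read permissions described above. The following PowerShell script is an added example (not part of this article) that audits every OU for an Allow ACE granting ReadProperty on distinguishedName, gPLink, and gPOptions to a broad principal; it assumes the ActiveDirectory module, the AD: drive it provides, and that "Authenticated Users" or "Everyone" is the principal you expect to hold the default read access.

```powershell
# Added example (not from the KB article): report OUs where the Group Policy engine's
# required read permissions are missing. Assumes the ActiveDirectory module is installed.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Resolve each attribute's schemaIDGUID from the schema instead of hard-coding GUIDs.
$attrGuids = @{}
foreach ($name in 'distinguishedName', 'gPLink', 'gPOptions') {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
    $attrGuids[$name] = [guid]$obj.schemaIDGUID
}

$readProperty = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$emptyGuid    = [guid]::Empty
# Assumed principals that should carry the default read access (adjust for your domain).
$expectedPrincipals = 'Authenticated Users|Everyone'

function Test-OuReadAccess {
    param([string]$OuDN)
    # Get-Acl on the AD: drive returns explicit and inherited ACEs for the OU.
    $acl = Get-Acl -Path "AD:\$OuDN"
    $result = @{}
    foreach ($attr in $attrGuids.Keys) {
        $guid = $attrGuids[$attr]
        # An ACE satisfies the check if it is Allow, includes ReadProperty (GenericRead and
        # GenericAll include that bit), and either names this attribute's GUID or applies
        # to all properties (empty ObjectType). ACEs scoped to a property set are not
        # expanded here, so confirm any reported gap in ACL Editor before changing anything.
        $granted = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band $readProperty) -ne 0) -and
            ($_.ObjectType -eq $guid -or $_.ObjectType -eq $emptyGuid) -and
            $_.IdentityReference.Value -match $expectedPrincipals
        }
        $result[$attr] = [bool]$granted
    }
    return $result
}

foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $access  = Test-OuReadAccess -OuDN $ou.DistinguishedName
    $missing = @($access.Keys | Where-Object { -not $access[$_] })
    if ($missing.Count -gt 0) {
        Write-Output ("{0}: no broad ReadProperty ACE found for {1}" -f $ou.DistinguishedName, ($missing -join ', '))
    }
}
```

Run it as an account that can read OU security descriptors; OUs it lists are the candidates for the permission change described in this section.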

More Information


For more information about how to enable user environment debug logging, click the following article number to view the article in the Microsoft Knowledge Base:

221833 How to enable user environment debug logging in retail builds of Windows