What are Userenv 1030 and 1058 events?

  • Article

These are very generic client events and are logged whenever the system fails to apply Group Policy settings for either the user or the computer.

One thing to note concerning a Userenv 1030/1058 event is that it doesn’t have to be indicative of a problem, it can be caused by environmental issues like not being able to access a DC (because the network is down) or the network on the machine not being ready when it boots up and attempts to apply GPO’s. 

Typical catalysts are:

  • incorrect ACL’s on Sysvol on the DC

  • filter drivers (antivirus or backup apps) that keep locks on the target objects in Sysvol

  • network issues that prevent the client from accessing Sysvol on the DC

  • inorrect security settings on the DC the client is accessing Sysvol on

  • DNS resolution issues

  • DFS problems

    The important bit here before troubleshooting is to look at other events or problems on the client, a single 1030/1058 event at reboot isn’t anything to be overly concerned about for example (in that case it probably means we attempted to apply Group Policy before we could reach Sysvol on a DC).

The GUID of the policy that is reported in the events is also of interest, if you see this being reported only for specific GPO’s then you need to zoom on on those and investigate them for anomalies.
It's also useful to note which DC the client is attempting to get Sysvol data from, especially if it only seems to be one particular DC that generates the events while the clients don't get the problem when connected to other DC's.

Consider that you have two security principals involved in the application of all GPO’s; the logged-on user account and the computer account of the machine the user is logged on to.  Group Policy processing will do at least two passes (more if Loopback Merge mode is present) and first attempt to apply Computer Group Policy and then User Group Policy. 
Depending on how Fast Logon Optimization is set up this can be sequential or out of order. 

During this operation, the client will attempt to download data from Sysvol on the DC it has a DFS connection with (See dfsutil /pktinfo which DC).  Note that this doesn’t have to be the same DC as your logon DC but that is configurable.

The best way to resolve problems related to these two events is to enable Userenv logging on the client side and getting a log to read (See http://blogs.technet.com/instan/archive/2008/09/17/what-is-logged-to-the-userenv-log-file.aspx).

Secondary methods of troubleshooting would be network traces from the client that cover a time period where it logs the events, this should tell you if network problems are preventing the client from talking to the DC.

How to enable user environment debug logging in retail builds of Windows
http://support.microsoft.com/kb/221833

Interpreting Userenv log files
http://technet.microsoft.com/en-us/library/cc786775.aspx

AD & GPO FAQ
http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/26455b36-26bd-4a44-b594-5a9f67bcd8df

DFSUtil in Windows Server 2003 VS DFSUtil in Windows Server 2008
http://blogs.technet.com/filecab/archive/2008/07/11/dfsutil-exe-in-windows-2003-vs-dfsutil-exe-in-windows-2008.aspx

An update for Windows Server 2003 and Windows 2000 Server makes it possible to put the logon server at the top of the DFS referrals list
http://support.microsoft.com/kb/831201