Group Policy Error Events Logged When Unknown Environment Variable Is Used
Log Name: Microsoft-Windows-GroupPolicy/OperationalSource: Microsoft-Windows-GroupPolicyEvent ID: 7016Task Category: NoneLevel: ErrorKeywords: User: SYSTEMDescription:Completed Security Extension Processing in 20984 milliseconds.Event Xml:Windows XP and Windows Server 2003 will log this event in the Application log:... 20984 1252 Security {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
Event ID: 1091Category: NoneSource: UserenvType: ErrorMessage: The Group Policy client-side extension Security failed to log RSOP (Resultant Set of Policy) data. Please look for any errors reported earlier by that extension.All Windows version will log this event in the Application log:
Event ID: 1202Category: NoneSource: SceCliType: WarningMessage: Security policies were propagated with warning. 0xd: The data is invalid.Depending on the actual policy configuration, the settings in the security policies may or may not be present. The More Information section explains the conditions for policy failure or success (despite the errors).
Cause
The events are logged because the file system security settings of one policy contain an environment variable that is unknown on the client computer. To find out more about the problem, enable logging of the security configuration client-side extension:
The gpt0000x.inf file, a text file containing the policy settings, can be found in the %windir%\security\templates\policies folder. It also contains the location of the policy in Active Directory in the line starting with GPOPath, allowing you to identify which policy has the unknown environment variable.
324383 Troubleshooting SCECLI 1202 EventsIn the %windir%\security\logs\winlogon.log file, you will see an entry such as:
Process GP template gpt0000x.inf.-------------------------------------------Error 13: The data is invalid. Error converting %PROGRAMFILES(X86)%\MyApplication.%PROGRAMFILES(X86)% is only an example. It is used when the policy is edited on a 64-bit version of Windows and security settings are made for the folder C:\PROGRAM FILES (X86) or one of its subfolders.
The gpt0000x.inf file, a text file containing the policy settings, can be found in the %windir%\security\templates\policies folder. It also contains the location of the policy in Active Directory in the line starting with GPOPath, allowing you to identify which policy has the unknown environment variable.
Resolution
To avoid the problem, create a new policy at the same level that receives the settings referencing the missing environment variable. Then use a WMI filter to allow the policy to only apply to machines that have the environment variable defined.
For example, the WMI filter for %PROGRAMFILES(X86)% would be:
For example, the WMI filter for %PROGRAMFILES(X86)% would be:
Select * from Win32_Envrionment where Name = 'PROGRAMFILES(X86)'