none
event 1101 code 13

    Question

  • Hi,

    Lately we having an issue with event 1101 on some of our servers,

    I did check the users that recieves t he event 1101 and al of theml belong to the same OU. this OU is a sub OU to one other OU that we use it for our Exchange multi tenancy.

    If I remove one of the users that recieves the event 1101 from the sub OU to e.g. User OU and log back to the same server no error 1101, when put the user back to the sub OU then again get the error 1101.

    I did check the Parent OU and the Autenticated users has no Read access, but at the sub OU  the Autenaticted users have Read Permission.

    The only group policy is link to the OU is the default domain policy and no other Policy

    I have 2 questions:

    1. Why we get the event 1101 for the same user on some servers and not on all of the servers that this user login to.

    2. we did not hadve this issue before and I see it just for some weeks now, how can we correct theis issue.

    I also check the read gplink and write gpoptions and I have to say non of our OU has Allow permission to both of them.

    Any help would be appreciate it.

    Thanks


    Shahin


    we have 2 Dcs and both are server 2008 R2 and the problem is on mix server2012 R2 and server 2008 R2 member servers
    • Edited by Shahin Tuesday, July 05, 2016 12:35 PM
    Tuesday, July 05, 2016 12:33 PM

All replies

  • Hi,

    Can you check if any permissions or patches were deployed recently?

    Check out similar thread on this issue and a link to MS site applies to XP /2003 worth checking the resolution

    https://social.technet.microsoft.com/Forums/en-US/fc8814b1-dcdf-4dcf-a436-e7da83e6e4dc/events-1101-and-1030-logged-repeatedly-with-no-changes-made-to-gp?forum=winserverGP

    http://support.microsoft.com/kb/887421


    Regards, Jim MSCS - MCP Disclaimer: This posting is provided AS IS with no warranties or guarantees , and confers no rights. When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer

    Tuesday, July 05, 2016 1:59 PM
  • Thanks for the reply,

    sure we apply the Windows updates and patches monthly, but now question is which update has created this issue!

    I already saw this link and unfortunatly gptools is not working with server 2008 R2.

    and as I said the autenticated user has no read group policy access to the parent OU, also when we move a test user from this OU to other OUs like Users OU (with Authenticated having read access) then problem dont occurs.

    We did not have this issue untill sometimes ago, so maybe you are right and one of the installed updates is the root case this issue, but which one?

    Thanks


    Shahin

    Tuesday, July 05, 2016 2:11 PM
  • There is Security patch MS16-072 /

    KB3163622.

    I am curious to know if this is affecting your issue check if you have this patch installed and uninstall on 1 Server. Though this has affected way the security permissions are applied for GPOs.

    https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/

    https://blogs.technet.microsoft.com/poshchap/2016/06/16/ms16-072-known-issue-use-powershell-to-check-gpos/


    Regards, Jim MSCS - MCP Disclaimer: This posting is provided AS IS with no warranties or guarantees , and confers no rights. When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer

    Tuesday, July 05, 2016 2:41 PM
  • I did check on one our servers 2012 r2 and I could not find the update KB3163622. I will check one of other impacted server and see if it is installed there.


    Shahin

    Tuesday, July 05, 2016 2:54 PM
  • Hi,

    I did check for this KB3163622 on other server that we have Gp issue as well, but it looks like the update has not been installed.

    Any idea?

    Thaks


    Shahin

    Wednesday, July 06, 2016 10:02 AM
  • Can you post detailed 1101 event details here?

    Regards, Jim MSCS - MCP Disclaimer: This posting is provided AS IS with no warranties or guarantees , and confers no rights. When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer

    Wednesday, July 06, 2016 12:16 PM
  • Sure this is the details:

     System

      - Provider

       [ Name]  Microsoft-Windows-GroupPolicy
       [ Guid]  {AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}
     
       EventID 1101
     
       Version 0
     
       Level 2
     
       Task 0
     
       Opcode 1
     
       Keywords 0x8000000000000000
     
      - TimeCreated

       [ SystemTime]  2016-07-06T11:24:45.364847700Z
     
       EventRecordID 108093
     
      - Correlation

       [ ActivityID]  {C98EB990-16E5-44B9-8442-10EF4794EAEC}
     
      - Execution

       [ ProcessID]  2092
       [ ThreadID]  40276
     
       Channel System
     
       Computer NTS62.mydomain.local
     
      - Security

       [ UserID]  S-1-5-21-2074345211-3195412232-2123198540-1299

    - EventData

      SupportInfo1 4
      SupportInfo2 3198
      ProcessingMode 0
      ProcessingTimeInMilliseconds 344
      ErrorCode 13
      ErrorDescription The data is invalid. 
      DCName \\NTS50.mydomain.local
      DSObjectName OU=E-mail Hosting,DC=mydomain,DC=local


    Shahin

    Wednesday, July 06, 2016 12:19 PM
  • This looks to me like some of the GPO's might not have correct permissions set, can you unlink GPO's one by one and see if you get same error?

    If you have old GPO's hanging around linked to OU delete or unlink it, and also enable Debug logging for GPO.

    Did you deleted any OU recently and this might have not replicated across I suspect.

    https://support.microsoft.com/en-us/kb/221833

    Check this link applies to XP and 2003 but verify the resolution steps.

    https://support.microsoft.com/en-us/kb/909260

    Check this thread with similar issue discussed

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/88299639-9d83-4479-bd17-30edee90a5cb/group-policy-failed-help?forum=winserverDS


    Regards, Jim MSCS - MCP Disclaimer: This posting is provided AS IS with no warranties or guarantees , and confers no rights. When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer

    Wednesday, July 06, 2016 12:30 PM
  • I am also sure this is permission issue, as I said the Authenticate uses have no Read permission on the parent OU the reson is we have a Multi tanent exchange enviorment and we had to reomve the Authenticated users from the Parent OU and this is almost 6 years ago and we did not have any problem untill 2 month ago.

    the only policy that is linked to the OU is the default domain policy.

    We did not delete any OU. I did enable the gp logging, if you like I can upload it for you.


    Shahin

    Wednesday, July 06, 2016 12:43 PM
  • I did some more resarch and it look like that this update KB3159389 can be the root cause of the problem. I did check one of the server that has this issue and can see the update has been installed.

    https://support.microsoft.com/en-us/kb/3159398

    I will remove this update and see it helps.


    Shahin

    Thursday, July 07, 2016 10:06 AM
  • Hi Shahin,

    What is the situation of your problem after un-install the update?

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, July 12, 2016 5:46 AM
    Moderator