
error: Windows cannot impersonate the user


graysky


I found an odd entry in my event log today. It happened after I did a Windows key + L to lock the machine; when I unlocked it, I found this entry in Event Viewer > Application log:

User: NT AUTHORITY\SYSTEM
Event ID: 1081

Windows cannot impersonate the user. (The handle is invalid. ). Group Policy processing aborted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I ran a full malware and virus scan, but found nothing. Does anyone know what this impersonate error is about?

Maybe you could have taken one more step and done a 'full google' scan.

http://www.google.com/search?q=Windows+can...sonate+the+user


I did google it and followed most of the links at the URL you kindly posted. Unfortunately, I haven't found a definitive answer. I did find this but I don't see how it applies since I'm not using ASP.NET and don't really know what it is :)


If you're getting that error, it means you were likely doing a background refresh of group policy, and either your machine's account on the domain had a security issue, or some process on the machine closed the handle underneath the GP engine during processing (like antivirus software). Hard to say, but it is definitely indicative of a failed background refresh - how frequently does this occur, and when did it start happening?


By default, members of the device's local Administrators group and the device's local Service account are assigned the "Impersonate a client after authentication" user right. The following components also have this user right:

Services that are started by the Service Control Manager

Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account

When you assign the "Impersonate a client after authentication" user right to a user, you permit programs that run on behalf of that user to impersonate a client.

This security setting helps to prevent unauthorized servers from impersonating clients that connect to it through methods such as remote procedure calls (RPC) or named pipes.

MORE INFO

Also there was a patch for enabling pipe create instance for non-admin users AFAIR, but I don't remember details.

Check it on msoft kb


@cluberti - 9 times yesterday. It started happening (as per the logs) about 2 weeks ago. Unfortunately, I don't know what happened to set it off. Nothing yet today, but the machine was just powered on... we'll see :)


Update: I only seem to get this error when the user is logged in to the machine, but has either pressed winkey+L or the screensaver did so (since the require password box is checked). In other words, the user is logged in, but the machine is on the welcome screen.

Does that mean anything to help track it down?

EDIT: this isn't true.. the most recent one happened a few minutes ago when I was logged in :(


You might want to open the Security Configuration and Analysis MMC and compare your machine against the default security template, to see what is different. It is likely some security setting that is non-standard that is causing this, but it would help for you to do an analysis against the default template to see what is different on your machine against an out-of-the-box security configuration.


Sure:

1. Open mmc (start > run > mmc)

2. Click File > Add/Remove snapin

3. Click "Add"

4. Select "Security Configuration and Analysis" from the list, and click "Add"

5. Click "Close"

6. Click "OK"

7. Right-click the "Security Configuration and Analysis" option under "Console Root", and click "Open Database"

8. Type in a name for the new database you are creating (can be anything), then click "Open"

9. From the list of templates (if you do not see any .inf templates, browse to %windir%\security\templates) select "setup security.inf" and click "Open"

10. Right-click the "Security Configuration and Analysis" option under "Console Root", and click "Analyze Computer Now"

11. Click "OK" when prompted to create an Error log file path

This will analyze your system against the .inf file that was applied when the OS was first installed, showing you the differences.

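A scripted counterpart to the user-rights part of the analysis above, covering the "Impersonate a client after authentication" right (SeImpersonatePrivilege) quoted earlier in the thread. This is an added example, not part of any post in the thread: it diffs the `[Privilege Rights]` section of a baseline template against a `secedit /export` file. Both INF samples are constructed, and the function names are hypothetical.

```python
import configparser

# Constructed samples, not taken from the thread. On a real machine the baseline
# is "setup security.inf" and the current state comes from:
#   secedit /export /cfg current.inf /areas USER_RIGHTS
BASELINE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6
SeDebugPrivilege = *S-1-5-32-544
"""
CURRENT_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-32-545
"""

def decode_inf(raw: bytes) -> str:
    """secedit exports are UTF-16 with a BOM; fall back to a single-byte codec."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("latin-1")

def privilege_rights(inf_text: str) -> dict:
    """Map each user right in [Privilege Rights] to its set of SIDs/accounts."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    cp.optionxform = str  # keep the SeXxxPrivilege casing
    cp.read_string(inf_text)
    if not cp.has_section("Privilege Rights"):
        return {}
    return {name: {p.strip() for p in (value or "").split(",") if p.strip()}
            for name, value in cp.items("Privilege Rights")}

def diff_rights(baseline: dict, current: dict) -> dict:
    """Return rights whose holders differ: baseline-only and current-only entries."""
    changes = {}
    for name in sorted(set(baseline) | set(current)):
        b, c = baseline.get(name, set()), current.get(name, set())
        if b != c:
            changes[name] = {"missing": sorted(b - c), "extra": sorted(c - b)}
    return changes

if __name__ == "__main__":
    current = decode_inf(CURRENT_INF.encode("utf-16"))  # simulate a secedit export
    for right, delta in diff_rights(privilege_rights(BASELINE_INF),
                                    privilege_rights(current)).items():
        print(right, delta)
```

In the samples, `S-1-5-32-544` is the local Administrators group, `S-1-5-6` is the SERVICE account and `S-1-5-32-545` is the Users group; the MMC analysis also covers areas this script does not, such as registry and file permissions.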
