Group Policy Client Service Failed the logon - Access Denied: Windows 7 Ultimate/Server 2008 R2

    Question

  • I'm running a Windows 2008 R2 ADS domain with 7 workstations, 6 running Windows 7 Ultimate 64-bit, 1 running Windows XP Pro

    I recently reinstalled Windows on one of the machines to take it from 32-bit to 64-bit - and upon joining the domain and trying to log on for the first time, I get the error message above (Group Policy....).  Everything was working fine on this same hardware with Windows 7 32-bit.  The hardware is an ASUS P7P55D Pro motherboard running an i5-760 processor with 4 GB RAM and an nVidia 8800 GT video card (x2). 

    I've found many, many links for this issue but nothing I've found makes any difference on this machine.

    I'm currently running with a static IP address to eliminate DHCP issues - no change

    I can log in with user accounts with no roaming profile - both domain admin and local admin user accounts work!

    The roaming profile accounts all work on all the other workstations with no problems.

    When I give a roaming profile account domain admin access, I can get logged in, but it loads a temporary profile - all other accounts continue to give me the error above and log me off automatically.

    No system log errors are created, but there are several application events: (1530, 6004, 1542, 6001, 1504) - all indicating that the roaming profile registry information can't be loaded...obviously - but why?

    Any suggestions?  Thanks.

     

    Tuesday, November 30, 2010 5:20 AM

Answers

  • Hi,

     

    According to your description, the domain admin and local admin user accounts work. After granting a roaming profile domain admin permission, this user can log in, but it loads a temporary profile. Meanwhile, the same roaming profile user can log on to other workstations correctly. If anything is incorrect, please let us know. Also, please note that XP and Windows 7 have different profile folder structures; it is recommended not to log on with one roaming profile to both XP and Win7.

     

    What about the domain users without roaming profile? You can create a test user to check the results.

     

    At this time, let’s refer to the following steps for troubleshooting:

     

    1. Open registry editor on the problematic Windows 7 machine (please log in as domain admin)

    2. Highlight HKEY_USERS, choose File -> Load Hive, browse to the location of one failing roaming profile and open NTUSER.DAT file, click open

    3. Under Key Name, enter any name you like, but remember what you have entered, such as enter "test"

    4. Expand HKEY_USERS; you should see a new registry hive called "test" or any name you entered earlier

    5. Right click on that "test" hive and choose permissions. Confirm that the following users have permissions:

     

    - Administrators: Full Control

    - SYSTEM: Full Control

    - User (or group) that owns this profile: Full Control

     

    6. If the permissions were wrong, correct them, then click on the Advanced tab, enable "Replace permission entries on all child objects with entries shown here that apply to child objects" and click Apply.

    7. Highlight "test" registry hive, then click on File -> Unload Hive to release handle on NTUSER.DAT file.

     

    8. Log off and log on with the failing roaming profile you have just modified.

     

    What is the result?

     

    If the issue persists, please send us the MPS report for further troubleshooting.

     

    MPSReport

    -------------------

    Please generate an MPS Directory Service report on the computer that is reporting the error. The MPS report is utilized to gather detailed information regarding a system's current configuration. The data collected will assist me with problem isolation. To do this:

    a. Download Microsoft Product Support Reports tool from the following link, according to your system architecture.

    http://www.microsoft.com/downloads/details.aspx?FamilyId=CEBF3C7C-7CA5-408F-88B7-F9C79B7306C0&displaylang=en       

     

    b. Right click on downloaded mpsreports_x86.exe or mpsreports_x64.exe, and choose Run as Administrator.

    c. Agree to the License Agreement, and choose This Computer.

    d. Select General, Internet and Networking, Business Networks, Server Components, and click Next.

    e. After finishing collecting logs, please choose Save the result to save it to a .CAB file, and send the CAB file to the workspace.

    Note: Sometimes the CAB file may fail to be generated on your machine. This is usually caused by interference from some third-party application such as certain antivirus programs. If it still cannot be generated after another attempt, then please manually zip all the output files in the following folder and send the .zip file to the workspace.

    "%systemroot%\MPSReports\DirSvc\Logs"

    Upload these files to the following workspace.

    ------------------------------------------------------------

    You can upload the information files to the following link. (Please choose "Send Files to Microsoft")

    Workspace URL: (https://sftus.one.microsoft.com/choosetransfer.aspx?key=0e2a1d29-5bb9-4f89-9e15-85df34d2f058)                 

    Password: l5T66#OAGu

     

    Note: Due to differences in text formatting with various email clients, the workspace link above may appear to be broken. Please be sure to include all text between '(' and ')' when typing or copying the workspace link into your browser. Meanwhile, please note that files uploaded for more than 72 hours will be deleted automatically. Please be sure to notify me in a timely manner after you have uploaded the files. Thank you for your understanding.

     

    Thanks.

    Nina


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Wednesday, December 01, 2010 7:41 AM
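
The permission check in steps 2 to 7 of the answer above, scripted as a read-only audit. This is an added example, not part of the original answer; `$HivePath`, `$ProfileOwner` and `$MountName` are placeholders supplied by whoever runs it.

```powershell
# Added example (not from the original answer): read-only audit of the ACL on the
# root key of a profile's NTUSER.DAT. Run elevated while that user is logged off.
param(
    [Parameter(Mandatory = $true)][string]$HivePath,      # placeholder: path to the failing NTUSER.DAT
    [Parameter(Mandatory = $true)][string]$ProfileOwner,  # placeholder: DOMAIN\user who owns the profile
    [string]$MountName = 'test'                           # key name under HKEY_USERS, as in step 3
)

$sidType = [System.Security.Principal.SecurityIdentifier]
$full    = [int][System.Security.AccessControl.RegistryRights]::FullControl

# Principals that step 5 expects to hold Full Control, keyed by SID so that
# renamed or localized group names do not affect the comparison.
$expected = @{ 'S-1-5-32-544' = 'Administrators'; 'S-1-5-18' = 'SYSTEM' }
$ownerSid = (New-Object System.Security.Principal.NTAccount($ProfileOwner)).Translate($sidType).Value
$expected[$ownerSid] = $ProfileOwner

& reg.exe load "HKU\$MountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath (file in use or access denied)" }

try {
    $acl   = Get-Acl -Path "Registry::HKEY_USERS\$MountName"
    $rules = $acl.GetAccessRules($true, $true, $sidType)   # explicit + inherited ACEs, as SIDs

    foreach ($sid in $expected.Keys) {
        $hasFull = $false
        foreach ($r in $rules) {
            if ($r.IdentityReference.Value -eq $sid -and
                $r.AccessControlType -eq 'Allow' -and
                (([int]$r.RegistryRights) -band $full) -eq $full) { $hasFull = $true }
        }
        "{0,-28} {1,-46} FullControl={2}" -f $expected[$sid], $sid, $hasFull
    }

    # Every ACE for a principal outside the expected set is printed for review.
    foreach ($r in $rules) {
        if (-not $expected.ContainsKey($r.IdentityReference.Value)) {
            "other ACE: {0} {1} {2}" -f $r.IdentityReference.Value, $r.AccessControlType, $r.RegistryRights
        }
    }
}
finally {
    # Drop the references that keep the key open, otherwise the unload is refused
    # and NTUSER.DAT stays locked (the reason for step 7).
    $acl = $null; $rules = $null
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    & reg.exe unload "HKU\$MountName" | Out-Null
}
```

The script changes nothing; any correction still goes through steps 5 and 6 above.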

All replies

  • Hi.

    Have you tried to re-join the domain?? Put the computer in workgroup. Delete the computer object from Active Directory, then join it to the domain again?

    OHM
    www.moe.am

    Tuesday, November 30, 2010 11:18 AM
  • Hi,

    I did the same procedure and it worked out for one server. But another server is having the same problem. And on that server I was not able to apply step no. 5 as told in your procedure. When trying to apply the permission, I was getting a message like "unable to save permission changes. Access is denied." Please help me on this.
    Regards,
    Sereno

    Sunday, February 27, 2011 12:23 PM
  • Dear,

    My issue is solved and I have posted the result in

    http://social.microsoft.com/Forums/en-US/partnerwinserver/thread/8bf56c77-62c2-4c64-a16c-ccf29c888017

    Regards,
    Sereno

    Tuesday, March 15, 2011 6:00 AM
  • Dear,

    My issue is solved and I have posted the result in

    http://social.microsoft.com/Forums/en-US/partnerwinserver/thread/8bf56c77-62c2-4c64-a16c-ccf29c888017

    Regards,
    Sereno


    Can you post the solution here?   I am not authorized to access that area.   I have the same issue as Hahtad with domain users logging into Windows 7 workstations, but not XP.   Didn't start out that way and only affects two of the four users.   Thanks.
    Wednesday, March 30, 2011 4:43 PM
  • Dear Joe,

    Please try out the way Nina Liu, MSFT posted earlier in this thread. This solution worked out for one of my 2008 R2 servers. But I had another 2008 R2 server with the same issue, and this solution didn't solve it. It was because of wrong ownership (or insufficient registry permission) for the user's ntuser.dat file in the registry. I tried to replace the owner and give permissions to the user who was having the problem but was getting an access denied message. This I tried by loading the ntuser.dat of the troublesome user in the registry under HKEY_Users (as mentioned above in earlier comments). But I was not able to give registry permissions to the loaded ntuser.dat file in HKEY_Users. Then I decided to use the system account to give registry permissions. For this I used the Microsoft tool PSExec. I downloaded this tool and extracted it. I launched command prompt --> run as admin and changed C:\windows\system32 to the place where I extracted PSExec, and from there I loaded the following command

    psexec -i -s regedit.exe

    Here -s is used to load regedit with the System account. With this regedit loaded with the system account, I right clicked on the loaded Ntuser.dat --> permissions and gave full permissions to the user having the problem, and then the user was able to log in without any issues.

    Let me know the status also after applying the settings.

    Thank you,

    Sereno Verghese


    Thursday, March 31, 2011 9:58 AM
  • In my case, this affected a Win '08 (SP2) domain user but only when logging to Win7 x64 domain machines. - Not just one machine either, it affected at least 2 machines, one user only.

     

    Applying permissions as Nina Liu, MSFT indicated resolved the issue. 

     

    Possibly of note: This user is also an XP VM user. Not sure if that is how his permissions got chorked up or not; I didn't reverse the oddball hex-like account name that apparently took the place of his domain profile name as having full permissions to ntuser.dat...

     

    Thanks for posting this fix Nina!

    Friday, June 17, 2011 4:30 PM
  • I resolved this issue by troubleshooting the status of the "User Profile Service" on the Windows 2008 server. Normal users need to be added to Remote Desktop Users and must have user rights. Add the Remote Desktop Users group in local security policy > User rights assignment > Allow log on through terminal services. No more "Group Policy Client Service Failed the logon - Access Denied" error.
    Thursday, August 11, 2011 8:34 AM