none
The Group Policy Client service failed the logon - Access is Denied (Server 2003 domain, Vista)

    Question

  • First off, this issue concerns a 2003 domain (single DC) with Vista Business clients.  There are XP clients as well but I haven't tested if this problem occurs on them yet.  The environment only has about 100 domain users and it only affects a few of them. 

    Second, I know this is an extremely common issue so it baffles me why there isn't any real answers on this anywhere (that I've found).  It's clearly an issue in OS design for Vista and Win7 since it happens in both domain environments and on standalone PCs. 

    And yes I'm frustrated, so I apologize if any negativity seeps into my writing.  This problem has been ongoing for years and my only way around it has been to generate new accounts in the AD for affected users.  I just don't get why MS hasn't resolved this yet.   

    Having said that, i'm still willing to try anything suggested. 

    Here's what I will say I have tried so far (tried a lot of other stuff but it's spread out over a long period of months/years - so everything below was just from today): 

    - On client PC, delete local folder from c:\users that correspond to the affected user, plus delete the Temp account folder (c:users\temp), plus remove the SID entry in regedit under: (HKLM\Software\Microsoft\Windows NT\Currentversino\ProfileList) for that user.  Reboot machine, try to log in, same problem.  The deletion of c:\users\temp is so that it doesn't try to log me in with the generic profile (the one that gives you the message basically saying "couldn't load your normal profile, using a temp one intead, changes won't be kept"). 

    - On the domain controller, I've gone to GPO Edit, then to Computer Configuration > System > User Profiles and all items there are Not Configured.  So I enabled two items:

    "Wait for remote user profile" = Enabled

    "Maximum retires to unload and update user profile" = Enabled, set to 120. 

    One possible solution that I haven't tried yet is to Enable the following entry in this same GPO list:

    "Delete cached copes of roaming profiles". 

    The only reason is because right now this GPO applies to all client PC's and there are many users whose profiles are large enough that I wouldn't want them to have to wait every morning for 10 minutes while the whole profile gets sent over the network. But I'm willing to Enable this item if somebody thinks it'll be a valid testing option.  (or I might just do it anyway and see what happens, but any thoughts on the subject are welcomed)

    Also on a side note (I guess to anyone from Microsoft or an IT Professional), when did Technet get so "user friendly?"  To the right of the field I'm typing in now is a big ol' helpful Step 3 of 6 window telling me how to post.  Why, in an IT Pro forum, is this here?  :) have you ever met an IT Pro that didn't know how to post in a forum? 

    Thanks to anydoby that can offer anything, even a simple "yeah Microsoft confirmed they'll never fix this", which appears to be the case based on the duration of this problem stemming back to 2006 or so.  PS:  I"m putting this in the Windows Server/Group Policy subforum in the hopes that more domain-oriented users can reply but again I'm happy to hear from anybody with suggestions. 

    Tuesday, October 19, 2010 8:19 PM

Answers

  • Hello viProCon,

    What is the exact error message in the event viewer?

    Does this issue exist on all users or just some of them?

    If roaming profile has already existed on the server, please make sure roaming profile owner is user itself and user has full controll to access roaming profile.

    I suggest you try to install the latest service pack and hotfix on the Vista computers first, and then try the following KB:

    A temporary user profile is created every time that you log on to a Windows Vista-based computer that is connected to a domain
    http://support.microsoft.com/kb/940453

    A temporary profile is loaded after you log on to a Windows Vista-based system
    http://support.microsoft.com/kb/947242

    >The only reason is because right now this GPO applies to all client PC's and there are many users whose profiles are large enough that I wouldn't want them to have to wait every morning for 10 minutes while the whole profile gets sent over the network.

    To decrease initial logon time to a new computer, I suggest you follow the best practices for romaining user profile below:

    Best Practices for User Profiles
    http://technet.microsoft.com/en-us/library/cc784484(WS.10).aspx

    Profile and Folder Redirection In Windows Server 2003
    http://www.windowsnetworking.com/articles_tutorials/Profile-Folder-Redirection-Windows-Server-2003.html

    >Why, in an IT Pro forum, is this here?  :) have you ever met an IT Pro that didn't know how to post in a forum? 

    If everyone can follow the step 3 of 6 in Ask a question windows, we are able to save a lot of time to isolate the problem and avoid unnecessarily repetitive work.

    If the problem persists, please enable userenv log for Windows Vista and upload it to SkyDrive for further research, then let me know your upload link.

    userenvlog for Windows Vista/2008/Win7
    http://blogs.technet.com/b/mempson/archive/2010/01/10/userenvlog-for-windows-vista-2008-win7.aspx

    Brent


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ” 

    • Marked as answer by viProCon Tuesday, October 26, 2010 8:51 PM
    Monday, October 25, 2010 7:30 AM
    Moderator

All replies

  • Hello viProCon,

    What is the exact error message in the event viewer?

    Does this issue exist on all users or just some of them?

    If roaming profile has already existed on the server, please make sure roaming profile owner is user itself and user has full controll to access roaming profile.

    I suggest you try to install the latest service pack and hotfix on the Vista computers first, and then try the following KB:

    A temporary user profile is created every time that you log on to a Windows Vista-based computer that is connected to a domain
    http://support.microsoft.com/kb/940453

    A temporary profile is loaded after you log on to a Windows Vista-based system
    http://support.microsoft.com/kb/947242

    >The only reason is because right now this GPO applies to all client PC's and there are many users whose profiles are large enough that I wouldn't want them to have to wait every morning for 10 minutes while the whole profile gets sent over the network.

    To decrease initial logon time to a new computer, I suggest you follow the best practices for romaining user profile below:

    Best Practices for User Profiles
    http://technet.microsoft.com/en-us/library/cc784484(WS.10).aspx

    Profile and Folder Redirection In Windows Server 2003
    http://www.windowsnetworking.com/articles_tutorials/Profile-Folder-Redirection-Windows-Server-2003.html

    >Why, in an IT Pro forum, is this here?  :) have you ever met an IT Pro that didn't know how to post in a forum? 

    If everyone can follow the step 3 of 6 in Ask a question windows, we are able to save a lot of time to isolate the problem and avoid unnecessarily repetitive work.

    If the problem persists, please enable userenv log for Windows Vista and upload it to SkyDrive for further research, then let me know your upload link.

    userenvlog for Windows Vista/2008/Win7
    http://blogs.technet.com/b/mempson/archive/2010/01/10/userenvlog-for-windows-vista-2008-win7.aspx

    Brent


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ” 

    • Marked as answer by viProCon Tuesday, October 26, 2010 8:51 PM
    Monday, October 25, 2010 7:30 AM
    Moderator
  • Hehe thanks Brent.  Admittedly I was a bit on the frustrated side when I wrote my post, so I apologize for my mild sarcasm.  After having used the forum a bit more now I actually think it's quite good.  Also your ifnormation is excellent and I will review all of it fully.  You guys are great at providing follow-up info beyond just the minimum and that's one reason I will trust in this forum for future questions.  

    In terms of the questions you've asked me, I'll consdiered them but probably it would be best if I take the time to review all the stuff you've linked in here, as well as some stuff I've been provided from a couple of other related threads of mine and then see where I am at afterwards. 

    Thank you once again.

     

    Tuesday, October 26, 2010 8:54 PM
  • Hello Viprocon

    You're Welcome, I'm glad to hear your feedback.

    Brent


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ”
    Wednesday, October 27, 2010 3:20 AM
    Moderator