none
Windows cannot connect to Group Policy Client upon logon RRS feed

  • Question

  • 1 Computer in 2003 R2 domain is giving the "Windows cannot connect to Group Policy Client Service" error upon logon of local admin and domain admins.  Cannot get group policy to update gpupdate /force = user update failed & computer update failed.  Gpresult /r = access denied.  I have tried restarting service, disabling anti-virus, uninstalling anti-virus, sfc /scannow, checked DNS on servers, configured alternate static IP on client, still nothing.  Have not tried re-attaching to domain yet.  Other services are working that require connection to servers such as AD replication, WSUS updating, SEPM 12 updating.  Have seen similar issues on sites but most answers relate to DNS issue, I have not had any problems with any other similar clients and DNS in this domain.  Any ideas would be appreciated! 
    Friday, November 9, 2012 12:00 PM

All replies

  • Perhaps the Group Policy forum would be better platform for this problem. But before you move there, try:

    1. Test the response of nslookup when querying RR.

    2. Look into Event log for exact error message (for both, workstation and domain controller)

    3. Analyze network communication between workstation and domain controller.

    PS:

    a. How does confoguration differ from other workstations?

    b. Hope you do not have IP address of public DNS in DNS IP list.

    Rgds

    Milos

    Friday, November 9, 2012 5:34 PM
  • Sorry about post location, but did not know there was a group policy forum for Windows 7.  This seems like more of an issue with the client operating system particularly the gpsvc service.  

    Answer to your suggestions:

    1.  I did not perform nslookup.  The client and group policy server are both on site, I only pinged replication servers from the client as well as opened browser and navigated to GP host server to confirm ability to browse to Sysvol.  AD connectivity looking good, ping good.

    2.  Event logs on server show no issue regarding GP, network connectivity or DNS.  The event viewer on client shows GP service starting and unable to connect.

    3. As stated in 1.) can connect from client to server through browser, can ping server.  Can get AD updates, WSUS updates and anti-virus updates.  Reconfigured client with static IP address that has no other entry in DNS to make sure that there was no IP conflict.  Other than that workstation is set up as all other workstations are.  Public DNS in DNS IP list?  Would that not effect all workstations on network?

    Friday, November 9, 2012 7:01 PM
  • Hi,


    First, if you want to check the group policy forum, you can refer to the following link:

    http://social.technet.microsoft.com/Forums/en-US/winserverGP/threads


    In addition, here are some similar thread for your reference:


    Failed to Connect "Group Policy Client Service" Windows 7 x64

    http://social.technet.microsoft.com/Forums/en-US/w7itproui/thread/0530dd95-0979-4bb1-8edc-fa3abb48abf6


    After restarting i get a message saying that Windows could not connect to the Group policy client service

    http://social.technet.microsoft.com/Forums/en-GB/winserverGP/thread/5b44a384-5ebc-4f93-80b7-a2d44ed4018a


    Hope this helps.


    Vincent Wang

    TechNet Community Support

    • Marked as answer by Leo HuangModerator Friday, November 23, 2012 1:47 AM
    • Unmarked as answer by jmhhatch01 Monday, January 14, 2013 8:15 PM
    Tuesday, November 13, 2012 3:15 AM
    Moderator
  • None of those solutions worked or are applicable.  This is one Windows 7 machine in a in a Windows Server 2003 R2 domain having this issue.  The error even pops up when not connected to the domain through wired or wireless connection.  So there must be something on the client not allowing this service to run.  However when I try to restart the group policy service, every option to stop or re-start or stop is greyed out.  When I run GPupdate /Force the update fails.  When I run RSOP on the admin profiles for the machine I get Access Denied.  Same when I run GPResult.   
    Monday, January 14, 2013 8:20 PM
  • I FOUND SOLUTION TO THIS PROBLEM! I already posted solution in other threads. It looks like a very wide-spread issue caused by crash during reboot initiated by Windows Update.  I am re-posting here, I am pretty sure this will fix your problem.

    I had this issue on my laptop since November, and it really bugged me.  I sifted through the event log and found the pattern of events that preceded the issue, and, probably, caused it.

    In short, the pattern is as follows: Windows updates run automatically as scheduled, and when reboot is initiated after the updates are finished, the computer crashes (probably during reboot sequence).  When it boots up, it reports that the last shutdown was unexpected, and the issue begins to occur.

    I spent 2 days trying to dig out a solution from the Internet, to no avail, until I came across this page.  It doesn't say anything about this particular problem, but it gives more information about SVCHOST process that starts many services, including Group Policy Client.  It looks like during reboot a vital registry settings were lost during crash and Group Policy Client "doesn't know" how to start.  Let me explain:

    There are two places to look in the registry:

    1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services this path should contain gpsvc key (a folder), which is responsible for service parameters and configuration.  I found that the key was intact, so, you do not touch anything here - just check that the key exists.
    2. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SVCHOST This is the most important path you should look into, as it must contain the keys and values referred in the key #1.  Below are descriptions what must be present there.
    • There must be Multi-String value called GPSvcGroup. My laptop was missing it.  So, you should create multi-string value named GPSvcGroup and assign it value GPSvc.
    • Next, you must create a key (a folder) and name it GPSvcGroup - this key normally should be there, but, again, it was missin on my laptop.
    • Then open newly-created GPSvcGroup folder and create 2 DWORD values:
    1. First called AuthenticationCapabilities and you must give it a value of 0x00003020 (or 12320 in decimal)
    2. Second is called CoInitializeSecurityParam and it must have value of 1.

    Once you complete all steps above, reboot the computer and the problem will be fixed.

    Here is the link to the video walkthrough if you have any troubles understanding what has to be done: http://youtu.be/4m5KEmckWK4

    I am so relieved I was able to fix it, and hope this will help others with the similar issue.

    • Proposed as answer by SQL-ER Saturday, February 16, 2013 6:07 AM
    • Edited by SQL-ER Sunday, February 17, 2013 8:49 AM
    Saturday, February 16, 2013 6:07 AM
  • SQL-ER: Can't express how grateful I am :)

    Thank you so much!

    I spend a couple of weeks fighting this issue, which actually resulted into a not-working firewall, which blocked all incoming connections and significantly longer bootup.

    Kudos!

    Monday, March 4, 2013 11:04 AM
  • Hi,

    perfect solution for my issue. Thanks for sharing your knowledge.

    Markus

    Thursday, May 23, 2013 9:17 PM
  • Thanks :) 

    Great vid :DD 

    Saturday, July 6, 2013 8:26 AM
  • Thanks! this solution worked like a charm for me!
    Tuesday, October 8, 2013 7:52 PM
  • How can I fix it if I can't login at all?? no other profiles.
    Monday, January 19, 2015 9:12 PM
  • Thanking you so much. Worked for me :-)
    Wednesday, January 21, 2015 11:05 PM
  • THANKS! Works in Windows 10. Had this issue crop up after an update. Also had it in 8.1 and used the same fix.
    Friday, September 11, 2015 1:19 AM