The group policy service failed the logon - Domain Admin unable to Login

  • Question

  • Hi guys,

    I'm having a bit of a problem with some servers on our domain; they are all Windows Server 2008 R2. As of this morning, when I attempt to log in to any of the servers as a domain admin I get the following error message.

    the group policy service failed the logon

    Access Denied.

    I'm not aware of any changes on our network over the weekend, partly because it would have been me making them, so I can discount a faulty update / config from someone else. So far I'm unable to log in to the majority of our Windows 2008 R2 servers, but interestingly I can still log in to the Active Directory Domain Controller, which is Windows 2008 R2, and all of my Server 2003 systems.

    Can anyone offer any help on what this problem might be and how to fix it? I have seen a lot of posts on the MS Forums about Windows Vista and 7 getting this, and it involves re-creating a profile, but I'm loath to do that on all of our servers right now as it doesn't seem to be profile specific (as some servers are happy to log me in, others won't).

    Kris

    Monday, March 19, 2012 8:51 AM

All replies

  • Can you log in with any other domain ID or local ID, apart from the domain admin which you were using earlier, on the problem server?

    http://blog.ronnypot.nl/?p=183

    http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/9bc23129-568a-4c7d-9f94-419307a0d544/

    Are the servers pointing only to the local DNS server, and is the time in sync with the DC? Also, can you post the relevant error event ID with details?


    Awinish Vishwakarma - MVP-DS

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Monday, March 19, 2012 9:05 AM
    Moderator
  • Hi, all of our servers use an internal DNS server that is set up on our main domain controller. I don't have another admin account I can log in with to see if they work or to check the time on the servers.

    I have however managed to get the event log messages from a server that will not log me in. I have also renamed the user's profile folder from c:\users\ and tried to log back in.

    The winlogon notification subscriber <GPClient> failed a critical notification event. Event ID : 6004

    Windows cannot load classes registry file. DETAIL - The system cannot find the file specified. Event ID : 1542

    Monday, March 19, 2012 9:39 AM
  • Can you log in with the local ID and just perform a dis-join and rejoin for one of the servers, and let's see how it proceeds from there? How were these machines prepared? I mean, did you use any cloning tool or imaging software?

    http://support.microsoft.com/kb/979495


    Awinish Vishwakarma - MVP-DS


    Monday, March 19, 2012 9:59 AM
    Moderator
  • I'm not able to do the dis-join and re-join work right now as the server is a production terminal server and this would generate problems for my users. I can however attempt to do this later on tonight, around 7pm GMT, and report back on the results.

    The machines were cloned in VMware from a single server that was configured to do the work, and then started up individually and configured to ensure there were no conflicts with any of the others, and they have been running like this seamlessly for over a month.

    Monday, March 19, 2012 10:18 AM
  • Also, try to deploy the hotfix referred to in the earlier post. If the machines are cloned, did you use the built-in sysprep utility to assign a new unique SID to each machine? I guess the problem is due to a SID conflict.

    http://technet.microsoft.com/en-us/library/cc783215%28v=ws.10%29.aspx


    Awinish Vishwakarma - MVP-DS


    Monday, March 19, 2012 10:25 AM
    Moderator
  • Hi, I'm fairly sure sysprep was run on each of the servers as they were cloned and brought into service, but I cannot be sure as a third-party support company did the work for us. One of their engineers is due on site shortly to investigate a separate hardware issue we are experiencing, so when he arrives I can speak with him and confirm if this was the case. I'm also hoping he will be able to investigate and resolve this problem for us.

    Either way, when I have spoken to the engineer I will update this post to confirm what has happened and if it's been resolved.

    Kris

    Monday, March 19, 2012 10:50 AM
  • Just to confirm from our engineers that Sysprep was run on the servers after they were cloned to ensure each server had a new SID assigned to it.

    Kris

    Monday, March 19, 2012 4:02 PM
  • Hi,


    I'd like to confirm there is no Symantec product installed.


    For details:


    Release notes for Symantec AntiVirus 10.2 Client for Vista and Windows Server 2008
    http://www.symantec.com/business/support/index?page=content&id=TECH102297&locale=en_US


    Please try to perform the following steps to test:


    => Open the registry on the server (make sure you are logged in as administrator)

    => Highlight HKEY_USERS

    => Click on File menu -> Load Hive, browse to the location of the failing roaming profile and open the ntuser.dat file, click Open

    => This will open the registry editor and will load the ntuser.dat.

    => Under Key Name, enter any name you like, but remember what you have entered, e.g. "Test Hive"

    => Expand HKEY_USERS; you should see a new registry hive called "Test Hive" or any name you entered earlier

    => Right click on that "Test Hive" hive and choose Permissions

    => Confirm that the following users have permissions:

                - Administrators: Full Control
                - SYSTEM: Full Control
                - User (or group) that owns this profile: Full Control (We would need to add the users which are using the Grade 6 profile)

    => If permissions were wrong, correct them, then click on the Advanced tab

    => On the Advanced tab, enable "Replace permission entries on all child objects with entries shown here that apply to child objects" and click Apply

    => Highlight the "Test Hive" registry hive, then click on File -> Unload Hive to release the handle on the NTUSER.DAT file.


    For details:


    Managing Roaming User Data Deployment Guide
    http://technet2.microsoft.com/WindowsVista/f/?en/library/fb3681b2-da39-4944-93ad-dd3b6e8ca4dc1033.mspx


    This is an old article, but it gives you an idea of how to change permissions in NTUSER.DAT files:
    Modifying Ntuser.dat Hive So New Users Get Defined Settings
    http://support.microsoft.com/kb/146050/en-us


    Registry Hives
    http://msdn2.microsoft.com/en-us/library/ms724877.aspx

     

    Hope this helps!


    Best Regards
    Elytis Cheng


    TechNet Community Support


    Tuesday, March 20, 2012 5:08 AM
    Moderator
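
The permission check from the registry steps in the reply above, done read-only from an elevated PowerShell prompt. This is an added example, not part of the original reply: the function name and its parameters are hypothetical, the `TestHive` mount name mirrors the reply, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: audit the ACL of an offline NTUSER.DAT without changing it.
# -HivePath and -ProfileOwner are placeholders supplied by the caller.
function Test-ProfileHiveAcl {
    param(
        [Parameter(Mandatory = $true)] [string] $HivePath,      # full path to the profile's ntuser.dat
        [Parameter(Mandatory = $true)] [string] $ProfileOwner   # DOMAIN\user that owns the profile
    )
    $mount = 'TestHive'
    $full  = [System.Security.AccessControl.RegistryRights]::FullControl

    # Same as File -> Load Hive under HKEY_USERS in regedit.
    & reg.exe load "HKU\$mount" $HivePath | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "reg load failed for '$HivePath' (needs elevation; the file must not be in use)"
    }
    try {
        $acl = Get-Acl -Path "Registry::HKEY_USERS\$mount"
        foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', $ProfileOwner) {
            # An orphaned ACE shows up as a raw SID and will not match any name here.
            $match = $acl.Access | Where-Object {
                $_.IdentityReference.Value -eq $id -and
                $_.AccessControlType -eq 'Allow' -and
                ($_.RegistryRights -band $full) -eq $full
            }
            [pscustomobject]@{ Identity = $id; FullControl = [bool]$match }
        }
    }
    finally {
        # Drop .NET handles to the key first, otherwise the unload is refused.
        $acl = $null
        [gc]::Collect()
        [gc]::WaitForPendingFinalizers()
        & reg.exe unload "HKU\$mount" | Out-Null
    }
}
```

A row with `FullControl = False` points at the identity whose entry needs correcting in the Permissions dialog described in the reply.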
  • Just to confirm that this problem has now been resolved.

    The actual problem was to do with the administrator having a roaming profile due to a misconfigured group policy. The roaming profile that was stored on the servers was corrupted. By removing this profile from the server and then removing the roaming profile from the file server, logging back into the server resolved the issue.

    To clarify, I tried what was suggested by Elytis Cheng and this had no impact on the problem.

    • Marked as answer by Kristiaan_d Friday, March 30, 2012 8:04 AM
    Friday, March 30, 2012 8:04 AM
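
One way to spot the condition described in the accepted answer, an administrative account that has unexpectedly picked up a roaming profile, is to inventory the `ProfileList` registry key on each affected server. This is an added example, not from the thread; the function name is hypothetical and PowerShell 3.0 or later is assumed.

```powershell
# Added example: list local profiles and flag roaming ones and .bak leftovers.
# Reads HKLM only; nothing is modified.
function Get-LocalProfileInventory {
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    Get-ChildItem -Path $root | ForEach-Object {
        $keyName = $_.PSChildName                      # SID, possibly with a .bak suffix
        $sidText = $keyName -replace '\.bak$', ''
        $props   = Get-ItemProperty -Path $_.PSPath

        # Resolve the SID to DOMAIN\user; SIDs that no longer resolve stay marked.
        $account = try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier $sidText
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { '<unresolved>' }

        $local = $props.ProfileImagePath
        [pscustomobject]@{
            Account         = $account
            Sid             = $sidText
            LocalPath       = $local
            CentralProfile  = $props.CentralProfile    # empty for local-only profiles
            IsRoaming       = -not [string]::IsNullOrEmpty($props.CentralProfile)
            IsBackupKey     = $keyName -like '*.bak'
            LocalPathExists = [bool]($local -and (Test-Path -LiteralPath $local))
        }
    }
}

# Show only the entries worth a second look.
Get-LocalProfileInventory |
    Where-Object { $_.IsRoaming -or $_.IsBackupKey -or -not $_.LocalPathExists } |
    Format-Table Account, IsRoaming, CentralProfile, IsBackupKey, LocalPathExists -AutoSize
```

An administrator account listed with `IsRoaming = True` is the situation the answer describes; a `False` in `LocalPathExists` matches the renamed profile folder mentioned earlier in the thread.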