none
The Group Policy Client service failed the logon. Access is denied. RRS feed

  • Question

  • Our campus has roaming profiles enabled. Server1 contains the users profile. Server2 contains the users user folder. 

    We have one user that is unable to login to some PCs in different parts of the networks. When she logs in she gets "The group policy client service failed the logon. Access is denied" then the PC says Logging Off. 

    She is able to login into other PCs with no problem. 

    Ive researched the issue and located a couple of posts that refer to this issue. However, the fixes that I see are registry edits. I would try those but dont want to have to do that for 100 computers for 1 user. 

    A little more environment info: Windows 2003/2008 DCs and Windows 7 clients. 

    Any thoughts? Thanks in advance. 

    Monday, October 10, 2011 5:45 PM

Answers

  • Hi,

    You need to modify the NTUSER.DAT registry hive via regedit.exe. Please follow the steps below.

    - open registry editor on the machine which stores the users profile (make sure you are logged in as administrator)
    - highlight HKEY_USERS
    - File -> Load Hive, browse to the location of failing roaming profile and open NTUSER.DAT file, click open
    - Under Key Name, enter any name you like, but remember what you have entered, eg.: enter "Vista"
    - Expand, HKEY_USERS, you should see new registry hive called "Vista" or any name you entered earlier
    - Right click on that "Vista" hive and choose permissions
    - Confirm that the following users have permissions:
    - Administrators: Full Control
    - SYSTEM: Full Control
    - User (or group) that owns this profile: Full Control
    - if permissions were wrong, correct them, then click on Advanced tab
    - on Advanced tab and enable "Replace permission entries on all child objects with entries shown here that apply to child objects" and click Apply
    - highlight "Vista" registy hive, then click on File -> Unload Hive to release handle on NTUSER.DAT file.

    http://support.microsoft.com/kb/146050/en-us

    If she still receive this kind of message, I suggest you to delete her profile and re-create one for a test. Her profile may be already corrupted.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ”
    Wednesday, October 12, 2011 7:56 AM
    Moderator

All replies

  • Hi,

    You need to modify the NTUSER.DAT registry hive via regedit.exe. Please follow the steps below.

    - open registry editor on the machine which stores the users profile (make sure you are logged in as administrator)
    - highlight HKEY_USERS
    - File -> Load Hive, browse to the location of failing roaming profile and open NTUSER.DAT file, click open
    - Under Key Name, enter any name you like, but remember what you have entered, eg.: enter "Vista"
    - Expand, HKEY_USERS, you should see new registry hive called "Vista" or any name you entered earlier
    - Right click on that "Vista" hive and choose permissions
    - Confirm that the following users have permissions:
    - Administrators: Full Control
    - SYSTEM: Full Control
    - User (or group) that owns this profile: Full Control
    - if permissions were wrong, correct them, then click on Advanced tab
    - on Advanced tab and enable "Replace permission entries on all child objects with entries shown here that apply to child objects" and click Apply
    - highlight "Vista" registy hive, then click on File -> Unload Hive to release handle on NTUSER.DAT file.

    http://support.microsoft.com/kb/146050/en-us

    If she still receive this kind of message, I suggest you to delete her profile and re-create one for a test. Her profile may be already corrupted.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ”
    Wednesday, October 12, 2011 7:56 AM
    Moderator
  • Thank you for the response sorry took so long to get back on this. I didnt see this post before, since we just gave the user a new username. However, I did locate a different solution that worked for me. 

    I logged in as an Administrator. 

    When to system properties > clicked User Profiles >  clicked the Default user account > clicked Copy To > Selected the Users profile and then gave them permission to it.

    Thursday, August 9, 2012 11:14 PM
  • Hi,

    Except domain admin for all domain users while logging in error message "The Group Policy client service failed the logon. access is denied" appearing.

    We have followed the solution from Juke Chou article.

    Now after input of UN & Password again it is going to ctrl+alt+del screen

    issue not resolved but planning to recreate profile

    Saturday, January 25, 2014 6:59 AM