gpsvc service failed the sign-in - Windows 10 Roaming profiles

  • Question

  • We have a huge problem with Windows 10 and roaming profiles.

    We do not use any GPOs for roaming profiles; we only use Active Directory with a user profile path to map the share.

    We used Windows 7 with no issues; now we are moving to Windows 10.

    Once a user logs into Windows 10, their .v6 profile is created (they still have the .v2 for Win 7) and it seems to work great.

    However, once they have a .v6 profile, they are unable to log onto any other Windows 10 boxes, which results in "The gpsvc service failed the sign-in. Access is denied."

    If I grant them local admin, they do log in; it takes forever, but then loads to a black screen, with non-stop explorer.exe crashes.

    With the black screen, UNC'ing into the PC, the shell of the user profile is there, but no files, info, etc.


    • Edited by Rderenzy Thursday, August 31, 2017 6:17 PM
    Thursday, August 31, 2017 5:16 PM

Answers

  • It's done - finally - it was CyberArk

    Thank you to all who assisted with a response - here is my step by step

    I think I've ruled out GPO and custom image:

    Initial log in and built account/.v6 on H1673 (accounting OU, custom image)

    Logged onto H2956 (claims OU - custom image) - worked great, edited profile

    Logged onto 'profile test pc' (default OU/dvd image) worked great, edited profile

    Logged into H2956 (claims OU -custom image) worked great

    Logged into H1673 (accounting OU - worked great)

    This should rule out our image, and the GPOs

     

    What is common on the above PCs? They are base installs, windows and office only.

    *encryption is not the issue, half have, half do not

     

    After the above steps:

    On problem PC (can always get the error) - H1632 (normal build, all apps) (default OU / custom image) - I removed all apps (includes Sophos and hidden CyberArk app - did not remove DT and VNC) and I WAS ABLE TO LOG IN (first time ever with a roaming profile) - I added 3 new items to the desktop and logged out.  Logged back in (no error)

     

    Removed test profile from H2956, logged in with test account - worked great.  Added file to desktop.

    Logged back onto H1632, no error, got all my desktop items

     

    Logged into H1632 with admin account, removed testroaming profile

    Logged back into H1632 (with no local profile), it built my profile and pulled down my profile (this is a first)

     

    *Yesterday I removed all apps but Sophos and CyberArk and it let me log in. I started putting apps back to find the issue, so I installed LogMeIn, PDF Creator, Air Media and View.  After these were installed, I got the error and could not log in.  Thought it was one of those.  Removed those 4 again, and I still could not log in.  Not sure if it was a fluke that got me logged in - can't figure out that riddle - to further test this, today i……

     

    (with Sophos and CyberArk removed)

    Back on H1632 - Logged into my admin account, installed two apps via command line - View client and air media - rebooted

    Logged in with roaming profile - no issues

    Logged into my admin account, installed pdf creator and LogMeIn

    Logged in w/ my roaming profile - no issues

    Logged in with my admin to remove my local roaming profile

    Logged in with my roaming profile - worked great, no issues, pulled down files

     

    Installed CyberArk on H2956

    Logged in w/ roaming profile, logged in - loaded - no error

    Logged into H1632 w/ roaming - no issues

    Deleted my roaming user account from H2956

    Logged in w/ roaming profile - FAIL

     

    We have never seen this issue on Windows 7

    Got two Windows 7 test machines. Installed CyberArk on both machines.

    Logged into one with test roaming profile, logged out, logged onto the other machine - error, same result as Windows 10

     

    It seems to be that once you log off (syncing your roaming profile) with CyberArk installed, it will no longer allow logon to a new PC and corrupts your profile.  Any contradictions should be disproved above.


    • Edited by Rderenzy Wednesday, September 6, 2017 5:51 PM
    • Marked as answer by Rderenzy Wednesday, September 6, 2017 6:54 PM
    Wednesday, September 6, 2017 5:50 PM

All replies

  • Hello,

    See if this registry manipulation helps you:

    https://www.kapilarya.com/windows-couldnt-connect-to-the-group-policy-client-service-windows-10

    Keep us posted, Good luck!

    Microsoft MVP (Windows and Devices for IT)

    Windows Insider MVP

    Windows Help & Support [www.kapilarya.com]

    Friday, September 1, 2017 5:44 AM
  • Hi,

    What's the meaning of " we only use ActiveDirectory with a user profile path to map the share"?

    First of all, after upgrading to Windows 10, please remember to update the Windows 10 ADMX files on the domain.

    And then check the permissions of the gpsvc registry key as described in the following guide:

    Fix: The Group Policy Client Service Failed the Logon

    https://appuals.com/fix-group-policy-client-service-failed-logon/

    Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, September 1, 2017 6:51 AM
  • Thank you both, I will check these links and sites.

    To answer your questions - we do have Win 10 ADMX and we GPO a lot of Win10 customizations.  What I meant to say is we do not have any GPOs that cover roaming profiles; the only roaming profile configuration we have is through AD, just mapped the profilepath to the user account (no other customizations or settings via GPO related to roaming)

    Hoping to dig into these sites soon! Thank you all


    • Edited by Rderenzy Friday, September 1, 2017 4:05 PM
    Friday, September 1, 2017 1:58 PM
  • Hello,

    See if this registry manipulation helps you:

    https://www.kapilarya.com/windows-couldnt-connect-to-the-group-policy-client-service-windows-10

    Keep us posted, Good luck!


    This did not fix my issue; all of my PCs have this reg key set to 2. Thank you for helping
    Friday, September 1, 2017 2:59 PM
  • While going through guides, I have noticed that I do not have a gpsvc key under host - it's replaced with netsvcs

    which is called from the image path, gpsvc key - %systemroot%\system32\svchost.exe -k netsvcs

    Everything I read says it should be %systemroot%\system32\svchost.exe -k gpSVCgroup

    Our Windows 7 has it set that way, but! a base Win10 DVD install sets it to netsvcs - BUT contradicting, every article I'm seeing shows it set as gpsvcgroup :(


    However, GPO works great and I remind that the error only prompts when a user has a .v6 folder to load
    • Edited by Rderenzy Friday, September 1, 2017 5:02 PM
    Friday, September 1, 2017 4:08 PM
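
A read-only check for the netsvcs-versus-GPSvcGroup question in the post above, as an added example that is not part of the original thread: it reads the gpsvc ImagePath, extracts the svchost group named after -k, confirms gpsvc is listed in that group under the Svchost key, and prints the ACL on the service key. The function name Get-SvchostGroup is hypothetical; it assumes an elevated PowerShell prompt on the affected PC.

```powershell
# Added diagnostic example (not from the thread). Read-only: it changes nothing.
$svcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\gpsvc'
$hostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'

function Get-SvchostGroup {
    # Hypothetical helper: pulls the group name out of an ImagePath such as
    #   %systemroot%\system32\svchost.exe -k netsvcs -p
    param([string]$ImagePath)
    if ($ImagePath -match 'svchost\.exe"?\s+-k\s+(\S+)') { return $Matches[1] }
    return $null
}

$imagePath = (Get-ItemProperty -Path $svcKey -Name ImagePath -ErrorAction Stop).ImagePath
$group     = Get-SvchostGroup -ImagePath $imagePath
if (-not $group) {
    throw "gpsvc ImagePath does not launch 'svchost.exe -k <group>': $imagePath"
}

# Each value under the Svchost key is a multi-string list of the services
# hosted in that group. The name after -k must exist there and include gpsvc,
# whichever group name this Windows build uses.
$members = (Get-ItemProperty -Path $hostKey -Name $group -ErrorAction SilentlyContinue).$group
$listed  = @($members) -contains 'gpsvc'   # -contains is case-insensitive

# The ACL on the service key is what the "check the permission of the gpsvc
# registry" guides ask you to inspect; compare it with a known-good PC.
$acl = Get-Acl -Path $svcKey

[pscustomobject]@{
    ImagePath     = $imagePath
    SvchostGroup  = $group
    ListedInGroup = $listed
    KeyOwner      = $acl.Owner
} | Format-List

$acl.Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType |
    Format-Table -AutoSize

if (-not $listed) {
    Write-Warning "gpsvc is not listed in Svchost group '$group'; ImagePath and group membership disagree."
}
```

Running it on a working PC and on a failing PC and comparing the two outputs shows whether the service registration differs at all between them.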
  • Hi Rderenzy,

    This error might also be caused by missing permissions on that user profile.

    Please turn off all of your antivirus software for the test.

    Then log in, locate the roaming user profile on the server share, and check the permissions.

    If all is fine, let's trace the user profile log for analysis:

    1. Execute the following command:

    logman -start profiletrace -p {eb7428f5-ab1f-4322-a4cc-1f1a9b2c5e98} 255 3 -ets

    2. Reproduce the "error" or whatever you want (user logon, etc.: slow, failed, failed unload, etc.)

    3. Stop the log:

    logman -stop profiletrace -ets

    Note: profiletrace.etl will be located in the directory where logman -start was run.

    Then upload the log file to OneDrive and share the link here.



    Tuesday, September 5, 2017 10:30 AM
  • hello, thank you Karen, i'm excited to try this

    Here are the log files; I've combed through them and none say fail or failed

    https://1drv.ms/f/s!AnhKQ98Gw5CMfbzu6ENKr5xNOJU

    I'm hoping this leads to the issue because I'm at a loss now :(

    More info here - it seems to make a difference where the .v6 file is created from. If it's created from a typical domain PC, another domain PC gets the error - however if it's a clean PC w/ no applications, it works (kinda).  Furthermore, if I use a clean PC and then log onto a PC w/ a ton of apps, it crashes.  I removed all apps and I got it to work.  Put a few apps back and it failed, so I removed the apps again but it still fails - so it's all over the place.

    I have two PCs here with only Office installed and the two PCs roam my profile great!

    But as soon as I get that "can't log in error" it breaks everything and I can no longer log in anywhere

    I do notice on the PCs that seem to work, the default user folder is only like 1.5 mb, where the normal network PC is 10mb.  We do strip out Windows 10 apps from the base image

    Hoping the logs turn out, just wanted to add that piece.

    **update

    I think I've ruled out GPO and custom image:

    Initial log in and built account/.v6 on H1673 (accounting OU, custom image)

    Logged onto H2956 (claims OU - custom image) - worked great, edited profile

    Logged onto 'profile test pc' (default OU/dvd image) worked great, edited profile

    Logged into H2956 (claims OU -custom image) worked great

    Logged into H1673 (accounting OU - worked great)

    This should rule out our image, and the GPOs

     

    What is common on the above PCs? They are base installs, windows and office only.



    • Edited by Rderenzy Wednesday, September 6, 2017 2:36 PM
    Tuesday, September 5, 2017 1:25 PM
  • I'm very confident it's CyberArk, our EPM system, that is causing this issue; I will have more later today

    Wednesday, September 6, 2017 4:45 PM