The Group policy client service failed to logon – access denied
This blog will show you, at least one solution, to the error that you might encounter when logging on to a Windows desktop. Setting up environments often also brings back errors on a regular basis, some errors are just daft human mistakes – mine and some you just know you’d seen it before but can’t remember what it was.
This error was one of both. I was building a new environment yesterday, this time for 2000 laptop users. I had created a mandatory profile and was testing that when I ran into the group policy logon error.
The error I got was The group Policy Client service failed the logon. Access is denied.
What is the error saying?
The error as I read it is saying that something related to the group policy is preventing me from logging on.
I need to explain our set up a bit otherwise you will be lost soon.
- We had our laptops connected to the network but didn’t get most of the policy.
- We created a separate OU without policies. The only policy we got was the drive encryption one, that was mandatory.
- In that non-policy environment we setup RES Workspace Manager to manage the User Environment.
- With that inevitably comes a user profile, at this moment they used roaming profiles… bah.
- We decided to use mandatory profiles for the users for UEM will take care of the settings in that profile. We don’t need to save anything in the profile.
- I created a profile, the same way I always do, and loaded it up to RES to get it distributed to the laptops.
If you need a good step-by-step guide to creating a profile, read this blog ; http://www.robinhobo.com/how-to-create-a-mandatory-profile-with-folder-redirections/
So we had the mandatory profile running, distributed and ready to go and somehow we got the error.
Remember I said we worked in a clean environment, no policies got to us before we created one to point to the mandatory profile.
So that got me thinking, the only thing we changed in the environment is that one group policy to assign the mandatory profile. If the group policy client service is having issue surely that’s where to look.
P.s. I didn’t have time yesterday to create screenshots so I’using one from Robin’s blog.
I loaded the NTUSER.MAN file and checked out the permissions.
I forgot to set the permissions, the users had absolutely no permissions to use the profile. No wonder I got the error.
Fixing the error like Robin’s blog says fixed the reason for this issue…. hibernation fixed, profile fixed… bring on the next challenge.
It’s just a small thing to fix but when you are working in a more complex environment you might not instantly see the reason for this error. We had only one change here but in a production environment several changes might blur your view.
Creating profiles is not a difficult task but needs to be done precisely to avoid issues like this. Hope this blog will help someone some day.