Windows 2008 Terminal Server Mandatory profile error

Posted on 2009-04-25
Last Modified: 2013-11-21
I have implemented the mandatory profiles in W2K8 TS using , the following group policies .
Computer config > Admin template > Windows Components > terminal Services > terminal Server > profiles
" Set Path for TS roaming User profile  & Use mandatory profile on the terminal Server "
If I login using an Administrator account everyting works fine . ( Profile loads from the defined path & get removed when logoff)
But if I login using a normal user account , it through the following error ,
"group policy client service failed to login access is denied" and logoff from the system

The following events are logged in App event ,
Log Name:      Application
Source:        Microsoft-Windows-Winlogon
Date:          26/04/2009 3:39:46 PM
Event ID:      6004
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
The winlogon notification subscriber <GPClient> failed a critical notification event.
Log Name:      Application
Source:        Microsoft-Windows-Winlogon
Date:          26/04/2009 3:39:50 PM
Event ID:      6001
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
The winlogon notification subscriber <Sens> failed a notification event.

Need help !!
Question by:thecavalry
    LVL 1

    Accepted Solution

    I have had a similar problem and I believe I have a solution.  Windows 2008 is cranky if you don't create the mandatory profile based on a local profile using the System Properties>User Profiles>Copy procedure.

    I will spare you the details of what I did wrong (using Explorer to copy a local profile, rename NTUSER.DAT to NTUSER.MAN, set folder permissions, etc.).  Using this approach, I would consistently get the Group policy client service failed to login. Access denied for every user login attempt except the one whose profile I used as the basis for creating the mandatory profile.

    Follow these steps to create a mandatory profile on Windows 2008 Terminal Server:

    1.  Create a test account (e.g. TestUser) that has permissions to login to the TS.  Do not set a path for a TS profile (e.g. \\TermSrvr01\TSProfiles\Mandatory\Inspection)
    2.   Log in to the TS as TestUser.  This will create a local profile under C:\Users\TestUser
    3.   Modify the desktop icons, background, etc. like you want for the mandatory profile.  Log out.
    4.   Log in to the TS as Administrator
    5.   Open System Properties (Windows + Break keys);
    6.   Click on the Advanced System Settings link. Click on the Advanced tab.
    7.   Under User Profiles, click the Settings button.
    8.   From the profile list, highlight the local profile for TestUser.  Click the CopyTo button.
    9.   Under Copy Profile to, type the path to a non-existent folder that will contain the mandatory profile.  You must append .V2 to the folder name.  In my example:  \\TermSrvr01\TSProfiles\Mandatory\Inspection.V2
    10. Under Permitted to use, click the Change button.
    11. Click "Objects Types" button and check the Group checkbox.
    12. Under Enter the object name, enter a security group that TestUser is a member. Click OK.
    13. Click OK to start the copy (the folder with .V2 extension will be created).
    14. Browse to the mandatory profile folder; rename NTUSER.DAT to NTUSER.MAN.
    15. Done.
    16. Important note!  When assigning the TS profile path to user accounts DO NOT include the .V2 extension on the folder path.  In my example: \\TermSrvr01\TSProfiles\Mandatory\Inspection


    Expert Comment

    You ripper!  This worked.  I've been struggling this issue for months.  2008 does get cranky very easy!

    Featured Post

    How does your email signature look on mobiles?

    Do your employees use mobile devices to reply to emails? With mobile becoming increasingly important to the business world, it is in your best interest to make sure that your email signature looks great across all types of devices.

    Join & Write a Comment

    Remote Desktop Protocol or RDP has become an essential tool in many offices. This article will show you how to set up an external IP to point directly to an RDP session. There are many reasons why this is beneficial but perhaps the top reason is con…
    On a regular basis I get questions about slow RDP performance, RDP connection problems, strange errors and even BSOD, remote computers freezing or restarting after initiation of a remote session. In a lot of this cases the quick solutions made b…
    This video is in connection to the article "The case of a missing mobile phone (". It will help one to understand clearly the steps to track a lost android phone.
    Internet Business Fax to Email Made Easy - With eFax Corporate (, you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…

    732 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    17 Experts available now in Live!

    Get 1:1 Help Now