Windows 7 on 2003 Server Domain - "The Group Policy Client service failed the logon. Access is denied"

JakeCourtney
I've got a Windows 2003 server as the domain and I've got a network of about 60 Vista stations.  We're getting ready to roll out Windows 7 stations soon.  

As a test I took a newly formatted Windows 7 station and added it to the domain.  It took the domain without error, but if I try to use a domain profile to login with it fails out with, "The Group Policy Client service failed the logon. Access is denied"

I've tried this with multiple profiles and it does the same thing.  However, I can login just fine using the domain administrator account.

Using that account I was able to install the new group policy AD on that local machine that let me get in and edit the group policy.

So I'm now stuck on how to get these profiles to login correctly without receiving that error message.  I think if I remember right I had this same error message a long time ago when I was first doing this with Vista.

I've tried just deleting the user profile and that doesn't work, so it has to be the group policy.

I've got a global group policy that applies itself to "Authenticated Users" and then another one that applies to a User GPO.

What steps should I be taking here?  Is there something I need to install on 2003 server to get this to work?  I could probably copy and paste the current group policy settings if that would help.

Have you checked the Event Viewer on the test machine? It should be reporting an error...

Author

Commented:
Just looked.

User Profile Service - Windows cannot load classes registry file. DETAIL - The system cannot find the file specified.

Winlogon - The winlogon notification subscriber <GPClient> failed a critical notification event.



A logon was attempted using explicit credentials.

Subject:
      Security ID:            SYSTEM
      Account Name:            1ACCTIVITIES7$
      Account Domain:            GSHQ
      Logon ID:            0x3e7
      Logon GUID:            {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
      Account Name:            jake_test
      Account Domain:            GSHQ
      Logon GUID:            {0f6d7e49-6855-40fc-3d4a-96d59fd979fd}

Target Server:
      Target Server Name:      localhost
      Additional Information:      localhost

Process Information:
      Process ID:            0x13a8
      Process Name:            C:\Windows\System32\winlogon.exe

Network Information:
      Network Address:      127.0.0.1
      Port:                  0

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials.  This most commonly occurs in batch-type configurations such as scheduled

An account was successfully logged on.

Subject:
      Security ID:            SYSTEM
      Account Name:            1ACCTIVITIES7$
      Account Domain:            GSHQ
      Logon ID:            0x3e7

Logon Type:                  2

New Logon:
      Security ID:            GSHQ\jake_test
      Account Name:            jake_test
      Account Domain:            GSHQ
      Logon ID:            0xf0cc51
      Logon GUID:            {0f6d7e49-6855-40fc-3d4a-96d59fd979fd}

Process Information:
      Process ID:            0x13a8
      Process Name:            C:\Windows\System32\winlogon.exe

Network Information:
      Workstation Name:      1ACCTIVITIES7
      Source Network Address:      127.0.0.1
      Source Port:            0

Detailed Authentication Information:
      Logon Process:            User32
      Authentication Package:      Negotiate
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
      - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
      - Transited services indicate which intermediate services have participated in this logon request.
      - Package name indicates which sub-protocol was used among the NTLM protocols.
      - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.


These are a few events from the Local machine right after attempting to sign in with a profile.
Why don't you try putting this computer in an OU with no group policy settings, then running gpupdate /force and restarting. Then test with both a normal AD account and a domain admin account and see what the results are.

Author

Commented:
I've created an OU for just the Windows 7 workstations, but there is a main domain policy that is getting passed to all Authenticated Users.  

I'm not sure how I can make it filter out and not apply to the Windows 7 OU.

Author

Commented:
Are there any updates or hot fixes for the Windows 2003 server that I should be looking for?  I have Windows Server 2003 SP2, but not the new RC version.
You can block inheritance on the OU with the Win7 workstation by right clicking and choosing block inheritance. I would suggest you do this as a test, then we go from there.

Author

Commented:
I installed every update I could find for the 2003 Server and I've got it working with the majority of the profiles.
Commented:
Question PAQ'd, 500 points refunded, and stored in the solution database.
Jeremy Tyre, System Project Analyst

Commented:
In safe mode remove all profiles under the advanced user profile properties then try logging in as the user.  If it logs in as a temp profile, then go back to safe mode and open regedit.  Remove all .bak profiles listed under "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList".  

Try this and let me know if it works for you.
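
A read-only way to see what the registry step above would touch before anything is deleted, as an added example that is not part of the original thread: it lists every key under ProfileList, marks the `.bak` entries, resolves each SID to an account and checks whether the profile folder still exists. The column names are chosen here for illustration; `ProfileImagePath` and `State` are the standard values stored under each profile key.

```powershell
# Added example: read-only audit of ProfileList. It changes nothing.
$root = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

$report = foreach ($key in Get-ChildItem -Path $root) {
    $name  = $key.PSChildName
    $props = Get-ItemProperty -Path $key.PSPath
    $isBak = $name -like '*.bak'
    $sid   = $name -replace '\.bak$', ''

    # Resolve the SID to an account name; SIDs of deleted accounts
    # fail to translate and stay marked as unresolved.
    $account = '(unresolved)'
    try {
        $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch { }

    # Does the folder the key points at still exist on disk?
    $path       = $props.ProfileImagePath
    $pathExists = $false
    if ($path) { $pathExists = Test-Path -LiteralPath $path }

    # For a .bak key, check whether a key for the same SID without
    # the suffix also exists (two keys for one account).
    $hasTwin = $false
    if ($isBak) { $hasTwin = Test-Path -LiteralPath (Join-Path $root $sid) }

    New-Object PSObject -Property @{
        Key        = $name
        Account    = $account
        IsBak      = $isBak
        HasTwin    = $hasTwin
        State      = $props.State
        Path       = $path
        PathExists = $pathExists
    }
}

$report |
    Sort-Object Key |
    Select-Object Key, Account, IsBak, HasTwin, State, Path, PathExists |
    Format-Table -AutoSize
```

Run it from an elevated prompt while logged in as the domain administrator; rows with `IsBak` set to True are the keys the post refers to, and saving the output gives a record of the state before the edit.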
