JakeCourtney
asked on
Windows 7 on 2003 Server Domain - "The Group Policy Client service failed the logon. Access is denied"
I've got a Windows 2003 server as the domain and I've got a network of about 60 Vista stations. We're getting ready to roll out Windows 7 stations soon.
As a test I took a newly formated Windows 7 station and added it to the domain. It took the domain without error, but if I try to use a domain profile to login with it fails out with, " The Group Policy Client service failed the logon. Access is denied"
I've tried this with multiple profiles and it does the same thing. However, I can login just fine using the domain administrator account.
Using that account I was able to install the new group policy AD on that local machine that let me get in and edit the group policy.
So I'm now stuck on how to get these profiles to login correctly without receiveing that error message. I think if I remember right I had this same error message a long time ago when I was first doing this with Vista.
I've tired just deleting the user profile and that doesn't work, so it has to be the group policy.
I've got a global group policy that applies itself to "Authenticated Users" and then another one that applies to a User GPO.
What steps should I be taking here? Is there something I need to install on 2003 sever to get this to work? I could probably copy and paste the current group policy settings if that would help.
As a test I took a newly formated Windows 7 station and added it to the domain. It took the domain without error, but if I try to use a domain profile to login with it fails out with, " The Group Policy Client service failed the logon. Access is denied"
I've tried this with multiple profiles and it does the same thing. However, I can login just fine using the domain administrator account.
Using that account I was able to install the new group policy AD on that local machine that let me get in and edit the group policy.
So I'm now stuck on how to get these profiles to login correctly without receiveing that error message. I think if I remember right I had this same error message a long time ago when I was first doing this with Vista.
I've tired just deleting the user profile and that doesn't work, so it has to be the group policy.
I've got a global group policy that applies itself to "Authenticated Users" and then another one that applies to a User GPO.
What steps should I be taking here? Is there something I need to install on 2003 sever to get this to work? I could probably copy and paste the current group policy settings if that would help.
mrmarkfury
Have you checked the Event Viewer on the test machine? It should be reporting an error...
ASKER
Just looked.
User Profile Service - Windows cannot load classes registry file. DETAIL - The system cannot find the file specified.
Winlogon - The winlogon notification subscriber <GPClient> failed a critical notification event.
A logon was attempted using explicit credentials.
Subject:
Security ID: SYSTEM
Account Name: 1ACCTIVITIES7$
Account Domain: GSHQ
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-0
Account Whose Credentials Were Used:
Account Name: jake_test
Account Domain: GSHQ
Logon GUID: {0f6d7e49-6855-40fc-3d4a-9
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x13a8
Process Name: C:\Windows\System32\winlog
Network Information:
Network Address: 127.0.0.1
Port: 0
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled
An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: 1ACCTIVITIES7$
Account Domain: GSHQ
Logon ID: 0x3e7
Logon Type: 2
New Logon:
Security ID: GSHQ\jake_test
Account Name: jake_test
Account Domain: GSHQ
Logon ID: 0xf0cc51
Logon GUID: {0f6d7e49-6855-40fc-3d4a-9
Process Information:
Process ID: 0x13a8
Process Name: C:\Windows\System32\winlog
Network Information:
Workstation Name: 1ACCTIVITIES7
Source Network Address: 127.0.0.1
Source Port: 0
Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
These are a few events from the Local machine right after attempting to sign in with a profile.
User Profile Service - Windows cannot load classes registry file. DETAIL - The system cannot find the file specified.
Winlogon - The winlogon notification subscriber <GPClient> failed a critical notification event.
A logon was attempted using explicit credentials.
Subject:
Security ID: SYSTEM
Account Name: 1ACCTIVITIES7$
Account Domain: GSHQ
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-0
Account Whose Credentials Were Used:
Account Name: jake_test
Account Domain: GSHQ
Logon GUID: {0f6d7e49-6855-40fc-3d4a-9
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x13a8
Process Name: C:\Windows\System32\winlog
Network Information:
Network Address: 127.0.0.1
Port: 0
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled
An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: 1ACCTIVITIES7$
Account Domain: GSHQ
Logon ID: 0x3e7
Logon Type: 2
New Logon:
Security ID: GSHQ\jake_test
Account Name: jake_test
Account Domain: GSHQ
Logon ID: 0xf0cc51
Logon GUID: {0f6d7e49-6855-40fc-3d4a-9
Process Information:
Process ID: 0x13a8
Process Name: C:\Windows\System32\winlog
Network Information:
Workstation Name: 1ACCTIVITIES7
Source Network Address: 127.0.0.1
Source Port: 0
Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
These are a few events from the Local machine right after attempting to sign in with a profile.
Why don't you try putting this computer in an OU with no group policy settings, then running gpupdate /force and restarting. Then test with both a normal AD account and a domain admin account and see what the results are.
ASKER
I've created a OU for just the Windows 7 workstations, but there is a main domain policy that is getting passed to all Authenticated Users.
I'm not sure how I can make it filter out and not apply to the Windows 7 OU.
I'm not sure how I can make it filter out and not apply to the Windows 7 OU.
ASKER
Are there any updates or hot fixes for the Windows 2003 server that I should be looking for? I have Windows Sever 2003 SP2, but not the new RC version.
You can block inheritance on the OU with the Win7 workstation by right clicking and choosing block inheritance. I would suggest you do this as a test, then we go from there.
ASKER
I installed every update I could find for the 2003 Server and I've got it working with the majority of the profiles.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
In safe mode remove all profiles under the advanced user profile properties then try logging in as the user. If it logs in as a temp profile, then go back to safe mode and open regedit. Remove all .bak profiles listed under "HKEY_LOCAL_MACHINE\SOFTWA
Try this and let me know if it works for you.
Try this and let me know if it works for you.