Domain PCs denying logon - Group policy error shown?
Posted on 2010-09-14
Bit of a strange one that I cannot find any answers to on the net.
PCs that were working fine a few days ago have stopped users being able to log on, showing the error below:
"The Group Policy Client service failed the logon. Access is denied."
Adding the user to local admins allows logon as a short term fix but this is undone shortly afterwards. Checking the administrators group on the PC shows an unresolved SID. have removed this and added to local admins again but it appears to repeat itself again a day or so later.
Checking event logs shows the following:
"The winlogon notification subscriber <GPClient> was unavailable to handle a critical notification event."
"The winlogon notification subscriber <GPClient> failed a critical notification event."
I've checked GPOs applied and none of them are setting local admins, although even if it was it shouldnt leave an unresolved SID behind.
As a test, we removed the unresolved SID and didnt add the user back into local admins and the user was able to log in fine.
The users were local admins but are no longer listed.
An unresolved SID is listed, removing it lets the user log on.
There are GPclient errors in the event logs.
I've looked around the internet and found suggestions relating to removing and readding user profiles and even reinstalling windows.
This is affecting a large number of users so messing around on each PC isnt really an option.
Server:SBS 2008 SP2.
2003 domain functional level.
Single DC holding all FMSO roles.
Clients:Windows XP & Windows 7 machines are experiencing the issue. Not all machines are affected.