Solved

Domain PCs denying logon  - Group policy error shown?

Posted on 2010-09-14
Medium Priority
2,460 Views
Last Modified: 2012-05-10
Bit of a strange one that I cannot find any answers to on the net.
PCs that were working fine a few days ago have stopped users being able to log on, showing the error below:
"The Group Policy Client service failed the logon. Access is denied."

Adding the user to local admins allows logon as a short-term fix, but this is undone shortly afterwards. Checking the Administrators group on the PC shows an unresolved SID. I have removed this and added the user to local admins again, but it appears to repeat itself a day or so later.

Checking event logs shows the following:
"The winlogon notification subscriber <GPClient> was unavailable to handle a critical notification event."
"The winlogon notification subscriber <GPClient> failed a critical notification event."

I've checked the GPOs applied and none of them are setting local admins, although even if one was, it shouldn't leave an unresolved SID behind.
As a test, we removed the unresolved SID and didn't add the user back into local admins, and the user was able to log in fine.

To confirm:
The users were local admins but are no longer listed.
An unresolved SID is listed, removing it lets the user log on.
There are GPclient errors in the event logs.

I've looked around the internet and found suggestions relating to removing and readding user profiles and even reinstalling windows.
This is affecting a large number of users, so messing around on each PC isn't really an option.

Server: SBS 2008 SP2.
2003 domain functional level.
Single DC holding all FSMO roles.
Clients: Windows XP & Windows 7 machines are experiencing the issue. Not all machines are affected.
0
Question by:Steve
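The question describes two symptoms that are visible from the client side only: an orphaned (unresolved) SID sitting in the local Administrators group, and Winlogon events mentioning the GPClient subscriber. Since the asker cannot visit each PC by hand, the script below, added here as an example and not posted by anyone in the thread, audits a list of machines remotely for both symptoms and reports, without changing anything. It uses the WinNT ADSI provider for group membership (it works against Windows XP as well as Windows 7, which `Get-LocalGroupMember` does not) and `Get-WinEvent` for the System log, which requires Windows Vista/7 or later on the target. The computer names are a constructed sample, and the script assumes it is run from a domain-joined management host with administrative rights on the clients.

```powershell
# Added example (not from the thread): report unresolved SIDs in each client's
# local Administrators group and any Winlogon events that mention GPClient.
# Assumptions: run as a domain admin; the client list below is constructed sample
# data and must be replaced with real hostnames (or fed from Get-ADComputer).

$computers = @('PC01', 'PC02')   # constructed sample names; replace with your own

function Get-LocalAdminMembers {
    param([Parameter(Mandatory)][string]$Computer)

    # The WinNT provider enumerates the remote SAM group and lets the remote machine
    # resolve names, so the client's own local accounts resolve correctly too.
    $group = [ADSI]"WinNT://$Computer/Administrators,group"

    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # Members come back as raw COM objects; read properties via InvokeMember.
        $name    = $member.GetType().InvokeMember('Name',    'GetProperty', $null, $member, $null)
        $adsPath = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $class   = $member.GetType().InvokeMember('Class',   'GetProperty', $null, $member, $null)

        # An entry whose name is itself a SID string (S-1-5-21-...) is one the machine
        # could not map to an account: exactly the orphaned entry the question describes.
        $unresolved = $name -match '^S-1-\d+(-\d+)+$'

        [pscustomobject]@{
            Computer   = $Computer
            Member     = $name
            Class      = $class
            Source     = $adsPath -replace '^WinNT://', ''
            Unresolved = $unresolved
        }
    }
}

function Get-GPClientEvents {
    param([Parameter(Mandatory)][string]$Computer, [int]$Days = 7)

    # Windows 7 and later only: Get-WinEvent talks to the Windows Event Log service,
    # which XP does not have. Filter on the message text rather than on event IDs so
    # the check does not depend on remembering the exact Winlogon event numbers.
    Get-WinEvent -ComputerName $Computer -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Winlogon'
        StartTime    = (Get-Date).AddDays(-$Days)
    } |
        Where-Object { $_.Message -like '*GPClient*' } |
        Select-Object MachineName, TimeCreated, Id, Message
}

# Collect membership from every reachable client, then show only the problem rows.
$membership = foreach ($pc in $computers) {
    if (-not (Test-Connection -ComputerName $pc -Count 1 -Quiet)) {
        Write-Warning "$pc is unreachable, skipping"
        continue
    }
    try {
        Get-LocalAdminMembers -Computer $pc
    } catch {
        Write-Warning "$pc : could not read Administrators group ($($_.Exception.Message))"
    }
}

'--- Unresolved SIDs in local Administrators ---'
$membership | Where-Object { $_.Unresolved } | Format-Table -AutoSize

'--- Winlogon events mentioning GPClient (last 7 days) ---'
foreach ($pc in $computers) {
    Get-GPClientEvents -Computer $pc | Format-Table -Wrap -AutoSize
}
```

The script deliberately only reports. Removing the orphaned SID is the workaround already described in the question, and the thread ends up locating the cause on the domain controller rather than on the clients, so the useful output here is the list of affected machines (to size the problem) and the timestamps of the GPClient events (to correlate with changes on the server).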
7 Comments
 
LVL 8

Expert Comment

by:psychogr
ID: 33670304
Make sure your client PCs have your domain controller as the only DNS server.
Try manually updating Group Policy on the client machines (gpupdate /force).

If unresolved, try rejoining the client machines to the domain.
0
 
LVL 27

Author Comment

by:Steve
ID: 33670379
The single DC is the only DNS entry.

gpupdate /force doesn't resolve the issue.

We cannot rejoin such a large amount of PCs to the domain without knowing if this will fix it. Could you be more specific on how this may resolve the issue?
0
 
LVL 5

Expert Comment

by:Blake_1
ID: 33671173
How about on the DC, what errors are displayed there in the System event log - any relating to Netlogon?
0
 
LVL 27

Author Comment

by:Steve
ID: 33673781
Hi Blake_1,

There are no warnings or errors in the Application or System event logs on the DC (other than unrelated ones about printers etc.).
0
 
LVL 5

Expert Comment

by:Blake_1
ID: 33677351
I would try re-adding a single machine to the domain to see if that resolves the issue. It sounds as though a GPO may be corrupted or something along those lines.
0
 
LVL 8

Expert Comment

by:psychogr
ID: 33698920
I had some issues with unresolvable SIDs and rejoining the client to the domain did the trick.
Very important: before rejoining the machine to the domain, you must make sure that no domain accounts are left on the local machine.
You can always check with one client PC, and if it works you should do the same thing with every other problematic machine.

Also, you must double-check the event logs, specifically the Security log, for strange behaviour.
0
 
LVL 27

Accepted Solution

by: Steve (earned 0 total points)
ID: 33732568
Thanks All.

I was unconvinced that rejoining so many of the PCs to the domain would be a very viable solution, but tried an individual PC just in case. Didn't work...

As advised above, there were no events on the DC relating to this, and the only evidence was in the PCs' event logs.

In the end I ran a chkdsk on the server's drive and used esentutl to repair the Active Directory database, and it seems to have resolved it.

http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/AdminTips/ActiveDirectory/UseEsentutlwhenNtdsutiltoolfailstorepairtheActiveDirectorydatabase.html

Has been running for a few days with no problems at all.
Thanks for the suggestions guys!


0
