Monday, 4 July 2011

How to fix Windows 7 logon error: “The Group Policy Client failed the logon. Access is denied.”

I have seen this particular error several times with Windows 7 and Vista and we are not helped by a lack of documentation from Microsoft for this problem.

In my case the most recent instance of this occurred when I had to drop and recreate a user account. The first time I got the error I tried deleting the local profile, deleting the server profile, giving the user administrative permissions on the laptop, you name it. In some instances instead of getting the above message the user would appear to log in as normal until “Preparing your desktop” then they would be logged out with no further explanation.

After a great deal of frustration I came across this helpful page and adapted the instructions to my situation and the problem is solved. Here is how I applied the steps:

  1. Start up Regedit on the affected computer
  2. Go to HKEY_USERS
  3. On the File menu click Load Hive
  4. Go to the folder of the affected profile and open NTUSER.DAT
  5. Name the new key e.g. Profile
  6. Right click this key and select Permissions
  7. Select Advanced
  8. Add the account of the user whose registry this is and give them Full Control and replace permissions for Child Objects with inherited permissions from this object.
  9. On the File menu click Unload Hive
  10. Close Regedit.

In this instance at Step 7 I found the SID of the previous user account had full control.

I still don’t have the foggiest idea why the new user account didn’t get the permissions assigned – how does this happen I have no idea. But it’s been a long day and time to go home.

FOOTNOTE: This all went well until I tried logging in the user on the Remote Desktop server – which picked up their new roaming profile, instead of the local one on their laptop (naturally), and threw the same error. To cut a long story short I had to repeat the steps on the server copy of the profile. Since this profile was created new, I don’t have any clue as to how the incorrect permissions got set in its NTUSER.DAT file.