Steps to recreate the issue... (Windows 2008 Server - DC, and Windows 7 as the client box)

1) Create a new user in the domain.
   Example: user1
2) Set the user's "Remote Desktop Services User Profile" to a network path.
   Example: \\myserver\profiles\bullpin
3) Logon with user1 to the remote desktop (SERVER_A), then create a new shortcut to a web page.
   Example: http://google.com -> Named: Google
4) Logout with user1.
5) Create a new user in the domain.
   Example: user2
6) Set the user's "Remote Desktop Services User Profile" to the same network path.
   Example: \\myserver\profiles\bullpin
7) Logon with user2 to the remote desktop (SERVER_A).  YOU SHOULD GET AN ERROR!
   ERROR: "The Group Policy Client service failed the logon.  Access is denied"

Update:

My answer below fixed the issue and everything seemed to work fine. Now I'm looking to find out how I can avoid this in the first place, without having to change permissions while the error is still up (in the 30 seconds it lasts). Can I change the key's permissions before the user tries to log on?

Note: If I have to load the profile in the hive under HKEY_USERS manually please explain how.

Thanks!

Arvo Bowen

4 Answers

Digging for answers on the web, in logs, etc. I found some interesting things out...

Looking in the log (Windows Logs->Application) of SERVER_A I found the following 2 entries...

1) The winlogon notification subscriber <GPClient> failed a critical notification event.
2) The winlogon notification subscriber <Sens> failed a notification event.

Then reading around I got the idea to look into another log on SERVER_A (Applications and Services Logs->Microsoft->Windows->User Profile Service->Operational) and found these entries...

1) Recieved user logon notification on session 1.
2) Registry file C:\Users\user1\ntuser.man is loaded at HKU\S-1-5-21-2420121206-1056658499-602520278-4624.
3) Registry file C:\Users\user1\AppData\Local\Microsoft\Windows\\UsrClass.dat is loaded at HKU\S-1-5-21-2420121206-1056658499-602520278-4624_Classes.
4) Finished processing user logon notification on session 1.
5) Recieved user logoff notification on session 1.
6) Finished processing user logoff notification on session 1.

Wondering what the heck it meant to "load" a user's profile into the registry, I started messing around and found that the registry (Run->regedit.exe, or Windows Key+R->regedit.exe) on SERVER_A had a key called "HKEY_USERS". Inside that I could NOT find the referenced SID!!! So looking into things I had an idea. Try to connect to the remote desktop as usual, get the error message, BUT DO NOT CLICK OK ON THE ERROR. Just let it sit there. Very quickly (because it times out soon) I hopped over to SERVER_A and refreshed the registry with F5 and sure enough the SID entry showed up!!! Before that logon error message timed out I right clicked on the key "HKU\S-1-5-21-2420121206-1056658499-602520278-4624" and went to "Permissions" and found that this was the problem...

My original user1 has rights to that key (HKU\S-1-5-21-2420121206-1056658499-602520278-4624) but there was no sign of user2!

So to resolve the issue I did the following...

Before the logon error timed-out I quickly updated the permissions to REMOVE the user1 entry and added a group that I had called "BullPin" which was a group created with user1 and user2 in it.
Arvo Bowen
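The question's update asks whether the key's permissions can be fixed before anyone logs on, instead of racing the 30-second error dialog. The same change the answer above made by hand (adding a group ACE to the root of the profile hive) can be made offline: mount the ntuser.man file under HKEY_USERS with reg.exe, edit the ACL with the PowerShell Registry provider, and unload it again. The script below is an added example, not code from the question or any of the answers; the share path \\myserver\profiles\bullpin, the group name CONTOSO\BullPin, the identity to remove (user1) and the mount name TempProfile are all assumed placeholders. It has to run elevated on a machine where the hive file is not currently in use.

```powershell
# Added example (not from the original post): give a group rights to a mandatory
# profile hive before any user logs on with it, so the GPClient "Access is denied"
# logon failure described in the question does not occur.
# Assumed values: share path, group name, identity to remove, mount name.
param(
    [string]$HivePath       = '\\myserver\profiles\bullpin\ntuser.man',  # assumed
    [string]$GroupName      = 'CONTOSO\BullPin',                          # assumed
    [string]$RemoveIdentity = 'CONTOSO\user1',                            # assumed
    [string]$MountName      = 'TempProfile'                               # assumed
)

$regPath = "Registry::HKEY_USERS\$MountName"

# 1. Mount the hive file under HKEY_USERS. reg.exe needs exclusive access to the
#    file, so run this while nobody using this profile path is logged on.
& reg.exe load "HKU\$MountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

try {
    $acl = Get-Acl -Path $regPath

    # 2. Show who currently has access; the answer above found only user1 here.
    Write-Host "Current ACEs on $regPath"
    $acl.Access | Select-Object IdentityReference, RegistryRights, IsInherited |
        Format-Table -AutoSize

    # 3. Drop the explicit ACE for the single original user, if present, so the
    #    hive is no longer tied to one account.
    $acl.Access |
        Where-Object { -not $_.IsInherited -and
                       $_.IdentityReference.Value -eq $RemoveIdentity } |
        ForEach-Object { $null = $acl.RemoveAccessRule($_) }

    # 4. Add a Full Control ACE for the group that inherits to every subkey, so
    #    each member gets what the original profile owner had. Users write to the
    #    loaded hive during the session even though a mandatory profile discards
    #    those changes at logoff, so read-only would not be enough.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $GroupName,
        [System.Security.AccessControl.RegistryRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $regPath -AclObject $acl

    # 5. Verify the ACE was actually written before trusting the change.
    $check = (Get-Acl -Path $regPath).Access |
        Where-Object { $_.IdentityReference.Value -eq $GroupName }
    if (-not $check) { throw "ACE for $GroupName was not written" }
    $check | Format-List IdentityReference, RegistryRights, InheritanceFlags
}
finally {
    # 6. Always unload. The Registry provider can hold handles open, which makes
    #    reg unload fail and leaves the hive file locked for the next logon.
    [GC]::Collect()
    & reg.exe unload "HKU\$MountName" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed; retry after closing handles" }
}
```

Run it once against the copy of ntuser.man on the profile share; because the hive is loaded on each logon from a local copy (C:\Users\user1\ntuser.man in the log above), any stale local copies should be removed so the next logon pulls the fixed hive. Run it with the defaults as `.\Fix-ProfileHiveAcl.ps1`, or pass `-HivePath`, `-GroupName` and `-RemoveIdentity` for your own values.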

I was facing the same problem while connecting to a Windows 2008 R2 RDC.

The Group Policy Client service failed the logon. Access is denied.

I fixed the issue by deleting the particular user's folder in C:\Users.

Reaces
Bhavik
This fix worked for me: rename the user's roaming profile with a .OLD suffix.

On all computers with the problem, log in as ADMIN, right click COMPUTER > PROPERTIES > ADVANCED SYSTEM SETTINGS > USER PROFILES > delete the local profile of the offending user.

Log out and log back in with the user; it should be fine.

There should be no problem at all if you specify different RDS user profile paths. When users log in, their ntuser.dat file is mounted (loaded) as HKU\<SID of user>\... . When the user logs off, the hive is unmounted (unloaded) and all changes are written back to the user's ntuser.dat in the profile share.

The SID in HKU consists of the domain's unique id + a relative id (RID) provided by the domain's RID Master. See FSMO Roles for more detail.

From time to time, unloading the user's registry hive has its flaws, thus possibly causing the RDS profile to become corrupt.

megamorf
  • By "specify different RDS user profile paths" I'm guessing you're saying NOT to have more than one user on a given profile. That is NOT the effect I'm going for. If I misunderstood I apologize, but I'm looking to have multiple users on the same profile. – Arvo Bowen Aug 04 '13 at 17:24
  • But that is not how RDS profiles work. All files of a user profile have one owner plus an ACL for the user that gives him all the necessary permissions. When the user logs on, the ntuser.dat of the profile is loaded under his SID. When multiple users have the same RDS profile path, Windows will run into errors because of mapping/ACL issues. RDS profiles are not designed for multi-user usage. – megamorf Aug 04 '13 at 17:30
  • I could see how that would cause issues. In my case the users are not writing anything back to the profile, just reading. I'm using mandatory profiles. The object was to simply have all the users pull from the same mandatory profile as a template; when they save something to their desktop, as soon as they log off *poof* it's gone. – Arvo Bowen Aug 04 '13 at 17:35