How to fix "The Group Policy Client service failed the logon. Access denied." error?


I stumbled into this error while logging on to one of my machines with my domain account. I searched at “bing” and “google” for help but unfortunately did not find any so after several trial and error, I managed to fix this issue. I am posting it so if any of you run into it, you could give the following a try and if you are lucky hopefully this will work for you.

1. Logon to the machine with a machine administrator account (assuming this issue is with a domain account, if not logon to the machine using another account with administrative privilege).

2. Move the machine to a workgroup from domain. (If it was part of one workgroup then change it to another one or join a domain.) You could do this through Control Panel\System and Security\System and then Change Settings.

3. Restart the machine and logon with a machine administrator account.

4. Delete your user profile data (or move it a different location) completely from c:\users. “C” in my case is system directory but if you have a different one then use that one.

5. Join the machine back to domain account (or to workgroup that the machine was originally joined to), and restart the machine.

6. Logon with your domain account that you were having trouble with. Keep fingers crossed.

If all goes well, you should be logged on.

Since this error may happen under different conditions so the above may not be a solution for all but if it helps even a single soul, I would consider my time writing this blog worth spent.

Cheers,

Mohammad

Comments (80)

  1. Dan McLoughlin says:

    I'm going to try this out. I will let you know how it goes. Thanks for the post.

  2. Marius says:

    Same issue.  But we can't afford to move our users into Workgroup and Back into Domain. There must be a different soluiton.

  3. Jason says:

    Keep it simple.

    Remotely connect the to drive holding the profile with an administrative account, i.e. \Servernamec$

    Delete the profile of the user that is failing to logon.

    Problem solved. Investigate what caused the corruption.

  4. Souman says:

    I deleted profile,but it didnt changed anything,Same error for the user.

  5. Katie says:

    I can't get past that screen to be able to get to the control panel. It gives me that same error message and when I click ok it says logging off then brings me back to the welcome screen that allows me to click on my profile (which is the only profile on the computer) if I click it, its a vicious cycle of the same thing. I am fine wiping it clean if possible. Just anything to have it working again!!

  6. Robert says:

    Katie

    If you do a Ctrl-Alt-Del on the welcome screen, it should give you the option to type in a user. Try Administrator .

  7. latoya says:

    Ok what if I only get the start up screen, how can I get to the control panel. It just will not let me past the login screen..

  8. lm says:

    My CPU is doing this but I only have the one a count ony CPU how do I fix it the plz hellp¡!!!!!!

  9. MKB says:

    We are having this issue, but only have one account (Administrator) on the unit.  Cannot get into the control panel at all.

  10. MM says:

    I'm having the same issue and have tried a lot of solutions involving modifying or deleting profiles (none of which have worked).  Lastly, I tried to completely remove user profiles (of which I only had one) which resulting in skipping the login screen but being prompted with another error, and being left at a blue blank screen (presumably after the O/S is loaded). From this screen I can use Ctrl+Alt+Del but cannot access the task manager as I am presented with the same error message that comes up when the O/S is trying to load (the application was unable to start correctly (0xc0000022)).

    I had restore points prior to this issue, but once the issue occurred, they disappeared.  I have only the one user profile, so it seems I am stuck.

    Any advanced help would be appreciated as I do not have the Windows 7 discs available to perform a clean instal.

  11. yinka says:

    Easiest way is to go to C:Users<the user account> then delete NTUSER.DAT.

  12. zhudc says:

    Easiest way is to go to C:Users<the user account> then delete NTUSER.DAT. —can't delete this file

  13. Jacob says:

    Have you tried renaming the NTUSER.DAT to NTUSER.MAN?

  14. Read says:

    I got this same error while loging in, but then I was able to login immediately after. Should I be concerned?

  15. Grumz says:

    We found that if you just reboot it a couple of times, it will allow you to get logged in. However… it's not a good fix. There's definitelly something going on and it ain't just profile related. Deleting profiles on Win 7 x6 isn't quite as easy as XP. But I'm hoping that this fixes it:

    social.technet.microsoft.com/…/3d446f6c-9d91-45e4-88a5-603828f6f09c

  16. Nisar says:

    If the problem was with the machine then it wouldn't allow any other domain account to login. Also the same user account having the same error on another machine on the same network.

    Note "the user can login the to the RDP session but not locally on the machine on the same server.

  17. vikram says:

    This is right solution to this problem. I have not even deleted any profiles, but it worked

  18. Kris says:

    This is a horrible solution to the problem and hasn't fixed my issue but I had to try it. My machine is not on a domain and the issue is the DEFAULT profile is messed up. When I go to services.msc the "Group Policy Client" is set to "Automatic" however it fails to start and says "stopped" instead of "started". I'm working on a way to get the services started….and yes I am using the administrator account to try and start the service.

  19. Ana says:

    What I did was: Unplug the computer from the electricity source.  After a couple of seconds, start the computer and the first screnn gave me the option to  press F11 for Recovery.  I set the Recovery time for 2 weeks ago when I had to user profiles, I had to logon to the non-administrator user profile and access my documents from the administrator user files. Under the "Computer" folder, in the C: drive, folder Users, Administrator.

  20. Instead, I suggest you try the following:

    – Restart the computer.

    – Login with an administrative account (not the account that is having the problem).

    – Rename the ntuser.dat file (to something like ntuser.old1) for the user that is having the problem (C:Users%username%ntuser.dat).

    – Log off and login with the user account, a temporary profile should be created.

    – Log off and login with the previous administrative account.

    – Open REGEDIT and go to: HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionProfileList

    There should be a profile under that key that has .bak after the SID number (e.g. S-1-5-21-245852018-2450494779-245611912-1000.bak).

    – Select the key and check the ProfileImagePath string value relates to the correct user then delete the SID key (that ends with .bak).

    – Restart and login with the affected user account, they should be able to login now.

  21. Chris W says:

    I did the regex on a Windows 7 Starter netbook and it worked.

  22. JCISD says:

    Is there any other way to fix it besides a dis-join and rejoin?

    Does anyone know what causes it?

  23. bill v says:

    My fix was to remotely remove the domain profile in c:usersbadprofile with delprof2 /?, this is handy for RDP environments especially when the profile gets corrupted and you want to clean reg and folder of a profile.

  24. Renee says:

    We'll it work but what I suppose to do with the old user profile

  25. Matt says:

    Delete the profile in the same way you would on Windows 7. i.e. Delete C:Usersusername and delete Reg key HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionProfileListUNIQUE SID for user.

  26. CI says:

    I can't get past that screen to be able to get to the control panel. It gives me that same error message and when I click ok it says logging off then brings me back to the welcome screen that allows me to click on my profile (which is the only profile on the computer) if I click it, its a vicious cycle of the same thing. !! If I do a Ctrl-Alt-Del on the welcome screenI nothing happen!!!! Please HELP me!!!

  27. VINAYAK RAJARAM KADAM says:

    login with local administrator

    rename c:user{user id problem}ntuser.dat  ntuser.dat.old

    CREATE  NEW  USER

    login with new user

    COPY ntuser.dat   c:user{user id problem}ntuser.dat

    now you can login

    thank you:hariomsai7@gmail.com

    my.opera.com/…/blog

  28. S says:

    For the vicious cycle issue…restart and press the Fwhatever key to get into system restore and restore back to a point it was working. That was the ONLY way I could get in to do a dskchk

  29. m says:

    s*** microsoft !!!! you coudnt handle fu**ing exception

  30. JDJIRE johnydarius@gmail.com says:

    It worked  GREAT.IF U EVER HAVE TROUBLE TO DELETE NTUSER.DAT, TRY THIS FIRST:

    1 LOG IN IN SAFE MODE WITH NETWORKING …

    2-GO TO USER ACCOUNT AND CREATE NEW USER ACCOUNT WITH ADMINISTRATOR SKILLS

    3-SWITH TO NEW USER ACCOUNT

    4 GO TO YOUR EXPLORER AND DELETE THE NTUSER.DAT

    5-REBOOT AND THAT'S IT!

  31. Ronyel says:

    but if you have an ONE user account what should i do?

    user account that have gp client service failed to log on.

  32. paddy says:

    hi i cant try anything because when it loads up and you click on the login picture to goes to the the group policy client service failed notice when you click on the ok it goes back to the logon picture and so on can you help please

  33. eliegk says:

    The driver solution was the best. It works every time to all similar issues, including unable to logon because of a failed "Login Service service".

  34. seanisduke says:

    I can tell you that there were 4 restore points saved after Windows Updates, all in the same day. That is when all my issues started. The restore Points are bad and they Fail when attempting to Restore. So, I believe Microsoft created this issue when it did the system updates. I did notice the label of .NET something or other in the restore point names.

  35. Waseem says:

    Renaming or deleting user profile in C drive will Resolve this issue.

    I have had same issue. Issue resolved!

  36. Gurdeep Shanaia says:

    Gets stuck at login saying :the group policy client service failed the logon access is denied what to do ???

  37. Kesarvani says:

    Hi,

    I am facing the same issue.Have gone through all the blogs but no use.I have only one account and that itself is giving error.All the solutions provided here are considering you are able to login to the machine or u have access to the run prompt.here in my case i do not have access to it as i am not able to login on machine only.

    I tried to login using safe mode but even that didnt allow me to login in system.does anybody have any steps to follow on how to login and fire which commands and where in safe mode or other.

  38. Steve says:

    I have found a solution…

    ***But if this F's your stuff up, you've been warned, not my fault.  It worked for me.  Windows 7 that accepted some BS update that gave my system a grand mal seizure***

    First get your computer to command prompt

    – while the 'puter is booting press F"Whatever" (for me F8) to get to the Advanced Boot options.

    – Choose "Repair your computer"

    – Get through the langue option, a login – Yes a login – fear not, use your username that is giving you problems and the correct password, and then you'll see a System Recovery Options window (Score!) with five options.

    – Click on command prompt

    You're in like Flynn.

    However you're going to notice you're in X:  To get to C:  Just type C: and press enter.  cd C:  will get you looping back to X: every time.

    Next bit is the important part.  You want to run a command:

    REN "C:UsersENTER THE BAD USER NAME HEREntuser.dat" "ntuser.dat.old"

    This is what this does:

    REN – rename command

    "C:UsersENTER THE BAD USER NAME HEREntuser.dat"  – points the computer to the user folder of the bad user name, specifically the ntuser.dat file in that folder

    "ntuser.dat.old" – the new name of that corrupted file which will now be hidden to the demons the Windows update brought to your quite OS.

    once this runs, type exit

    This gets you out of command and back to the System Recovery Options, so restart…and upon restarting login…hold on to your butts…It took my system a little longer than I thought but it took the horse pill and runs.

    You might also see that you are now a temporary user.  This is annoying if you hope to have anything save to this user profile… Just setup a new user and transfer files from the old user folder.

    Good luck!

  39. Deby says:

    yinka  

    20 Mar 2013 5:38 AM

    #

    Easiest way is to go to C:Users<the user account> then delete NTUSER.DAT.

    ***This worked! Remotely ran to the c$ and found the user having the problem, deleted the file and all was well. Just had to make sure I was going to the C: while logged in as an admin.

  40. Ganesh says:

    you are going to heaven.. for this post. Thanks.

  41. Lomanov says:

    Please please i cant reach the login screen. we cant talk of control panel or c drive or any access, im locked out!!! i have a windows server R 2008 , this server doesnt allow me to reach e login screen its stuck at ' waiting for group policy client' . this is the domain controller for my network, u can tell my system is  locked out till i get this solved.   i tried to remove network cable, shut it down completely overnight, force replication from other servers its not working. Please help me out.

  42. Sridhar says:

    @Jason : Thanks for the Solution, that worked for me well..Thank you Very Much!!

  43. the0ldm4n says:

    Ok, I'm normally a macuser (don't hate me!) I don't think any of you really addressed the issue of what to do if this is yr only account? This is so much BS and I'm not super clever so HELP!!!!

  44. Mohammad says:

    @the0ldm4n: You will need another machine that is on the same network (or could access the machine in trouble). On the second machine, you should press WindowKey + R, this will start a run window. You should then type "\<machinenamethatishavingissue>c$" and then hit Enter. If you could connect to the machine, then it will prompt you for your credential. Enter the credential. This will take you to File explorer. Go to "Users" folder and then delete the profile name that would appear as a folder. Once you are done, you can go back to the machine with issue and login, hopefully you would then be able to login.

  45. tch5 says:

    I had this problem with one admin user on my PC.  I ran system restore to an earlier restore point. Fixed the login problem, but probably not the cause of the problem.

  46. Rushabh says:

    Same issue but it has happened it the admin account. What do I do?

  47. Matt says:

    After trying system restore, checkdisk and sfc, it came to this.

    1 – I logged in as admin, copied off the contents of the user's folder.

    2 – Removed the computer from the domain.

    3 – Deleted the user's account folder from the c:Users directory.

    4 – Removed the user's profile key from HKLMSOFTWAREMicrosoftWindows NTCurrentVersionProfileList

    5 – Readded the computer to the domain.

    6 – Logged in successfully as the user.

    7 – Copied the contents of the user's profile (from step 2) over to the fresh profile folder.

  48. ChrisS says:

    I had the same "Group policy…access denied" problem.  My issue turned out to be the user's roaming profile.  The user having the problem couldn't log onto any machine but was someone who had left and then returned.  I deleted the roaming profile and allow the logon process to created a new one.  Working fine. Very similar to deleting the local profile but I wanted to add my experience in case it helps.  

  49. vamsi says:

    hai

    you told to logon to the machine using admin account i had only single account and it is showing the above message, what i am asking you is i cant logon to the account even for a single time also to do the operations u mentioned

  50. Daniel Abel says:

    Sir/Ma, what of a personal system tha is not connected to domin.I have bee following all the suggetion given as solution to the issue but it failed to work for pc that is not connected to the domin please help am have 100 of such issue to delivery for lecture who thesssis materials are stucked help in time.

  51. Daniel Abel adeyemibelly22@hotmail.com says:

    Sir/Ma, what of a personal system tha is not connected to domin.I have bee following all the suggetion given as solution to the issue but it failed to work for pc that is not connected to the domin please help am have 100 of such issue to delivery for lecture who thesssis materials are stucked help in time.

  52. Sam M. says:

    I'll be as concise as possible.  I have a system that isn't joined to any domain, and it has one local admin account.  That's the only account on the system  How would you go about addressing this issue?

  53. Jane says:

    This guy is saying that it's because the ACLs get corrupted on the group policy cache folder and you can just reset them. I guess rejoining the PC to the domain does the same thing, but this might be a quicker fix if it works for you:

    http://www.itsupportforum.net/…/the-group-policy-client-service-failed-the-logon-access-denied

  54. sam says:

    Ok everyone calm down! Firstly I like to thank this forum to help me understand tht my computer is not fully fukd!!!  Ok now comeing back to story, I won't talk abt all nerdy stuff like domine link client server remote acceses n change root directry or watever!  Wat I'm gona do is giv step by step instructions for anyone who knw basic usage of a laptop.

    Let's say this is ur own computer n u were stupid lik me to hav jus one user account(not even guest login) which is obviously administrator and u faceing this error… wat u hav to do is,

    Step1. Press n hold power button in ur laptop till it switchesoff

    Step2. On ur lap again. Now ull see few options like safe mode, start windows normaly etc… in this screen u hav to select " safe mode with network" option

    Step3. Ur windows will start n take u to login, u enter ur password and it will login properly n take u to ur desktop.

    Step4. Go to control panel. Select " user accounts" option.

    Step5. In tht screen press " manage another account" option.

    Step6. Select " creat new user" option and makesure u give admunistrator rights to this new account.

    Step7. Restart and login with ur new account.

    Step8. Go to c: select folder named users, select admin ( ur previous account tht won't login) and inside tht folder ter will be file tht ends with ".dat" I think its ntuser.dat.   u hav to delete tht mothafkr. :p

    Step9: restart ur computer n login with ur main account and u will be granted access!!!!!  

    I'm sure ud wana hug me but its cool, always glad to help 🙂

    PS: don't freakout wen u see a black desktop with stupid wallpaper n apparently all files n pics u had in desktop is gone!!!! They r not deleted, they r still in ur c:/users/admin.    

    Your welcome! 😉

  55. Chris Gavin says:

    This different angle may help find the root cause: We have this on our Virtual Environment VMWare/Windows 7 Enterprise. The VM's are rebuilt at every logoff so no changes are saved – this also means the problem is account/roaming profile related – the machine template is common to thousands of staff. Once a staff member has the issue it will not go away until every step below has happened. The first step (not mentioned) is to change the password

    To fix –

    • Open up Active Directory as Admin and find user account

    • Add to an alternative Pool (security group) (ie Pool A if already assigned to Pool B CCC-VDI-PA)

    • Add a space to K drive UNC path then delete the space and click apply

    • Add a space to the account name then delete the space and click apply

    (Answer yes to apply permissions)

    • Rename profile extension to .old

    Logon to alternative Pool – this should work. At this point because the profile has been renamed a new profile will be created. Once logged on, log off again

    • Remove from alternative Pool

    Logon to original Pool – this should work. The staff member can now log on but has a new profile

    (It is now necessary to extract any files/folders from the old one to put in the new

    Some common places: desktop, pictures, favourites, downloads, videos, music,

    Inside roaming: Microsoft

    Outlook will need to be set up again, check auto correct lists, signatures, archive email files are present as required)

    Let me know your thoughts

    C 🙂

  56. evi says:

    Only Steves  and debys solution worked for me life saver thanks  a lot   , but the f8 button needs good timing

  57. sdhughdshghpwsdeg says:

    ejkkejkjdkikeidkerh[qpo3erpqpowrjqjekke jen iejrjkkeirqweppowjrpoqwjr qwojorje rjoejgjejgjweo[ghwdehjowejhwejgojewg jm

  58. Naz62 says:

    Similar to Chris Gavin’s situation, but using VirtualBox instead VMWare.  The Virtual Windows 7 X64 in a workgroup with user’s roaming profile on a network drive. I used the following steps to correct the problem.

    • Logged on with the Administrator Account.

          Run regedit

             1.  Load the User Hive

                    Highlight HKEY_USER

                              File -> Load Hive

                                 Navigate to the user’s roaming profile directory

                                 Double click on NTUSER.DAT

                                 Give it a name; this same name must be used later.

             2. Export the users Hive

                      Highlight the  just load hive

                          Right click -> Export

                          Save into the Desktop or folder of your choice.

             3. Rename the user’s NTUSER.DAT (Just in case…)

             4. Have the user logon and then immediately logoff

     This creates a new NTUSER.DAT based on the default profile.

             5. Restore the user’s settings

                     Load the User Hive

                           Highlight HKEY_USER

                                File -> Load Hive

                                Navigate to the user’s roaming profile directory

                                Double click on NTUSER.DAT

                                Use the same name as used in step 1

             6. Import the registry saved in step 2

                      File -> Import

                            Navigate to Desktop or folder you saved the registry file.

                            Double click on registry file

                            You should see successful import.

              7. User can now logon with all their setting restored.  

  59. N0nsense says:

    We have solutions, anyone know the cause??? I don't believe it's profile related!

  60. Loganathan says:

    Delete user profile and try.. It works

  61. NotRetarded says:

    As info, any time you can't delete a user profile, it's usually because it's in use and you need to reboot.

  62. Rob says:

    All these lose access to the data etc and appear to be little different to just deleting and creating a new profile with the same name

  63. Kiran kumar says:

    Same issue is coming in my previous after trying more times I finally opening the desktop but if I want to click any pc setting and control panel and pc properties also not opened. And the system is hanged for every 10 seconds. So please give solution.

    With regards,

    Kiran Kumar

  64. Ed says:

    Delete the ntuser.dat for user profile worked on Vizta.

  65. Harold says:

    Thanks, this is just what i was looking for and it resolved my issue.

  66. Mar says:

    But what's that problem? Cuz I've got the same problem, except I can't logon to any account unless in safe mode.

    Any suggestions? I'd appreciate it if someone replied, thanks 🙂

  67. Lakshay says:

    This solved the issue for me:-

    1.when it dosnt log on, press and hold the power key

    2.the system is hard power off

    3.then start again it ask you wether to start in safe mode

    4.choose yes

    5.computer shud start in safe mode

    6.create additional administrator from control panel

    7.shutdown and log on with them 🙂

    Hope this solved your issue too

  68. Anonymous says:

    Nobody has an answer for the person who has just one account to use to logon with, and they are getting the error when using that one ID.

  69. Anonymous says:

    My computer is password protected how do I pass through the login screen because it's  not logging me in

  70. Anonymous says:

    I made a new user with administrator rights, then I restarted the computer, I can login with the new account but it says the same as the user with the login problem.

    Cannot make any connection with the Group Policy Client-service.

    Because of this problem, the computer is very, very slow.

    So in my case, it has a new user account, but the problem remains.

    Any one that can help me?

  71. Northbayteky says:

    1. Log in as a local admin

    2. Open up System Properties (sysdm.cpl)

    3. Go to Advanced tab and choose Settings under User Profiles

    4. Find the profile for the account that can't log in and delete it. This deletes the profile folder and registry key for you.

    If losing data from the profile is the issue, you can still retain that data as long as you are logged in as an administrator. Many different ways to do this, either take ownership or copy the profile to a network share before you delete it in the correct way. (Computer>Properties>Advanced System Settings>User Settings…)

  72. satish says:

    I had  same issue and it if fixed by deleting the old profile. I followed the Jason recommendation.

  73. Bhavik says:

    Hello, i was facing same problem while connecting win 2008rs rdc -"The Group Policy Client service failed the logon. Access denied."   i fixed the issue by deleting particular user accounts folders in C:Users .

    Thanks

  74. Nuwan says:

    I'm still looking for the problem, but I have a domain account that wont logon to ANY domaincomputer, except my own machine, so with roaming profile there is a big problem.

    One hint is that the problem persistst in the roaming folder of the profile map.

  75. ITdude says:

    like others have said this solution is like using a sledge hammer as a can opener. Just go int o C:Users and delete the affected user's profile (make sure to backup any important files or favorites in the folder first if you can), and then have the user log in again. Done.  

  76. Willie says:

    After deleting the user profile you need to also delete the user profile from the registry.  HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionProfileList

  77. Qiang says:

    Rename profile NTUSER.DAT to NTUSER.DAT.OLD worked for me. Thanks.

  78. Kareem Eleseely says:

    it is google chrome. the following post say so

    egyptianvulture.blogspot.com/2016/01/the-true-reason-behind-group-policy.html

  79. Jack says:

    Or you could just go in the cmd window and type "netsh" then…."winsock reset"…. then restart. That simple!

  80. Mcharo Blaze says:

    For those with just one account… take your harddrive connect it to a working machine as secondary…or slave,,,, after booting and the harddrive is visible, go to users and delete or rename the NTUSER.DAT.

    Then fix the harddrive back to its machine and restart

    skype mcharo.blaze