When you try to log in to a domain local account and get the error message "the group policy client service failed the logon. Access Denied", it means there is a problem with that particular account's permissions that you need to fix. Here are a few ways to fix the issue:
Solution 1: Making Changes in Registry Editor
Take a full backup of the registry before trying the following steps:
- System Properties > Advanced System Settings > Advanced tab > User Profiles (Settings...) button > If you see the user in there, delete it too.
- Log off as Local Admin and reboot. (A reboot is not 100% necessary, but I usually do it just in case.)
- Log in with the domain username and you should be all set.
Solution 2: By Deleting the Profile Folder
If accounts in other domains are able to connect via RDP and a particular account doesn’t work, then do the following steps:
- Log in as a Local Admin.
- Open up System Properties (sysdm.cpl).
- Go to the Advanced tab and choose Settings under User Profiles.
- Find the profile for the account that can’t log in and delete it. This deletes the profile folder and registry key for you.
- Log in with the same account.
Solution 3: By using Profile Services
- Open the Services list by running the command services.msc in the Run dialog box.
- Locate User Profile Service and check whether it is running.
- If not, start it. That should resolve the issue.
Solution 4: Old Solution (Might not work)
- Log on to the machine with a machine administrator account (assuming the issue is with a domain account; if not, log on to the machine using another account with administrative privileges).
- Move the machine from the domain to a workgroup. (If it was part of a workgroup, change it to another one or join a domain.) You can do this through Control Panel\System and Security\System and then Change Settings.
- Restart the machine and log on with a machine administrator account.
- Delete your user profile data (or move it to a different location) completely from C:\Users. "C" in my case is the system drive; if yours is different, use that one.
- Join the machine back to the domain (or to the workgroup that the machine was originally joined to), and restart the machine.
- Log in with your domain account that you were having trouble with. Keep fingers crossed.
- If all goes well, you should be logged on.
In case you are logged on with a temporary user profile:
- Log in with an Administrator account on the local machine.
- Open Regedit.
- Navigate to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
- There will be a number of registry keys inside ProfileList. Look for two with the same name that differ only by a .bak extension (e.g. xxxxxx1234.bak and xxxxxx1234).
- The registry key with the .bak extension contains the user's actual profile, while the one without .bak contains the temporary profile.
- Delete the registry key WITHOUT the .bak extension and rename the one with it to xxxxxx1234 (without the .bak). In the pane on the right there should be a value named RefCount; change its value to 0.
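Before deleting or renaming anything, the key pairs described above can be found from an elevated PowerShell prompt. This is an added example, not part of the original article: it backs up the ProfileList key and lists every key that exists both with and without .bak. The function names and the backup file name are hypothetical; ProfileImagePath is the value in each ProfileList subkey that holds the profile folder path.

```powershell
# Added example: back up ProfileList, then list SID / SID.bak key pairs.
# It changes nothing in the registry; the delete/rename step stays manual.
$regPath  = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$psPath   = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
$backup   = Join-Path $env:TEMP 'ProfileList-backup.reg'   # hypothetical file name

# Export the key so the original state can be restored with "reg import".
reg.exe export $regPath $backup /y | Out-Null

function Get-ProfileKeyInfo {
    # One object per subkey, with the .bak suffix stripped into a common Sid field.
    param([string]$Path)
    Get-ChildItem -Path $Path | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            KeyName          = $_.PSChildName
            Sid              = $_.PSChildName -replace '\.bak$', ''
            IsBak            = $_.PSChildName -like '*.bak'
            ProfileImagePath = $props.ProfileImagePath
            RefCount         = $props.RefCount
        }
    }
}

function Find-DuplicateProfileKey {
    # Keep only SIDs that appear twice: once as SID and once as SID.bak.
    param([object[]]$Keys)
    $Keys | Group-Object -Property Sid | Where-Object {
        $_.Count -eq 2 -and
        ($_.Group.IsBak -contains $true) -and
        ($_.Group.IsBak -contains $false)
    } | ForEach-Object { $_.Group }
}

$keys  = @(Get-ProfileKeyInfo -Path $psPath)
$pairs = @(Find-DuplicateProfileKey -Keys $keys)

if ($pairs.Count -eq 0) {
    Write-Output 'No SID / SID.bak pairs found under ProfileList.'
} else {
    # The .bak row should point at the real profile folder, the other at a TEMP one.
    $pairs | Sort-Object Sid, IsBak |
        Format-Table KeyName, ProfileImagePath, RefCount -AutoSize
}
```

Comparing the ProfileImagePath of the two rows confirms which key points at the real profile folder before the key without .bak is removed.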