When you try to log in to a domain local account and get the error message
"The Group Policy Client service failed the logon. Access Denied", there is a problem with that particular account's permissions that you need to fix. Here are a few ways to fix the issue:
Solution 1: Making Changes in Registry Editor
Take a full backup of the registry before trying the following steps:
- Log in to the machine with the local administrator account.
- Delete the profile for the user that’s having the problem, i.e. C:\Users\User01
- Run Regedit, and remove the profile from
HKLM > Software > Microsoft > Windows NT > CurrentVersion > ProfileList > (SID)
(you can right-click on ProfileList and search for the user name, e.g. User01).
- Once found, delete the entire KEY for the user.
- Double-check that it has also been removed from System Properties > Advanced System Settings > Advanced tab > User Profiles (Settings...) button. If you see the user in there, delete it too.
- Log off as Local Admin and reboot. (Reboot not 100% necessary, but I usually do just in case.)
- Log in with the domain username and you should be all set.
Solution 2: By Deleting the Profile Folder
If accounts in other domains are able to connect via RDP and a particular account doesn’t work, then do the following steps:
- Log in as a Local Admin.
- Open up System Properties (
- Go to the Advanced tab and choose Settings under User Profiles.
- Find the profile for the account that can’t log in and delete it. This deletes the profile folder and registry key for you.
- Log in with the same account.
Solution 3: By using Profile Services
- Open the Services list by running the command services.msc in the Run dialog box.
- Locate User Profile Service and check whether it is running.
- If not, start it. That should resolve the issue.
Solution 4: Old Solution (Might not work)
- Log on to the machine with a machine administrator account (assuming this issue is with a domain account; if not, log on to the machine using another account with administrative privileges).
- Move the machine to a workgroup from the domain. (If it was part of one workgroup then change it to another one or join a domain.) You could do this through Control Panel\System and Security\System and then Change Settings.
- Restart the machine and log on with a machine administrator account.
- Delete your user profile data (or move it to a different location) completely from c:\users. "C" in my case is the system drive; if yours is different, use that one.
- Join the machine back to the domain (or to the workgroup that the machine was originally joined to), and restart the machine.
- Log in with your domain account that you were having trouble with. Keep fingers crossed.
- If all goes well, you should be logged on.
In case you are logged on with a temporary user profile:
- Log in with an Administrator account on the local machine.
- Open Regedit.
- Navigate to
- There should be many Registry keys inside ProfileList. Look for two with identical names that differ only by a .bak extension (e.g. xxxxxx1234.bak and xxxxxx1234).
- The Registry key with the .bak extension contains the user's actual profile, while the one without .bak contains the Temp profile.
- Delete the Registry key WITHOUT the .bak extension and rename the one with it to xxxxxx1234 (without the .bak). In the fields on the right there should be a value named RefCount; change the value to 0.
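
Before deleting or renaming anything in Solution 1 or in the temporary-profile case, it helps to see exactly what ProfileList contains. The following read-only PowerShell check is an added example, not part of the original article; it assumes an elevated prompt, uses the article's sample account name User01, and also reports the User Profile Service state from Solution 3.

```powershell
# Added example: read-only audit of ProfileList. Nothing is modified or deleted.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$userName    = 'User01'   # sample account name from the article; change as needed

function Get-ProfileListEntry {
    param([string]$Path = $profileList)
    Get-ChildItem -Path $Path | ForEach-Object {
        $p      = Get-ItemProperty -Path $_.PSPath
        $folder = [Environment]::ExpandEnvironmentVariables([string]$p.ProfileImagePath)
        [pscustomobject]@{
            KeyName      = $_.PSChildName                        # SID, possibly with .bak
            Sid          = $_.PSChildName -replace '\.bak$', ''  # SID with .bak stripped
            IsBak        = $_.PSChildName -like '*.bak'
            ProfilePath  = $folder
            FolderExists = [bool]($folder -and (Test-Path -LiteralPath $folder))
            RefCount     = $p.RefCount
            State        = $p.State
        }
    }
}

$entries = @(Get-ProfileListEntry)

# Solution 1: which key(s) belong to the affected user?
Write-Host "--- Keys whose profile folder matches $userName ---"
$entries |
    Where-Object { $_.ProfilePath -and ((Split-Path $_.ProfilePath -Leaf) -like "$userName*") } |
    Format-Table KeyName, ProfilePath, FolderExists, RefCount, State -AutoSize

# Temporary-profile case: a SID present both with and without .bak
Write-Host '--- SIDs that have both a plain key and a .bak key ---'
$entries | Group-Object Sid | Where-Object { $_.Count -gt 1 } |
    ForEach-Object { $_.Group } |
    Format-Table KeyName, IsBak, ProfilePath, RefCount -AutoSize

# Leftovers: keys that still point at a folder that no longer exists
Write-Host '--- Keys pointing at a missing profile folder ---'
$entries | Where-Object { -not $_.FolderExists } |
    Format-Table KeyName, ProfilePath -AutoSize

# Solution 3: is the User Profile Service (service name ProfSvc) running?
Get-Service -Name ProfSvc | Format-Table Name, DisplayName, Status -AutoSize
```

Run it once before the change and once after: the affected SID should then appear exactly once, without .bak, with an existing folder (or not at all if the profile was deleted).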