Courtenay-9443 asked DaisyZhou-MSFT answered

Windows Server 2016 - The Group Policy Client Service Fails the Logon - Access Denied

Good Day,

I have four (4) terminal servers and one (1) remote desktop licensing server. These servers run a critical application which most of the users at my organization access on a daily basis. Occasionally, users receive a group policy client service failed the logon message when they attempt to access any of the four (4) terminal servers. To bypass this, we sometimes run remote desktop and redirect the user to another server in the pool (example, if they are affected on the first terminal server, we point them to the second). We have tried our best to track down the group policy affecting the terminal servers but to no avail. It does not affect domain administrators however. I followed the steps outlined in the article below, but to no avail. Please advise if there is any additional information you may require to help me narrow down this problem, thanks.

windows-group-policy

Hello @Courtenay-9443,
I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.
Thanks for your time and have a nice day!

Best Regards,
Daisy Zhou

DaisyZhou-MSFT answered

Hello @Courtenay-9443,

Thank you for your update.

It is recommended to install procmon and network monitor in the domain admin remote session when the server is normal, and grab a normal procmon trace and network monitor trace.

It is recommended that when the server is abnormal, install procmon and network monitor in the domain admin remote session, and catch an abnormal procmon trace and network monitor trace.

Process Monitor v3.61
https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

Microsoft Network Monitor 3.4 (archive)
https://www.microsoft.com/en-us/download/details.aspx?id=4865

1. Run procmon trace and network monitor as administrator.
2. Reproduce the issue.
3. Save the trace.
4. Compare it yourself to check if you can find any clues.


If it does not work above, considering that your problem may be a bit complicated and cannot be solved by general methods, it may need to collect logs for further analysis and troubleshooting. I suggest you submit a service request to MS Professional tech support service so that a dedicated support professional can further assist you with this request.

The following web site for more detail of Professional Support Options and incident submission methods is for your reference:

https://support.microsoft.com/en-in/gp/contactus81?forceorigin=esmc&Audience=Commercial

https://support.microsoft.com/en-us/help/4051701/global-customer-service-phone-numbers


Thank you for your understanding and support.


Best Regards,
Daisy Zhou
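
An added example, not part of the original answer: one way to carry out the comparison in step 4 is to export both Process Monitor traces to CSV and list the ACCESS DENIED results that appear only in the abnormal trace. The column names follow Procmon's CSV export; the sample rows, process names, paths and function names are constructed for illustration.

```python
import csv
import io
import re
from collections import Counter

HEADER = '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"\n'
# Constructed sample rows (not from the thread) in Procmon's CSV export layout.
NORMAL_CSV = HEADER + r'''"9:00:01 AM","svchost.exe","1100","RegOpenKey","HKLM\SOFTWARE\Policies\Microsoft","SUCCESS",""
"9:00:02 AM","svchost.exe","1100","RegOpenKey","HKU\S-1-5-21-1111-2222-3333-1001\Software\Policies","ACCESS DENIED",""
'''
ABNORMAL_CSV = HEADER + r'''"9:30:01 AM","svchost.exe","1164","RegOpenKey","HKU\S-1-5-21-1111-2222-3333-1002\Software\Policies","ACCESS DENIED",""
"9:30:02 AM","svchost.exe","1164","CreateFile","C:\Users\testuser\NTUSER.DAT","ACCESS DENIED",""
"9:30:03 AM","svchost.exe","1164","CreateFile","C:\Users\testuser\NTUSER.DAT","ACCESS DENIED",""
"9:30:04 AM","winlogon.exe","620","RegOpenKey","HKLM\SOFTWARE\Policies\Microsoft","SUCCESS",""
'''

# Per-user SIDs differ between sessions; mask them so equivalent paths match.
SID_RE = re.compile(r"S-1-5-21(?:-\d+)+")


def load_events(text):
    """Parse CSV text. For a real export, read the file with
    open(path, newline="", encoding="utf-8-sig") and pass its contents."""
    return list(csv.DictReader(io.StringIO(text)))


def failures(events, result="ACCESS DENIED"):
    """Count events with the given Result, keyed by (process, operation, path).
    PID and time are left out of the key because they change on every run."""
    counts = Counter()
    for e in events:
        if e["Result"] == result:
            path = SID_RE.sub("<SID>", e["Path"])
            counts[(e["Process Name"], e["Operation"], path)] += 1
    return counts


def new_failures(normal, abnormal, result="ACCESS DENIED"):
    """Failures seen in the abnormal trace but never in the normal baseline."""
    baseline = failures(normal, result)
    bad = failures(abnormal, result)
    only_bad = [(k, n) for k, n in bad.items() if k not in baseline]
    return sorted(only_bad, key=lambda kv: -kv[1])


if __name__ == "__main__":
    rows = new_failures(load_events(NORMAL_CSV), load_events(ABNORMAL_CSV))
    for (proc, op, path), n in rows:
        print(f"{n:4d}  {proc}  {op}  {path}")
```

Denials that also occur in the normal trace are treated as baseline noise and dropped, which leaves a short list of paths to check permissions on.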


DaisyZhou-MSFT answered Courtenay-9443 commented

Hello @Courtenay-9443,

Thank you for posting here.

To better understand our question, please confirm the following information below at your convenience:
1. Is there a group policy client service fail problem with only one rdsh?
2. Based on the description "I followed the steps outlined in the article below, but to no avail." what article link did you follow?
3. How did you do this: "To bypass this, we sometimes run remote desktop and redirect the user to another server in the pool (example, if they are affected on the first terminal server, we point them to the second)."? Please provide the screenshot if possible.
4. Based on the description "Occasionally, users receive a group policy client service failed the logon message when they attempt to access any of the four (4) terminal servers.", how did user attempt to access any of the four (4) terminal servers and received the error message?
5. This question is random, is it right?
6. Please check whether any user can logon any domain machine successfully?


Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou


Thanks for the reply. Please see my responses to your questions in order below:

  1. It happens on all four (4) session host servers but randomly on each one for users

  2. I run mstsc and enter the DNS name that does round-robin between the four (4) SH servers, so it sometimes takes them to another one in the pool. Or if they are getting the error on, let's say, SH server 1, I put the hostname of SH server 2, e.g. sessionhost2 /admin, and put my credentials to let them in, as admin accounts are fine.

  3. We don't want them to see the desktop on the terminal servers so it launches a browser session directly to the web-app which starts up as they logon. During logon they get the error message from a remote desktop screen before it loads the browser-app.

  4. Yes this occurs randomly on any of the terminal servers for any user

  5. Yes they can, other domain machines work

