At work, we’ve long been using Roaming Profiles for most of our users, because despite their issues, it works well for users that move around and use many different PCs.
Again, it’s not best practice by any means, but Domain Users also have local administrative access to their PCs. At one time, there were several pieces of software that required it, and we just never made any changes after that.
Any new users that were created had their roaming profile copied from a generic profile folder that we have saved on the network to be copied to a new users folder. Once copied, we will assign proper rights/ownership and then log in as the new user for any final setup.
We’ve recently decided that we need to phase out all local admin access to these users, and move Domain Users over to the local Power Users group. However, before we could even get into the testing phase for any of this, we were dead in the water with an error message at login.
The Group Policy Client service failed the logon. Access is denied.
After trying our best to research why this would happen with no local admin access, we came up short, and were honestly at a bit of a dead end. Most of anything we would search only returned the most generic unrelated issues with that message.
One day, I must have typed something just right into a search because that’s when I stumbled across this forum post discussing someone having the same error when trying to have several users use the same mandatory network profile.
This was mostly unrelated to our use case, but some of the posters there got me thinking that much like the OP’s issue was the registry rights in his ntuser.man file, how the rights in our ntuser.dat files may be our issue, as we copy the same generic profile to every new user.
That was indeed the solution we needed to get rid of the error, and have our roaming users login and load their profiles without local admin access. See below for what needs to be done to the ntuser.dat files to resolve this.
This will require editing the permissions on the registry entries in ntuser.dat
Open up regedit (it can be on anything, server or workstation as you won’t be modifying the existing registry on that station).
Select/highlight HKEY_USERS, then click File, Load Hive.
Browse to and open the ntuser.dat file under the user’s roaming profile folder you need to edit. Give it a name on the next prompt (this is just a local nickname for this process, so use whatever like the user’s first name) and it’ll appear under HKEY_USERS.
Then right click on it, go to Permissions and change them as you would with a file (give the appropriate user full control).
Now with that user’s hive still selected, click File, Unload Hive.
That’ll save the changes.