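When logging on to my remote desktop server, I get the error "The Group Policy Client service failed the logon. Access is denied"
Steps to recreate the problem… (Windows 2008 Server - DC and Windows 7 as client)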
1) Create a new user in the domain. Example: user1
2) Set the user's "Remote Desktop Services User Profile" to a network path. Example: \\myserver\profiles\bullpin
3) Logon with user1 to the remote desktop (SERVER_A), then create a new shortcut to a web page. Example: http://google.com -> Named: Google
4) Logout with user1.
5) Create a new user in the domain. Example: user2
6) Set the user's "Remote Desktop Services User Profile" to the same network path. Example: \\myserver\profiles\bulpin
7) Logon with user2 to the remote desktop (SERVER_A). YOU SHOULD GET AN ERROR!
ERROR: "The Group Policy Client service failed the logon. Access is denied"
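Update:
My answer below solved this problem and everything seems fine. Now I'm looking for how to avoid this in the first place, without having to change the permissions while the error is still up (it lasts for under 30 seconds). Can I change the permissions of the key before a user tries to log on?
Note: If I have to manually load the profile under HKEY_USERS, please explain how to do that.
Thanks!
Digging around for answers on the web, in logs, etc., I found something interesting…
Looking at SERVER_A's logs (Windows Logs -> Application), I found the following 2 entries…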
1) The winlogon notification subscriber <GPClient> failed a critical notification event.
2) The winlogon notification subscriber <Sens> failed a notification event.
Then, reading around, I thought to look at another log on SERVER_A (Applications and Services Logs -> Microsoft -> Windows -> User Profile Service -> Operational) and found these entries…
1) Recieved user logon notification on session 1.
2) Registry file C:\Users\user1\ntuser.man is loaded at HKU\S-1-5-21-2420121206-1056658499-602520278-4624.
3) Registry file C:\Users\user1\AppData\Local\Microsoft\Windows\\UsrClass.dat is loaded at HKU\S-1-5-21-2420121206-1056658499-602520278-4624_Classes.
4) Finished processing user logon notification on session 1.
5) Recieved user logoff notification on session 1.
6) Finished processing user logoff notification on session 1.
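Wondering what the heck "loading" a user profile into the registry actually meant, I started poking around and found that the registry hive on SERVER_A (Run -> regedit.exe or Windows Key+R -> regedit.exe) has a key called "HKEY_USERS". Inside it I could not find the referenced GUID!!! So, investigating things, I had an idea. Try to connect to the remote desktop as usual, get the error message, but do not click OK on the error. Let it sit there. Quickly (because it times out soon) I jumped over to SERVER_A and refreshed the registry with F5, and sure enough the GUID entry appeared!!! Before that logon error message timed out, I right-clicked the GUID "HKU\S-1-5-21-2420121206-1056658499-602520278-4624", went to "Permissions" and found that this was the problem…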
My original user1 has rights to that key (HKU\S-1-5-21-2420121206-1056658499-602520278-4624) but there was no sign of user2!
So to fix this I did the following…
Before the logon error timed out I quickly updated the permissions to REMOVE the user1 entry and added a group that I had called "BullPin", which was a group created with user1 and user2 in it.
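
The update in the question asks how to set the key's permissions before a user logs on. One way to do that, as an added example that is not part of the original post: load the profile's hive file under HKEY_USERS from an elevated PowerShell prompt, grant the group access, and unload it again. Assumptions: the hive is the ntuser.man file directly inside the shared profile folder, MYDOMAIN is a placeholder domain name, TempProfileHive is an arbitrary mount name, and FullControl is the right to grant.

```powershell
# Added example: grant a group access to a shared profile hive before any logon.
# Assumed values (not from the original post): hive file location, MYDOMAIN,
# the temporary mount name, and FullControl as the granted right.
param(
    [string]$HivePath = '\\myserver\profiles\bullpin\ntuser.man',  # assumed file location
    [string]$Group    = 'MYDOMAIN\BullPin',                        # MYDOMAIN is a placeholder
    [string]$Mount    = 'TempProfileHive'                          # temporary key under HKEY_USERS
)

$ErrorActionPreference = 'Stop'
if (-not (Test-Path -LiteralPath $HivePath)) { throw "Hive not found: $HivePath" }

# Load the hive file under HKEY_USERS. Needs an elevated prompt, and no user of
# this profile may be logged on (the file is locked while the profile is loaded).
& reg.exe load "HKU\$Mount" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

try {
    $keyPath = "Registry::HKEY_USERS\$Mount"
    $acl = Get-Acl -Path $keyPath

    # Show the existing entries first so the change can be reviewed
    Write-Host 'Access entries before the change:'
    $acl.Access | Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize

    # Allow the group on the hive root; ContainerInherit passes the entry on
    # to subkeys that inherit from their parent
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Group, 'FullControl', 'ContainerInherit', 'None', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl

    Write-Host 'Access entries after the change:'
    (Get-Acl -Path $keyPath).Access |
        Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize
}
finally {
    # Release .NET handles on the key; reg unload fails while any are still open
    $acl = $null
    [gc]::Collect()
    [gc]::WaitForPendingFinalizers()
    & reg.exe unload "HKU\$Mount" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed; unload HKU\$Mount manually" }
}
```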