Windows-Server-2008

When logging on to my Remote Desktop server, I get the error "The Group Policy Client service failed the logon. Access is denied"

  • August 7, 2019

Steps to recreate the problem… (Windows 2008 Server as the DC and Windows 7 as the client)

1) Create a new user in the domain.
  Example: user1
2) Set the user's "Remote Desktop Services User Profile" to a network path.
  Example: \\myserver\profiles\bullpin
3) Logon with user1 to the remote desktop (SERVER_A), then create a new shortcut to a web page.
  Example: http://google.com -> Named: Google
4) Logout with user1.
5) Create a new user in the domain.
  Example: user2
6) Set the user's "Remote Desktop Services User Profile" to the same network path.
  Example: \\myserver\profiles\bulpin
7) Logon with user2 to the remote desktop (SERVER_A).  YOU SHOULD GET AN ERROR!
  ERROR: "The Group Policy Client service failed the logon.  Access is denied"

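Update:

My answer below solved the problem, and everything seems fine. Now I am looking for how to avoid this situation in the first place, without having to change the permissions while the error is still showing (it lasts for 30 seconds). Can I change the permissions on the key before the user tries to log on?

Note: If I have to manually load the profile into a hive under HKEY_USERS, please explain how to do that.

Thanks!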

Digging for an answer on the net, in logs, etc., I found something interesting…

Looking at SERVER_A's logs (Windows Logs -> Application), I found the following 2 entries…

1) The winlogon notification subscriber <GPClient> failed a critical notification event.
2) The winlogon notification subscriber <Sens> failed a notification event.

Then, reading around, I thought to look at another log on SERVER_A (Applications and Services Logs -> Microsoft -> Windows -> User Profile Service -> Operational) and found these entries…

1) Recieved user logon notification on session 1.
2) Registry file C:\Users\user1\ntuser.man is loaded at HKU\S-1-5-21-2420121206-1056658499-602520278-4624.
3) Registry file C:\Users\user1\AppData\Local\Microsoft\Windows\\UsrClass.dat is loaded at HKU\S-1-5-21-2420121206-1056658499-602520278-4624_Classes.
4) Finished processing user logon notification on session 1.
5) Recieved user logoff notification on session 1.
6) Finished processing user logoff notification on session 1.

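Wondering what the heck it means to "load" a user profile into the registry, I started messing around and found that the registry on SERVER_A (Run -> regedit.exe or Windows Key+R -> regedit.exe) has a key called "HKEY_USERS". Inside it I could not find the referenced GUID!!! So, investigating things, I had an idea: try connecting to the remote desktop as usual, get the error message, but do not click OK on the error. Let it sit there. Quickly (because it times out soon) I jumped over to SERVER_A and refreshed the registry with F5, and sure enough the GUID entry appeared!!! Before that logon error message timed out, I right-clicked the GUID "HKU\S-1-5-21-2420121206-1056658499-602520278-4624", went to "Permissions", and found that this was the problem…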

My original user1 has rights to that key (HKU\S-1-5-21-2420121206-1056658499-602520278-4624) but there was no sign of user2!

So to fix the problem, I did the following…

Before the logon error timed out, I quickly updated the permissions to REMOVE the user1 entry and added a group that I had called "BullPin", which was a group created with user1 and user2 in it.
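
For the follow-up question about changing the permissions before anyone logs on: the same ACL change can be made offline by mounting the profile hive under HKEY_USERS with `reg load`, editing the root key's DACL, and unloading it. The PowerShell below is an added example, not part of the original post. The hive location (the profile share plus `ntuser.man`), the `MYDOMAIN` prefix and the temporary key name `SharedProfileTemp` are assumptions.

```powershell
# Added example (not from the original post). Run elevated while no
# session has the shared profile loaded.
param(
    [string]$HivePath = '\\myserver\profiles\bullpin\ntuser.man', # assumed hive location
    [string]$Group    = 'MYDOMAIN\BullPin',                       # MYDOMAIN is a placeholder
    [string]$OldUser  = 'MYDOMAIN\user1',                         # MYDOMAIN is a placeholder
    [string]$Mount    = 'SharedProfileTemp'                       # hypothetical temporary key name
)

# Mount the hive file under HKEY_USERS so its root key ACL can be edited.
& reg.exe load "HKU\$Mount" $HivePath
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath" }

try {
    # Open the root key with only the rights needed to read and rewrite the DACL.
    $rights = [System.Security.AccessControl.RegistryRights]'ReadKey, ChangePermissions'
    $key = [Microsoft.Win32.Registry]::Users.OpenSubKey(
        $Mount,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        $rights)
    if ($null -eq $key) { throw "HKU\$Mount could not be opened" }
    try {
        $acl = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)

        # Grant the group on the root key, inheritable by subkeys.
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $Group, 'FullControl', 'ContainerInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)

        # Remove user1's explicit entries, as the answer did in regedit.
        $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$OldUser)

        $key.SetAccessControl($acl)

        # Show the resulting DACL for review.
        $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
            Format-Table IdentityReference, RegistryRights, IsInherited -AutoSize
    }
    finally { $key.Close() }
}
finally {
    # Release lingering handles so the unload is not refused.
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    & reg.exe unload "HKU\$Mount"
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed; HKU\$Mount is still mounted" }
}
```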

Quoted from: https://serverfault.com/questions/528104