Windows Group Policy Client: log on failed.

  • This was an interesting one this morning, and took me about an hour to resolve.

    The Group Policy Client Service failed the logon. Access denied

    Issue with this computer / user started yesterday when called to get the User password reset. Got that done, and all was good for the day.

    Called in again today for a password reset, but then this was the error message when I remoted to the computer.

    Found an MS article which stated to drop from the domain and rejoin. Did, twice. Didn't work. Went so far as to roll the computer back to 12/4 and run updates.

    In doing this, I also looked for the domain computer account to see if it was being removed. Oddly, it seemed to remain, but more so, it was disabled.

    Re-enabled the computer, and now all is okay.

    The biggest question is why? Why would the computer account have been disabled between yesterday and today?

  • Question, did you look at the computer account on the domain before or after you left and rejoined the domain with the account?

    I've noticed when you leave a domain (and join a workgroup) with a workstation, the AD computer account is not deleted, often it's disabled, but even that has not been consistent for me as I'll go look at the account afterward and see it just sitting there like normal.

  • What functional level is the domain? I seem to remember computer accounts that leave the domain on with Windows 2012R2 functional accounts get disabled where in previous versions they didn't.

  • @Dashrender
    Sadly no, it did not occur to me. Previously AD just removed the account. In some regard I suppose that was an error on my part, but not completely.

  • Yesterday I only did a password reset. No dis/join domain. So not sure why it occurred.

  • Bad DNS config, bad system naming, or network speeds can cause systems to fall off the domain. When this happens I usually just delete the computer account from the domain, rejoin the computer to the domain, and move on.

  • We rarely if ever disable a computer account, we just disable the user and reboot.

    In the event where a system is for some reason disjoined from the domain, we sign in locally and rejoin it. (WORKGROUP reboot / Domain reboot)

    I've seen this happen due to time sync issues and long periods of time disconnected from the work network, to name a few.

    As for from 1 day to the next, I'd be thinking DNS or Time Sync issues... Is the system clock right on your DC and this machine?

  • net time /domain:<domain here> /set /y

    Does the PC get turned off overnight?
    How old is it?
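
Added example, not part of any post in this thread: one way to find out when a computer account was disabled and on which domain controller, using the ActiveDirectory module (RSAT). The computer name `PC-EXAMPLE01` is a placeholder, and the event query assumes Computer Account Management auditing is enabled on the domain controllers.

```powershell
# Added example (not from the thread). Run from a machine with RSAT and
# rights to read AD and the DC Security log.
Import-Module ActiveDirectory

$name = 'PC-EXAMPLE01'   # placeholder: the affected workstation

# 1. Current state of the account.
$computer = Get-ADComputer -Identity $name `
    -Properties whenChanged, PasswordLastSet, LastLogonDate
$computer | Select-Object Name, Enabled, whenChanged, PasswordLastSet, LastLogonDate

# 2. Replication metadata: when userAccountControl (which carries the
#    "disabled" bit) was last written, and on which DC the write originated.
$dc   = (Get-ADDomainController).HostName
$meta = Get-ADReplicationAttributeMetadata -Object $computer.DistinguishedName `
    -Server $dc -Properties userAccountControl
$meta | Select-Object AttributeName, Version, LastOriginatingChangeTime,
    LastOriginatingChangeDirectoryServerIdentity

# 3. The originating DC is reported as an NTDS Settings DN, e.g.
#    "CN=NTDS Settings,CN=<server>,CN=Servers,...". Take the server part.
$originDc = ($meta.LastOriginatingChangeDirectoryServerIdentity -split ',')[1] -replace '^CN='

# 4. Event 4742 ("A computer account was changed") on that DC, within an
#    hour either side of the change, names the account that made it.
$when = $meta.LastOriginatingChangeTime
Get-WinEvent -ComputerName $originDc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4742
    StartTime = $when.AddHours(-1)
    EndTime   = $when.AddHours(1)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape("$name`$") } |
    Select-Object TimeCreated, MachineName, Message

# 5. Clock offset between this machine and the DC, since time sync was
#    raised as a possible cause.
w32tm /stripchart /computer:$dc /samples:3 /dataonly
```

If step 4 returns nothing, the Security log on that DC may have rolled over or the audit subcategory may not be enabled; the timestamp and originating DC from step 2 are still available either way.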
