Original Post: https://appuals.com/fix-group-policy-client-service-failed-logon/

Group policy is an account management utility in Windows that lets you predefine the terms of use and interaction of user accounts in a certain group. The group can be standard/limited group, administrators group, guest groups, and any other group you have created. These groups will then be guided by the policy you created. The group policy is therefore invoked during login in depending on which group the user belongs.

Several users have reported a login issue. The system becomes slow on some applications and some do not work. After a restart on their PC, they can no longer log in to the system. On entering a password, the system takes way too long to login and after a while it gives back an error stating ‘Group Policy Client service failed the logon: Access denied.’ For some, they can still be able to log in as an administrator, while others only have one account on their PC; which means they are completely locked out of their system.

 

How logging in works and why a login error occurs

Winlogon communicates with the Group Policy service (GPSVC) through a call upon system startup for computer policy and with user logon for user policy. The Group policy service then isolates itself into a separate SVCHOST process (it is originally running in a shared process with other services). Because communications have already been established before the service isolation, Winlogon can no longer contact the Group Policy service, and this results in the error message that is described in the Symptoms section.

Therefore this error is caused by a group policy that fails to respond or if it stops running. This could be due to bad registry calls or a corrupt registry. Usually, this is caused by system updates and upgrades that might mess with the registry. A bad shutdown or startup process can also cause this issue.

This can also happen when you try to logon using a non admin account in a PC that had some applications or drivers that were installed with admin privileges before. These applications will not support non-elevated environments. The conflict will therefore cause the error. The most application category that causes this issue to so many people is third party web browsers like Google chrome; which doesn’t need admin privileges to run.

Here are solutions on how you can remedy this situation in Windows 10; the methods also work in Windows 8.1. If you are locked out of your computer completely (you had only one account), then you should try method 3.

Method 1: Edit registry using an administrator account

If you are able to login into your computer as in most cases, you can try fixing the registry using the method below. Your registry keys might be missing after a system upgrade (e.g. Windows 7 to Windows 10).

  1. Press Windows Key + R to open run
  2. Type regedit in Run dialog box and hit enter to open the Registry Editor
  3. In the left pane of Registry Editor, navigate to following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gpsvc

  4. Make sure that this key is intact but do not change anything
  5. Navigate to this key
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SVCHOST
  6. This is the most important path you should look into, as it contains the keys and values referred in the key in step 3.  Below are descriptions what must be present there.
  7. There must be Multi-String value called GPSvcGroup.  If it is missing, right click on the panel on the right and create a new multi-string value named GPSvcGroup and assign it value GPSvc.
  8. Next, you must create a key (a folder) and name it GPSvcGroup – this key normally should be there. To do this, right click on the panel on the right and select New > Key. Name the new key as GPSvcGroup
  9. Then open newly-created GPSvcGroup folder/key, right click on the panel on the right and create 2 DWORD values:
  10. First called AuthenticationCapabilities and you must give it a value of 0x00003020 (or 12320 in decimal)
  11. Second is called CoInitializeSecurityParam and it must have value of 1.
  12. Restart your PC after the changes