Group Policy Client failed the logon – Access Denied

Tags: group-policy, permissions, windows-7

Background

  • We have a Server 2008 R2/Win7 domain.
  • We have teachers and students using Windows 7 workstations, deployed via SCCM.
  • Students all refer to a shared profile (\\dfsroot\profiles\student, containing ntuser.dat and all other files and directories set with permissions and ownership set to allow all students access).
  • We are using roaming profiles.
  • Offline files are disabled.

Problem

We have found a subset of our students are unable to log in to Windows 7 workstations, with the error "Group Policy Client failed the login: Access is denied". This ceases if the workstation is moved to a different organisational unit with less policy applied, but this also messes around with targeting for printers and other such preferences. As far as we can tell by doing group policy modelling, there are essentially no group policy differences between a student account that can always log in, and a student account that will always fail.

We've checked permissions over and over again, but it seems odd to me that only a subset would be deterministically affected if permissions were in fact wrong.

Teachers and other non-student accounts have no problems at all, but they also have one profile per account.

I'm really at a bit of a loss as to what to do next. Any ideas?

Best Answer

We have found the problem was in the permissions of the registry hive itself in ntuser.man. So whilst the permissions were correct on the file itself, the registry could not be loaded by the shared users.

This was solved by loading ntuser.man (Load Hive in regedit) and making sure the permissions on it were set to allow access to the entire group of users, instead of just the one.

It all seems to be working fine now.
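As an added example (not code from the original answer), the following PowerShell does the same check the answer describes by hand in regedit: it mounts the shared hive under HKEY_USERS, lists who has access on its root key, and with -Fix grants the students group inherited access before unloading it again. The hive path is taken from the question and answer; the group name CONTOSO\Students and the temporary key name are assumptions.

```powershell
# Added example, not part of the original Q&A. Assumptions: hive at
# \\dfsroot\profiles\student\ntuser.man (from the page), students in the
# hypothetical group CONTOSO\Students, run elevated while no student has the
# profile open (reg load fails if the file is in use).
param(
    [string]$HivePath = '\\dfsroot\profiles\student\ntuser.man',
    [string]$Group    = 'CONTOSO\Students',
    [switch]$Fix
)
$tempKey = 'HKU\TempStudentHive'                      # assumed temporary mount point
$psPath  = 'Registry::HKEY_USERS\TempStudentHive'

# Mount the offline hive so the ACL on its root key can be inspected.
reg.exe load $tempKey $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed (exit $LASTEXITCODE); is the profile in use?" }
try {
    $acl = Get-Acl -Path $psPath
    # A profile copied from one user usually carries only that user's SID here,
    # which shows up as a bare S-1-5-21-... entry instead of the group.
    $acl.Access | Select-Object IdentityReference, RegistryRights, InheritanceFlags, AccessControlType | Format-Table -AutoSize

    $readKey   = [System.Security.AccessControl.RegistryRights]::ReadKey
    $groupRule = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Group -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $readKey) -eq $readKey)
    }
    if ($groupRule) {
        Write-Host "OK: $Group already has at least ReadKey on the hive root."
    }
    elseif ($Fix) {
        # Grant the whole group Full Control on the root and, via ContainerInherit,
        # on every subkey; this is the regedit permission change from the answer.
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $Group, 'FullControl', 'ContainerInherit', 'None', 'Allow')
        $acl.SetAccessRule($rule)
        Set-Acl -Path $psPath -AclObject $acl
        Write-Host "Granted $Group FullControl (inherited) on $HivePath."
    }
    else {
        Write-Warning "$Group has no Allow/ReadKey entry on the hive root; rerun with -Fix to add one."
    }
}
finally {
    # Always unload, otherwise the file stays locked and every student logon fails.
    [GC]::Collect()                                   # release handles held by Get-Acl/Set-Acl
    reg.exe unload $tempKey | Out-Null
}
```

The listing step is the useful diagnostic on its own: if the only Allow entries on the root key belong to SYSTEM, Administrators and a single user SID, every other student will hit the "Access is denied" logon failure even though the NTFS permissions on the file look right.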