I know a number of people have encountered this error when using roaming profiles under Server 2008: "Group Policy Client Service Failed the logon - Access Denied" It's apparently related to the usage of the v1 and v2 roaming profiles. We recently upgraded a small business client to Server 2008 R2 Foundation. It mostly went pretty smoothly. They still have a mix of Windows XP and Windows 7 workstations. For now, we have four users set up. Since this is a veterninarian's office, they tend to roam around and log into different workstations. With two of the users, we eventually started getting the above error whenever they attempted to log into any Windows 7 workstation. I assume this indicated a problem with the v2 profile, which is automatically created I believe the first time one is roaming on Vista, 7, or Server 2008. After trying all the possible solutions I found here in the forums and other websites, I gave up and totally wiped out their profiles and started over. (I understand this causes them to get a new SID.) Once again, both the V1 and V2 profiles for these two users worked for a few hours, then reverted back to the error above. Is this an issue where the V1 and V2 profiles don't stay linked to each other? The only thing unique I can think of with these two users is that they use Outlook 2003, which has their PST file located in their home directory. Later this week, we will be replacing their remaining XP workstations with new Windows 7 PCs. Would I be correct in telling the client that the roaming profile issue will no longer be a concern, since they will always use their v2 profile? (I understand I may have to delete/create their profiles once again.) This is really irritating and time-consuming, not to mention inconvenient for the client. I would like to be certain we won't have recurrance of this common issue. Thanks!

I have both W XP and W 7 in my system and never encountered any problem. W XP are in one OU and W 7 are in diferrent OU. Both OUs have their GPO. For W XP I use UPHclean to help moving the profile correctly. In your case I recommend to activate AUDIT and see, what happens. Users are expected to logon on ONE workstation only. Homogeneous system with W 7 only will make your system more transparent and hopefully without errors like this one.

I have both W XP and W 7 in my system and never encountered any problem. W XP are in one OU and W 7 are in diferrent OU. Both OUs have their GPO. For W XP I use UPHclean to help moving the profile correctly. Just to clarify, do you mean you keep the computers in different OUs within Active Directory? I would have thought that was irrelevant to the user's profiles. In your case I recommend to activate AUDIT and see, what happens. Users are expected to logon on ONE workstation only. I may try audit. When we were planning their network, we did advise them it was best to each have their own workstation. However, they move throughout the business, from front desk to lab to pharmacy to surgery to back office. I had always believed roaming profile would make this possible and efficient. For the most part, it does, except for this irritating glitch apparently a lot of people get under 2008 and even 2003 (Vista vs XP workstations). Homogeneous system with W 7 only will make your system more transparent and hopefully without errors like this one. I surely hope so. I would like to be more confident about that when we reassure them, as this does reflect badly on our capabilities. I am hoping someone responds here who has been through the same scenario and resolved it permanently. Thanks for the input.

Splitting OU will enable to trace OS specific problems. The only real need for system, that works as expected is WSUS setting. Are there any more EventLog traces to your problem? Is this specific for workstation only or the logged domain user plays the role? Give a try to GPO modelling. W 7 workstations are vanilla clean installs or upgrade/ migration from W XP?

Splitting OU will enable to trace OS specific problems. The only real need for system, that works as expected is WSUS setting. Are there any more EventLog traces to your problem? Is this specific for workstation only or the logged domain user plays the role? Give a try to GPO modelling. W 7 workstations are vanilla clean installs or upgrade/ migration from W XP? I did look at the event log when this happened a few weeks ago and recall it mentioned something about permissions (perhaps with home directory?), but don't have access to it right now. Obviously, the error was only happening with their v2 profile which was used when they attempted to log into a Windows 7 PC. I'm pretty certain it did not happen for workstation only logins. And as I said, it didn't happen right away, as they were able to log into XP and 7 roaming profiles for a few hours. Something disrupted the v2 roaming profile, I assume, which is why I mentioned the unique variable for these two users being Outlook 2003. The Windows 7 machines are brand new purchases with that OS already installed. Would it provide an extra level of protection perhaps to create an OS group policy which required workstations to be at mimimum WIndows 7 or Server 2008? Is it possble to lock out the v1 profile from ever being used? My main concern is for this issue to no longer occur after we have the whole workstation environemnt at Windows 7. Thanks!

Hi, As we all know, V1 user profiles are not compatible with V2 user profiles, computers running Windows Vista/7 cannot read roaming user profiles created from Windows XP. In this case, I suggest combining Folder Redirection with roaming user profiles to avoid this issue for users that switch from Windows Vista/7 and Windows XP. Managing Roaming User Data Deployment Guide http://technet.microsoft.com/en-us/library/cc766489(WS.10).aspx >Would it provide an extra level of protection perhaps to create an OS group policy which required workstations to be at mimimum WIndows 7 or Server 2008? Is it possble to lock out the v1 profile from ever being used? You can create a filter that allows a GPO to apply to operating systems later than Windows 7 and Windows server 2008. Fun with WMI Filters in Group Policy http://blogs.technet.com/b/askds/archive/2008/09/11/fun-with-wmi-filters-in-group-policy.aspx WMI GPO Filters for Operating System Types http://derek858.blogspot.com/2010/07/wmi-gpo-filters-for-operating-system.html Best Regards, Brent Hu TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ”

Hi, As we all know, V1 user profiles are not compatible with V2 user profiles, computers running Windows Vista/7 cannot read roaming user profiles created from Windows XP. In this case, I suggest combining Folder Redirection with roaming user profiles to avoid this issue for users that switch from Windows Vista/7 and Windows XP. I do use both a Folder Redirection policy and roaming profiles. By suggesting I combine them, do you mean simply using both, or is there some process I am not aware of? After we replaced the remaining XP workstations with new Win 7 Pro workstations, I spent several hours trying to make this work. I deleted the user IDs, deleted their profile folder (v1 and v2), then recreated the users, created the profile folder and copied the default user profile. After setting the home directory, I manually confirmed the appropriate folder permissions were in place. I was so sure without the XP workstations and with deleting the original profiles, I would avoid the "access denied" error. When the user logs in for the first time, the v2 profile is automatically created, the home directory mapping and folder redirects work fine. However, just like before, a few minutes go by, and logging in generates the "Group Policy Client Service Failed the logon - Access Denied" error which stops them from logging in. I am totally floored that it can still happen. Where is it still calling upon the v1 profile? In the interim, I have removed roaming profiles and have them using local profiles, which is a headache. The "Group Policy Client Service Failed the logon - Access Denied" error still occasionally pops up, but seems to time out eventually. I really do need to move them back to roaming profiles, but can't imagine what else there is to fix. Is this perhaps something I am doing wrong when recreating their initial profile folder? It doesn't seem to work if I only go with the v2 folder, so I assume the v1 is still required. Should I not be copying the default user into the v1 so they have an initial layout to start with? Does Vista/7 still need the V1 profile folder in some way? I really couldn't tell from the article provided. Thanks for the input, guys.