Windows "Group policy" problem

[dddave]

Win 8.1 w/Classic Shell (non-touch), HP Sleekbook 15,

For the last week, when I open my laptop, I get a pop-up reading in part:

"Failed to connect to a windows service

Windows could not connect to the Group Policy Client service."

I Googled this and it appears that once again, a Windows update has screwed things up. It seems to be a registry issue which is a part of my machine I have heretofore carefully avoided as I tend to screw things up worse.

What I found was one has to log on as administrator, then find and replace missing CONFIG keys....AAAARRRGGGHHHHH!!!

Any simpler suggestions? Interestingly, I can log on to FIREFOX but not CHROME, my usual browser.

Is there any chance that if I just leave it alone, Windows will self diagnose the problem and fix it?

Why does Microsoft hate me?

[NeverSure]

Do you back up your registry regularly? It is usually backed up just before updates are installed. You are probably going to have to uninstall your most recent updates and then either edit the registry or with luck they will either be fixed by uninstalling or by a system restore.

I suspect your copy of Windows was extracted from an installation that was once in an enterprise environment including Microsoft Server and Active Directory (AD). I suspect another computer was either Sysprepped and or converted to an .msi file and then installed on your computer. It was probably done either by imaging or by running the .msi file which replaces Setup in that case.

When a client workstation is joined to a network that involves a domain controller which is a server running Server and Active Directory, it gets all of its permissions from the Server. It may well even get files and folders and programs from the server. At that point the only one who can do what you want to do is someone who has admin privileges to the server. Your computer is looking for that server which has AD and your needed resources.

I agree it is something in the registry and I hope you either have an earlier version of the registry or an image of the hdd before the updates were installed. Try to uninstall the updates and see if you even have permission at this point. If not try a system restore and restore the registry to a date before the updates. If you're locked clear out that hdd is going to need to go into another computer as a slave and then maybe you can take ownership and change the permissions.

To anyone else reading please make regular images of the HDD using a free utility such as Macrium Reflect or Easeus to do. Be sure to make the rescue boot CD.

Post back please. PM me if no one answers.

Edited June 22, 2015 by NeverSure

[NeverSure]

Group policy is part of AD. It's really slick in that the admin can make groups on the server and assign permissions to each group. Then all he has to do is join a user to that group and it inherits the permissions of the group. This makes it easy in a hospital to give nurses permissions to the patient medical files but not to payroll. Then the HR department bookkeepers get permissions to the payroll accounts but not medical records. Execs are members of both groups and can see everything. It can be as granular as wanted and have as many groups as needed and the rest is easy.

Your group's policy is what is missing. Your computer is looking for that server so it can log on and get permissions.

I think. Pretty sure, LOL.

Edited June 22, 2015 by NeverSure

[Crossy]

Why does Microsoft hate me?

Do you have a genuine copy of Windows?

[NeverSure]

Oops...wrong thread.

Edited June 22, 2015 by NeverSure

[thedemon]

Try running sfc /scannow from an administrative command prompt.

[JeffreyO]

So a few questions, is this computer part of a domain or is it a personal computer?

You could go into services.msc and check to see if Group Policy Client service is started, if it is not, right click it and click 'start'. If it is set to anything other than automatic, change it to automatic. Do that and reboot your computer, let me know if the service still shows it is having issues.

[dddave]

Thanks for the replies. I have never ever done a specific registry back-up, wouldn't know how. This laptop was purchased new from a US Walmart with genuine Win-8 pre-installed, never in anybody else s hands so I don't see how my Win could be extracted from another installation.

Right now, it seems to be functioning ok. When I first logged on today, I could not load Chrome but could Firefox. Later, FF became balky but Chrome loaded and I am on that now so it seems the affects of this are intermittent.

The Demon: What do I do once I run "sfc /scannow"? What do I look for and how do I deal with what I may find?

I hate doing "system restores" but that may be what I'll need to do if problems persist

[dddave]

JeffreyO

Thanks...just went into services.msc. Group policy status was blank...not "Running", not "Stopped", start-up type was "Automatic (Trigger start)

computer is HP laptop, personal and only in my use.

Edited June 22, 2015 by dddave

[JeffreyO]

It sounds like the service didn't start properly when your computer rebooted, when you right clicked and hit 'start' were you able to get the service started or did it toss you an error?

[JeffreyO]

PS: If the service starts without issue, please don't worry about registry editing or anything else major.

on the other hand if it doesn't start you'll keep encountering the error until what's preventing the service from starting is resolved, which I can help you with further if you're unable to get the service started.

[thedemon]

The Demon: What do I do once I run "sfc /scannow"? What do I look for and how do I deal with what I may find?

I hate doing "system restores" but that may be what I'll need to do if problems persist

The System File Checker scans for corrupted or missing Windows System files. If any are found it will repair them automatically after the verification phase. It may 20 minutes or longer.

1 - Move the cursor to the bottom left corner windows logo, right click and select "Command Prompt Admin"

2 - OK the UAC warning

3 - Type "sfc /scannow" (without the quotes) and press enter.

That's it. After the scan is complete there will be a message saying whether any corruptions were found and if so, whether they could be repaired.

[Chicog]

Dear OP,

If you found out that an update caused this problem, try removing it.

Then post which update it was and we can look into it for you.

[dddave]

TheDemon..when I Rt. clicked on Win logo in lower left corner I did not get "Command Prompt Admin", I got a dialog box with the following: What am I missing?

Windows explorer

Open

Open all users

settings

help

exit

When I tried sfc.scannow in the command box, I got "No items match your search"

My machine seems to be functioning normally now. I'll shut it down for the night and see what happens in the AM.

Thanks again to all those who took the time to make suggestions.

[thedemon]

TheDemon..when I Rt. clicked on Win logo in lower left corner I did not get "Command Prompt Admin", I got a dialog box with the following: What am I missing?

Windows explorer

Open

Open all users

settings

help

exit

When I tried sfc.scannow in the command box, I got "No items match your search"

My machine seems to be functioning normally now. I'll shut it down for the night and see what happens in the AM.

Thanks again to all those who took the time to make suggestions.

If you press the Windows key + X key it should bring up the same menu. From that list select Command Prompt (Admin)

Click OK to the dialog box that follows

Now you should see a window like this

At the prompt in that box type sfc /scannow (not sfc.scannow as you wrote above)

Press Enter

[JeffreyO]

Dave,

SFC is short for "System File Check". It certainly won't hurt to run /scannow as it will attempt to repair any system files it finds issues with, even if unrelated to your current problem.

With that in mind, a service having not been started but immediately starts when you right click on it and start service isn't something that needs repairs via sfc. So long as the service starts automatically when you reboot your computer next time, the issue that led you to troubleshoot is resolved.

[dddave]

Once again, thanks to all who have contributed to this thread.

This AM, same scenario as yesterday. On start-up, "Group Policy" pop-up appeared. I was again unable to open CHROME but was able to open FIREFOX. and browse normally.

I followed "The Demon's" updated instructions for running "sfc/scannow" and waited about 40 minutes while a complete scan was done.

When finished, I got a message in the command window that some files were fixed, some not fixed and it suggested " C:\windows\Logs\CBS\CBS.log."

This proved to be a dead end...something like "command not recognized" Sorry, I do not know how to do screen shots so no record of it.

I decided to try a re-start and when the the computer opened, no "Group Policy" pop-up appeared and CHROME opened normally and functioned normally. Time will tell.

Thanks.

[JeffreyO]

It generated a log file called CBS.log. You can just open a folder and browse there and open it with notepad.

[dddave]

You can just open a folder and browse there and open it with notepad.

Sorry, I don't understand. How do I access this folder? I have never used notepad. I am really clueless when it comes to any kind of terminology.

Thanks for your help. I've done several re-starts and things seem to be back to normal.

For now.

[Chicog]

If it's working don't worry about looking at log files. They probably won't make any sense anyway.

[Para]

Group policy is part of AD. It's really slick in that the admin can make groups on the server and assign permissions to each group. Then all he has to do is join a user to that group and it inherits the permissions of the group. This makes it easy in a hospital to give nurses permissions to the patient medical files but not to payroll. Then the HR department bookkeepers get permissions to the payroll accounts but not medical records. Execs are members of both groups and can see everything. It can be as granular as wanted and have as many groups as needed and the rest is easy.

Your group's policy is what is missing. Your computer is looking for that server so it can log on and get permissions.

I think. Pretty sure, LOL.

I am currently supporting a very large Windows environment and we often get GP log on failures. I simply remove the local profile whilst logged in as admin and then back onto the AD domain as the user which copies down a new profile. Never heard of it outside the Enterprise environment.

What happens if you log in with a different local account?

[NeverSure]

Group policy is part of AD. It's really slick in that the admin can make groups on the server and assign permissions to each group. Then all he has to do is join a user to that group and it inherits the permissions of the group. This makes it easy in a hospital to give nurses permissions to the patient medical files but not to payroll. Then the HR department bookkeepers get permissions to the payroll accounts but not medical records. Execs are members of both groups and can see everything. It can be as granular as wanted and have as many groups as needed and the rest is easy.

Your group's policy is what is missing. Your computer is looking for that server so it can log on and get permissions.

I think. Pretty sure, LOL.

I am currently supporting a very large Windows environment and we often get GP log on failures. I simply remove the local profile whilst logged in as admin and then back onto the AD domain as the user which copies down a new profile. Never heard of it outside the Enterprise environment.

What happens if you log in with a different local account?

Well, I was obviously wrong in my knee-jerk reaction. We did have one just a while back that got reinstalled rather than fixed, I believe. There are people installing pirated copies from enterprise environments, especially from .msi files.

You're mentioning what to correctly do if there's actual a domain controller, to get logged back in. I think? With these pirated copies when they go sour there isn't and never was a domain controller for this machine, but they are looking for it to log on.

The other possibility which I was looking for would be a legal copy which had been removed from the enterprise both physically and with active directory and then somehow the registry corrupted and it was looking for that server again. In that case the computer would never be able to log back in or boot for itself and find files etc. unless that could be fixed. I wouldn't have helped unless we could first determine that the OS was legit.

I have no idea what happened to the OP's computer because it "fixed itself". Without following the problem to a solution we may never know. It is a version of Windows which will work with a domain controller but again we'll probably never know what happened if it stays "fixed".

Cheers.

[JeffreyO]

Group policy is part of AD. It's really slick in that the admin can make groups on the server and assign permissions to each group. Then all he has to do is join a user to that group and it inherits the permissions of the group. This makes it easy in a hospital to give nurses permissions to the patient medical files but not to payroll. Then the HR department bookkeepers get permissions to the payroll accounts but not medical records. Execs are members of both groups and can see everything. It can be as granular as wanted and have as many groups as needed and the rest is easy.

Your group's policy is what is missing. Your computer is looking for that server so it can log on and get permissions.

I think. Pretty sure, LOL.

I am currently supporting a very large Windows environment and we often get GP log on failures. I simply remove the local profile whilst logged in as admin and then back onto the AD domain as the user which copies down a new profile. Never heard of it outside the Enterprise environment.

What happens if you log in with a different local account?

Local policy still applies if a computer is not part of a domain. You can run gpresult /r on any device and take a look.

[NeverSure]

Group policy is part of AD. It's really slick in that the admin can make groups on the server and assign permissions to each group. Then all he has to do is join a user to that group and it inherits the permissions of the group. This makes it easy in a hospital to give nurses permissions to the patient medical files but not to payroll. Then the HR department bookkeepers get permissions to the payroll accounts but not medical records. Execs are members of both groups and can see everything. It can be as granular as wanted and have as many groups as needed and the rest is easy.

Your group's policy is what is missing. Your computer is looking for that server so it can log on and get permissions.

I think. Pretty sure, LOL.

I am currently supporting a very large Windows environment and we often get GP log on failures. I simply remove the local profile whilst logged in as admin and then back onto the AD domain as the user which copies down a new profile. Never heard of it outside the Enterprise environment.

What happens if you log in with a different local account?

Local policy still applies if a computer is not part of a domain. You can run gpresult /r on any device and take a look.

Yes it does. We used to take our laptops home with no problem. However as Para said occasionally that backfires and the local policy is somehow lost and it keeps wanting to join the domain. When that happened we'd usually image the machine. That's what I first suspected happened here - something corrupted. I was also suspicious as to whether the installation was genuine and the same as said so.

I was wrong in my initial assumption but he did have something go wrong in that his computer was looking for Active Directory and group permissions. It would appear. It wasn't decided what it was so we'll always wonder.

Para, to answer your question, group policy, to the best of my knowledge, doesn't apply to a machine but rather an authorized user. Employees of our hospital could roam to any workstation and log on with their user/pass and get all of their files and permissions from the server. They were then responsible to log out when they finished. However I have seen a workstation want to stay logged onto the domain controller server after leaving and be in the same position that the OP was. Something corrupted.

So it's all just curious and interesting is all.

Cheers

Edited June 25, 2015 by NeverSure

[Para]

Para, to answer your question, group policy, to the best of my knowledge, doesn't apply to a machine but rather an authorized user. Employees of our hospital could roam to any workstation and log on with their user/pass and get all of their files and permissions from the server. They were then responsible to log out when they finished. However I have seen a workstation want to stay logged onto the domain controller server after leaving and be in the same position that the OP was. Something corrupted.

So it's all just curious and interesting is all.

Cheers

Absolutely correct. Its the profile (user account) that gets screwed up so when you log in and the OS tries to ensure all local GP's are up to date, fails and kicks you out. Problem is often your AD profiles becomes corrupt so stopping you roaming as every time you log in a new machine AD copies down your server profile and fails. You have to (in an AD environment) remove the profile from control panel, physically delete the c:\users\profile_name and also remove it from HKLM\profile list.

I wonder if in this case its simply the Group Policy Client service is not set to auto start?

[dddave]

Just to report back; now 5 days after my "Group Policy" issue was resolved. No GP pop-ups since; computer operating normally.

I wonder if in this case its simply the Group Policy Client service is not set to auto start?

My Google results suggested this was the most likely culprit. A WIN-7 update had recently installed and this process may not have installed properly.

[NeverSure]

I'm glad to hear this. It's sure a lot easier to have it fix itself. Did you uninstall the updates and either leave it or reinstall them, or did it just start working? I agree it was probably what you think it is and changes in startup services and programs are actually done by editing the registry but we often have a GUI that will do it.

[NeverSure]

Para, to answer your question, group policy, to the best of my knowledge, doesn't apply to a machine but rather an authorized user. Employees of our hospital could roam to any workstation and log on with their user/pass and get all of their files and permissions from the server. They were then responsible to log out when they finished. However I have seen a workstation want to stay logged onto the domain controller server after leaving and be in the same position that the OP was. Something corrupted.

So it's all just curious and interesting is all.

Cheers

Absolutely correct. Its the profile (user account) that gets screwed up so when you log in and the OS tries to ensure all local GP's are up to date, fails and kicks you out. Problem is often your AD profiles becomes corrupt so stopping you roaming as every time you log in a new machine AD copies down your server profile and fails. You have to (in an AD environment) remove the profile from control panel, physically delete the c:\users\profile_name and also remove it from HKLM\profile list.

I wonder if in this case its simply the Group Policy Client service is not set to auto start?

We agree. I will say that it was hammered into me to never delete a profile but rather inactivate it. I don't know since I never did it but apparently there can be resources that belong to that owner that no one else can find. Again I don't know because that never happened due to inactivating instead.

Thanks, It's been a good discussion after I got my nose into the right direction.

Cheers.

[wellred]

Lots of lovely mcitp memories coming back.

Sent from my iPhone using Tapatalk

[jcisco]

Para, to answer your question, group policy, to the best of my knowledge, doesn't apply to a machine but rather an authorized user. Employees of our hospital could roam to any workstation and log on with their user/pass and get all of their files and permissions from the server. They were then responsible to log out when they finished. However I have seen a workstation want to stay logged onto the domain controller server after leaving and be in the same position that the OP was. Something corrupted.

So it's all just curious and interesting is all.

Cheers

Absolutely correct. Its the profile (user account) that gets screwed up so when you log in and the OS tries to ensure all local GP's are up to date, fails and kicks you out. Problem is often your AD profiles becomes corrupt so stopping you roaming as every time you log in a new machine AD copies down your server profile and fails. You have to (in an AD environment) remove the profile from control panel, physically delete the c:\users\profile_name and also remove it from HKLM\profile list.

I wonder if in this case its simply the Group Policy Client service is not set to auto start?

We agree. I will say that it was hammered into me to never delete a profile but rather inactivate it. I don't know since I never did it but apparently there can be resources that belong to that owner that no one else can find. Again I don't know because that never happened due to inactivating instead.

Thanks, It's been a good discussion after I got my nose into the right direction.

Cheers.

That shouldn't be an issue as long as the default user profile and associated registry settings are in a good state. Actually just the registry, as the user creation process when creating an admin user will receive the ability to access all resources. If the resource is held with restricted permissions those too can be easily dismissed and taken control of.

But deleting user and other login profiles is pretty extreme and shouldn't be needed.