How to Fix “The Group Policy Client service failed the logon” Error?

Group Policy is an account management utility in Windows that lets you predefine the terms of use and interaction for user accounts in a given group. The group can be the standard/limited group, the administrators group, the guest group, or any other group you have created. These groups are then governed by the policy you created. Group Policy is therefore invoked during login, depending on which group the user belongs to.

 

Several users have reported a login issue. The system becomes slow in some applications, and some do not work. After restarting their PC, they can no longer log in to the system. On entering a password, the system takes far too long to log in and after a while returns an error stating ‘Group Policy Client service failed the logon: Access denied.’

This article will explain to you how logging in works and why this problem occurs. We will then give you solutions to this problem.

How Logging-In Works and Why a Login Error Occurs?

Winlogon communicates with the Group Policy service (GPSVC) through a call upon system startup for computer policy and with user logon for user policy. The Group policy service then isolates itself into a separate SVCHOST process (it is originally running in a shared process with other services).

Because communications have already been established before the service isolation, Winlogon can no longer contact the Group Policy service, and this results in the error message. This could be due to bad registry calls or a corrupt registry. Usually, this is caused by system updates and upgrades that might mess with the registry. A bad shutdown or startup process can also cause this issue.

This can also happen when you try to log on with a non-admin account on a PC where some applications or drivers were previously installed with admin privileges. These applications will not support non-elevated environments. The application category that most often causes this issue is third-party web browsers such as Google Chrome, which doesn’t need admin privileges to run.

Here are solutions on how you can fix this situation. If you are locked out of your computer completely (you had only one account), then you should try method 3.

1. Edit Registry Using an Administrator Account

By using an administrator account to access and edit the registry, you’re basically correcting or replenishing vital data that could have gone missing or been changed during software updates or system upgrades. This method can reconstruct the necessary framework for the Group Policy Client service to run smoothly, effectively resolving the login errors you’re facing.

Note: Editing the Windows registry incorrectly can cause irreversible system damage. Make sure you follow instructions precisely and back up the registry before making any changes.

  1. Press Windows Key + R to open the run command.
  2. Type regedit to open the Registry Editor.
  3. In the left pane of Registry Editor, navigate to the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gpsvc

  4. Make sure that this key is intact, but do not change anything.
  5. Navigate to this key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SVCHOST
  6. This is the most important path you should look into, as it contains the keys and values referred to in step 3. Below are descriptions of what must be present there.
  7. There must be a Multi-String value called GPSvcGroup. If it is missing, right click on the panel on the right, create a new multi-string value named GPSvcGroup and assign it the value GPSvc.
  8. Next, you must create a key (a folder) and name it GPSvcGroup – this key normally should be there. To do this, right click on the panel on the right and select New > Key. Name the new key GPSvcGroup.
  9. Then open the newly created GPSvcGroup folder/key, right click on the panel on the right and create 2 DWORD values:
  10. The first is called AuthenticationCapabilities, and you must give it a value of 0x00003020 (or 12320 in decimal).
  11. The second is called CoInitializeSecurityParam, and it must have a value of 1.
  12. Restart your PC after the changes.
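
The check below is an added example, not part of the original article: a PowerShell script that backs up the SVCHOST key and then reports, without writing to the registry, whether the keys and values named in steps 3 to 11 are present. The backup file name and the helper function names are assumptions made for illustration.

```powershell
# Added example: read-only check of the keys and values named in steps 3-11.
# Run in an elevated PowerShell session. $backup is a hypothetical file path.
$svcKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\gpsvc'
$hostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SVCHOST'
$groupKey = Join-Path $hostKey 'GPSvcGroup'
$backup   = Join-Path $env:USERPROFILE 'svchost-before.reg'

# Export the SVCHOST key first so any later edit can be undone by importing the file.
reg export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SVCHOST' $backup /y | Out-Null

function New-Result {
    param([string]$Item, [string]$Actual, [bool]$Ok)
    [pscustomobject]@{ Item = $Item; Actual = $Actual; Ok = $Ok }
}

function Test-RegValue {
    param([string]$Path, [string]$Name, $Expected)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return New-Result "$Path\$Name" '<missing>' $false }
    $actual = $item.$Name
    # REG_MULTI_SZ is returned as a string array, so test membership instead of equality.
    if ($actual -is [array]) { $ok = $actual -contains $Expected }
    else                     { $ok = $actual -eq $Expected }
    New-Result "$Path\$Name" ($actual -join ', ') $ok
}

$results = @(
    New-Result $svcKey   'key' (Test-Path $svcKey)
    Test-RegValue $hostKey  'GPSvcGroup' 'GPSvc'
    New-Result $groupKey 'key' (Test-Path $groupKey)
    Test-RegValue $groupKey 'AuthenticationCapabilities' 0x3020
    Test-RegValue $groupKey 'CoInitializeSecurityParam' 1
)
$results | Format-Table -AutoSize -Wrap

if ($results.Ok -contains $false) {
    Write-Warning 'At least one entry is missing or differs from the values in the steps above.'
}
```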

2. Take Ownership of Group Policy Registry Key

By taking control of the Group Policy Registry Key and modifying its operational behavior, users effectively resolve communication breakdowns between the Winlogon service and the Group Policy Service.

When Group Policy Client service (GPSVC) shares a process with other services, conflicts can cause it to malfunction during user login attempts. Securing ownership and commanding GPSVC to launch independently from the very start of the system’s operation prevents this clash.

It ensures smooth communication with the login process, hence eliminating the obstacle that leads to the error users have been facing. 

  1. Press Windows Key + R to open run command.
  2. Type regedit in Run dialog box and hit enter to open the Registry Editor
  3. In the left pane of Registry Editor, navigate to the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gpsvc

  4. We are now going to take ownership of this key so that we can edit it.
  5. Right click on the gpsvc (folder) key and select Permissions.
  6. The default owner should be TrustedInstaller. Click on Change in the window that appears.
  7. Click on Advanced in Select User or Group window.
  8. Click Find Now.
  9. Now we have the search results here, pick your user name, click OK.
  10. Then click OK in Select User or Group window as well. Now you have successfully changed the ownership.
  11. Once you’ve successfully taken ownership of the registry key, close Registry Editor. Open an elevated (administrative) Command Prompt/PowerShell (press the Start button, type cmd, and open it as administrator), type in the following command, then press the Enter key:
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\gpsvc" /v Type /t REG_DWORD /d 0x10 /f

  12. You must receive the “The operation completed successfully” message. If you’ve not taken ownership of the registry key mentioned in step 3, the command will not execute and you’ll get an “Access is denied” message.
  13. Lastly, restart your PC.
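
As an added example (not from the original article), the script below records the gpsvc key's owner and service Type before the change and shows the difference when run again afterwards, so the original state is known if it has to be put back. The state file path and function name are assumptions; the Type meanings (0x10 own process, 0x20 shared process) are the standard Win32 service type values.

```powershell
# Added example; run in an elevated PowerShell session before and after step 11.
# $stateFile is a hypothetical path used to remember the pre-change state.
$key       = 'HKLM:\SYSTEM\CurrentControlSet\Services\gpsvc'
$stateFile = Join-Path $env:USERPROFILE 'gpsvc-before.json'

# Win32 service Type values: 0x10 runs in its own process, 0x20 shares a process.
$typeNames = @{ 16 = 'own process (0x10)'; 32 = 'shared process (0x20)' }

function Get-GpsvcState {
    $type = [int](Get-ItemProperty -Path $key -Name Type).Type
    $meaning = $typeNames[$type]
    if (-not $meaning) { $meaning = 'other (0x{0:X})' -f $type }
    [pscustomobject]@{
        Owner = (Get-Acl -Path $key).Owner   # the article expects TrustedInstaller by default
        Type  = $meaning
    }
}

$now = Get-GpsvcState
if (-not (Test-Path $stateFile)) {
    # First run: remember what the key looked like before any change.
    $now | ConvertTo-Json | Set-Content -Path $stateFile
    Write-Output "Saved current state to $stateFile"
    $now | Format-List
} else {
    # Later runs: show what changed relative to the saved state.
    $before = Get-Content -Path $stateFile -Raw | ConvertFrom-Json
    foreach ($name in 'Owner', 'Type') {
        $changed = $before.$name -ne $now.$name
        [pscustomobject]@{ Setting = $name; Before = $before.$name; Now = $now.$name; Changed = $changed }
    }
}
```

Once the logon error is confirmed fixed, the Owner value saved in the state file is the one to set back through the same Permissions dialog, because an account that owns the key can rewrite the service's configuration.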

3. Use System Restore Point

Restoring your system to a point where it previously worked without the error will solve the issue. This feature rolls back system files, installed applications, Windows Registry, and system settings to a previous date when everything functioned correctly. If Group Policy errors started after a certain update or installation, this method could erase those changes, potentially solving the problem without affecting your personal files.

Option 1: Log into the System with Another Account

  1. Right click the start button and choose system.
  2. From the left column choose System Protection.
  3. Click the System Restore button.
  4. Click the Next button.
  5. You may need to check the box at the bottom that says “Show more restore points”.
  6. Pick a date/point in time before the problem occurred and restore your system. Your PC will revert to that date and restart (you may lose your programs but your data will be intact).

Option 2: If You Only Have One Account

By going into the advanced startup options, you can restore your PC to the previous point.

  1. Press the Shift button then restart your PC (you should have the shutdown button on the bottom right corner of your login screen, right click on it to get the restart option)
  2. Windows will then restart and display a Choose an option menu.
  3. Select Troubleshoot > Advanced options > System Restore
  4. Choose a date in time before the problem occurred and restore your system. Your PC will revert to that date and restart (you may lose your programs but your data will be intact).

If your system error persists or you did not have a restore point, you can reset your system. This will however clear all your apps but your data will be kept. Use the advanced startup options but instead choose Troubleshoot > Reset this PC > Keep my files.

4. Reset Google Chrome

This issue can be caused by apps that do not need admin permission to install, e.g. Google Chrome. The program does not require administrator privileges for installation, which sometimes leads to inconsistencies with system policies if it is installed under admin credentials.

By resetting or uninstalling and then re-installing Chrome without elevated privileges, you align the browser’s operation within the non-admin user context, potentially resolving the conflict that causes login failures.

  1. Press Windows Key + R to open run
  2. Type appwiz.cpl and press enter to open the programs and features window.
  3. Look for Google Chrome and uninstall it.
  4. Lastly, reinstall it without using admin privileges.

5. Turn Off Fast Startup

When Fast Startup is enabled, your PC hibernates rather than fully shutting down. Although this quickens startup times, it can sometimes lead to incomplete termination of system processes and create login conflicts. Turning off Fast Startup ensures a complete shutdown and system initialization, hence potentially resolving any Group Policy login errors.

  1. Click on Start.
  2. Go to Settings.
  3. Click on System icon.
  4. Go to the Power and sleep section and click on additional power settings.
  5. Click on choose what the power buttons do.
  6. Scroll down to Shutdown settings.
  7. Uncheck the box next to turn on fast startup.
  8. Click Save changes.
  9. Restart your PC.

6. Restart Group Policy Service and Reset Winsock

The Group Policy Service is integral for applying various settings across your computer, and a restart can make sure it operates smoothly, without any issues that may prevent user logon. Meanwhile, resetting Winsock – a crucial part of your PC’s networking software – is similar to clearing the cobwebs, potentially resolving any network-related errors that could be impacting the Group Policy Client service and the overall login process.

By performing these steps, you essentially direct these services back on track, often dealing with the login error in the process.

  1. Press Windows Key + R to open run command.
  2. Type services.msc and hit enter.
  3. Search for Group Policy Client, right click on the service and go to Properties.
  4. Change its Startup type to Automatic, click on the Start button, and then Apply > OK.
  5. Right click on the Start button and select Command Prompt (Admin) or PowerShell (Admin).
  6. Type the following command and hit enter:
    netsh winsock reset

  7. Type exit and hit enter to exit command prompt
  8. Restart your PC.

7. Relogging in a Specific Order

Basically, when multiple users log in and out in a predetermined sequence, the system may clear out any inconsistencies or conflicts within the user profiles that could be causing the error. By following the suggested order, you give Windows the opportunity to reset the access parameters for each account, which can sometimes resolve underlying issues preventing successful user logins.

Let’s suppose you have three accounts (or two). One of them is not working and shows the error. Here we will refer to the problematic account as Account_Problem and the working accounts as Working_1 and Working_2.

Note: You can apply the same approach even if you don’t have three accounts.

  1. First of all, switch all the users so all three are logged in.
  2. Now, log off (sign out) each account in order (for example Working_1, Account_Problem, Working_2).
  3. Now, log into the first working account i.e. Log into Working_1 and try to do some task or play some game.
  4. Now log into the second working account i.e. Working_2 and perform some activity there as well.
  5. After all the working accounts have been logged in, log into the problematic account i.e. Account_Problem. Now check if the issue is resolved.
ABOUT THE AUTHOR

Kevin Arrows

