Unable to log in to Windows because “The Group Policy Client service failed the logon. Access is denied.”

When trying to log in to Windows (in this case Windows 7 using a domain account) you may receive the following error

This particular situation occurred after a reboot following the installation of the latest Windows updates.

There are several suggestions out there to solve this problem, some more drastic than others. The most common root cause seems to be a problem with a corrupt registry. Specifically, several guides have you log in to the system with a separate local administrator account and then check and modify registry settings located at these locations:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gpsvc
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SVCHOST

In this case there were no problems with these registry settings, so a different solution was needed.

It was discovered that the user account had both a ntuser.man file and a ntuser.dat file, located in the root of the affected users profile folder (C:\Users\username).  Depending on the account type, there should only be one or the other.  It is most common to have a .dat rather than a .man which was true for this specific user account. The ntuser.man file was also very small compared to the ntuser.dat file.

The solution was to log in with a separate local administrator account and then move/rename the ntuser.man file while leaving the ntuser.dat file untouched.

That allowed the user to log in again with no loss of data or Windows settings.