Steps to recreate the issue... (Windows 2008 Server - DC, and Windows 7 as the client box)
1) Create a new user in the domain.
Example: user1
2) Set the user's "Remote Desktop Services User Profile" to a network path.
Example: \\myserver\profiles\bullpin
3) Log on with user1 to the remote desktop (SERVER_A), then create a new shortcut to a web page.
Example: http://google.com -> Named: Google
4) Log out with user1.
5) Create a new user in the domain.
Example: user2
6) Set the user's "Remote Desktop Services User Profile" to the same network path.
Example: \\myserver\profiles\bulpin
7) Log on with user2 to the remote desktop (SERVER_A). YOU SHOULD GET AN ERROR!
ERROR: "The Group Policy Client service failed the logon. Access is denied"
Update:
My answer below fixed the issue and everything seemed to work fine. Now I'm looking to find out how I can avoid this in the first place, without having to change permissions while the error is still up (in the 30 seconds it lasts). Can I change the key's permissions before the user tries to log on?
Note: If I have to load the profile in the hive under HKEY_USERS manually please explain how.
Thanks!
Digging for answers on the web, in logs, etc. I found some interesting things out...
Looking in the log (Windows Logs->Application) of SERVER_A I found the following 2 entries...
Then reading around I got the idea to look into another log on SERVER_A (Applications and Services Logs->Microsoft->Windows->User Profile Service->Operational) and found these entries...
Wondering what the heck it meant to "load" a user's profile into the registry, I started messing around and found that the registry hive (Run->regedit.exe, or Windows Key+R->regedit.exe) on SERVER_A had a key called "HKEY_USERS". Inside that I could NOT find the referenced GUID!!! So looking into things I had an idea. Try to connect to the remote desktop as usual, get the error message, BUT DO NOT CLICK OK ON THE ERROR. Just let it sit there. Very quickly (because it times out soon) I hopped over to SERVER_A and refreshed the registry with F5 and sure enough the GUID entry showed up!!! Before that logon error message timed out I right-clicked on the GUID "HKU\S-1-5-21-2420121206-1056658499-602520278-4624" and went to "Permissions" and found that this was the problem...
So to resolve the issue I did the following...
I was facing the same problem while connecting to a Win 2008 R2 RDC.
I fixed the issue by deleting the particular user's folder in C:\Users.
This fix worked for me: Rename the roaming profile of the user with a .OLD suffix.
On all computers with the problem, log in as ADMIN, right-click COMPUTER > PROPERTIES > ADVANCED SYSTEM SETTINGS > USER PROFILES > delete the local profile of the offending user.
Log out and log back in with the user; it should be fine.
There should be no problem at all if you specify different RDS user profile paths. When users log in, their ntuser.dat file is mounted (loaded) as HKU\<SID of user>\... When the user logs off, the hive is unmounted (unloaded) and all changes are written back to the user's ntuser.dat in the profile share. The SID in HKU consists of the domain's unique id + a relative id (RID) provided by the domain's RID Master. See FSMO Roles for more detail.
From time to time unloading the user's registry has its flaws, thus possibly causing the RDS profile to go corrupt.
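
Added example (not part of the answers above): a PowerShell audit for the setup the question reproduces, two accounts pointing at the same Remote Desktop Services profile path. It assumes the ActiveDirectory module is available; Get-RdsProfilePath and Find-SharedRdsProfilePath are hypothetical helper names, and the sample rows are constructed.

```powershell
function Get-RdsProfilePath {
    # Reads the "Remote Desktop Services User Profile" path of every domain user.
    # Assumes the ActiveDirectory module; the value is read through the ADSI
    # TerminalServicesProfilePath property of each user object.
    Import-Module ActiveDirectory
    Get-ADUser -Filter * | ForEach-Object {
        $path = $null
        try {
            $entry = [ADSI]"LDAP://$($_.DistinguishedName)"
            $path  = $entry.psbase.InvokeGet('TerminalServicesProfilePath')
        } catch { }   # property not set for this account
        if ($path) {
            New-Object PSObject -Property @{
                User        = $_.SamAccountName
                ProfilePath = $path
            }
        }
    }
}

function Find-SharedRdsProfilePath {
    # Groups accounts by normalized path (case-insensitive, no trailing backslash)
    # and returns every path that more than one account uses.
    param([Parameter(Mandatory = $true)][object[]]$Account)
    $Account |
        Group-Object { $_.ProfilePath.TrimEnd('\').ToLowerInvariant() } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            New-Object PSObject -Property @{
                ProfilePath = $_.Name
                Users       = ($_.Group | ForEach-Object { $_.User }) -join ', '
            }
        }
}

# Constructed sample rows standing in for directory data.
$sample = @(
    New-Object PSObject -Property @{ User = 'user1'; ProfilePath = '\\myserver\profiles\shared' }
    New-Object PSObject -Property @{ User = 'user2'; ProfilePath = '\\MYSERVER\profiles\shared\' }
    New-Object PSObject -Property @{ User = 'user3'; ProfilePath = '\\myserver\profiles\user3' }
)
Find-SharedRdsProfilePath -Account $sample | Format-Table -AutoSize

# Against a live domain:
# Find-SharedRdsProfilePath -Account (Get-RdsProfilePath)
```

Any path the audit reports can be split into one folder per account before the second user logs on, which is the configuration the last answer describes as trouble-free.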