Slow Logon/Group Policy

[RingHatters]

Hi people,

I've done a search on this topic and only found a forum from 2004 so i thought I'd ask again...

We run a smallish LAN (90 users) and we seem to have a problem across the site with slow logons. After typing the username and password - the logon can take upto 5 minutes - and normally stops on the 'Applying computer settings' screen.

We are a AD domain and we do use Group Policies - but we have only just started having this problem so I'm not sure what is causing this.

We don't do anything clever with the GPs - just a bit of security and setting up WSUS. We also use DHCP - so eadch client is given the DNS server IP address through DHCP (I read that is sometimes a problem).

Anyone shed any light on this?

Thanks
A

 

[gavm99]

It sounds like a DNS problem to me.

Can you confirm the DNS servers set on each client via DHCP are internal, valid and respond.

Let me know your findings.

Thanks.

 

[RingHatters]

Hello Gav,

I've just done a IPCONFIG /ALL on some random machines. All PCs tested indicate that the DNS servers are indeed internal servers and these DNS servers ping OK.

It won't matter we have two DNS servers set through DHCP will it?

I have to admit I've just noticed it seems my PC (and my PC only) is immune to this problem. I hadn't really noticed - but my PC flies through the logon seqeunce.

 

[pgaliardo]

Being that your machine doesn't have the problem should help in your troubleshooting. Is you DNS set up the same as the problem machines? Are you using a local profile and others using roaming? Is your machine simply faster than the others? Have a user that is having the problem log onto your machine and see if his logon is any faster.

 

[gavm99]

Your not on a switch which is different to all the other users?

"Nobody cares how it works, as long as it works

 

[58sniper]

The size and number of GPOs can also greatly impact the logon time. By default, GPOs are about 2MB in size. So - if there are a bunch, that could slow things down a little.

I'm still inclined to think this is a DNS issue. Are all users in one physical location? If not, are they hitting the right DC? Do you have more than one DC and more than one GC?

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP

 

[RingHatters]

Hi everyone,

Thanks for the help on this. These are the answers...

Q: Is your DNS set up [on my machine] the same as the problem machines?
A: Yes

Q: Are you using a local profile and others using roaming? A: No - everyone uses local profiles.

Q: Is your machine simply faster than the others?
A: If anything - my machine is the same spec or slower than all the other PCs.

Q: Your not on a switch which is different to all the other users?
A: We have 6 identical switches in the cabinet - and I know I am on the same switch as my collegue - and he has the problem.

Q: Are all users in one physical location?
A: Yes. And we should all should be getting the same settings from DHCP as well.

Q: Do you have more than one DC and more than one GC?
A: Yeah - we have two DC (and both IP addresses are supplied via DHCP for the DNS settings).

Q: The size and number of GPOs can also greatly impact the logon time. By default, GPOs are about 2MB in size. So - if there are a bunch, that could slow things down a little.
A: Yeah - we have three GPs that we roll out to all users (1x firewall settings, 1x WSUS settings and 1x Default Domain settings). I was wondering if it was one of these GPOs that was causing the problem - so for a test group of three users - for a temperary time - I have unlinked all GPOs except the Default Domain Settings. This hasn't seem to make a difference. I've also changed the attribute 'Always wait for the network at computer startup' to enabled - but this just means the boot process takes longer to get to the Logon screen (rather than wait after the logon screen).

Sorry for the long post - hope your all still awake after reading that!!

 

[RingHatters]

Just a quick bump on the off chance anyone has any ideas...?

 

[RingHatters]

Just a quick update:

1) Every PC in the company has this problem (except mine!)
2) We all get our DNS settings from DHCP.
3) All clients look at a local DNS server via DHCP.
4) All clients use different switches around the building.
5) It seems that on a test PC - even if all GPs are disabled - it doesn't make a difference to the amount of time taken to logon. It still takes 4 or 5 mins.
6) If the network cable is unplugged - logon is instantatious (spl!).
7) No errors in event viewer of clients.

 

[RingHatters]

Also:

1) NiC drivers on all PCs are different (all PCs are Dells - but different chipsets (some Intel, some Broadcomm etc)) so can't tie this down to NiC drivers.

I'm pulling my haor out with this!!

 

[pgaliardo]

Have you had another user log on using your machine? At least you can then narrow it down to hardware or user issue.

 

[karlisi]

I have almost the same problem, except logons are slow only if computer was not turned on some days (more than two, I think, because there are no problems after weekends). If computer is turned on every day, logon is fast. And if computer is not connected to network, logon is fast.

Perhaps there is an explanation for this difference (but this is only my version).

When PC is not connected to network, logon is based on cached credentials, registry and files settings are as they were set by group policies on last connection to domain - logon is fast. When PC is connected, Windows on logon checks for GP in domain, goes trough all settings, compares with these in GP and changes if needed - logon is slow.

If computer is turned on every day, Windows checks only for policy changes, not processing all settings - fast logon. If computer was not turned on some time (I believe there is some timeout mentioned in Windows documentation), it processes all settings - slow logon.

The only problem - how to find exactly which part of GP slows down the process.

===
Karlis
ECDL; MCSA

 

[RingHatters]

Quote: Have you had another user log on using your machine? At least you can then narrow it down to hardware or user issue.

Hi again.

This gets more weird. If I log in on my machine - everytime the logon is really quick - no problems at all. If I get other users to log on to my machine though - 8 times out of ten the logon is slow. On a couple of occasions the logon is ok though. I've noticed once a user is logged on, if they user logs off (as opposed to restarting the PC) the log on it nice and quick though.

Everyone in the company uses DHCP to get network settings and everyone uses the same GPOs. I'm using the same setup as everyone else. I am an Administator - but then my collegue is also an Administrator and he has troubles.

It also seems if I log on anywhere else - the logon is really quick. This is the case even on machines where other users have problems.

Think I may take up a career in Cake Decorating or something

 

[pgaliardo]

So it certainly seems to be a user issue. Are you a member of a group that is being denied any of these policies? Perhaps if you are, you can start combing through that policy to see what is causing the delay. Has anything changed on your network lately? We had an issue once with Microsoft Word taking forever to open for certain users. After months, I finally found a setting in an Office policy we were running that was looking for a network share on a file server that no longer existed. I changed the share to the correct name and it fixed the problem.

I know it can be like finding a needle in a haystack, but when you do get it resolved, I think it will be more rewarding than Cake Decorating!

 

[RingHatters]

Thats the weird thing - we run a pretty vanilla AD setup - and I'm in the same group as everyone else. My results after running gpresult are the same as other users that are having the slow logon problem.

We haven't made any network changes lately, DNS has not changed lately blah blah blah.

I've also as a test just built a fresh PC with XP SP2 and all patches - and who ever logs onto that PC logs on as expected - quickly. First time is a bit sluggish - but after that I've had five users log on and each user logs on really fast. That counts out users as being the problem in my head - and makes me think the problem could be to do with, erm, else!

 

[gavm99]

Ok, so assuming it is a PC issue how about using one of the PC's which has the problem and doing a System Restore on it to how it was before the problem occured?

----------------------------------------
"Nobody cares how it works, as long as it works

 

[LiverpoolFan]

Have you tried removing one of the offending machines (ensuring you know the local administrator password first (I have seen people who have done this and have not )) from the domain and re-added it?

It may be worth trying that if your investigations lead you to believe it is machine related and a newly built machine works okay.

Just a thought.

 

[RingHatters]

Hey!

I fixed this - at last.

The annoying part about this is the problem turned out to be the first thing I tested 2 weeks ago! Grrrr! Talk about two weeks wasted.

Anyway - in my case the problem was indeed Group Policies. I have a GPO that just deals with WSUS and that's it. It was this GPO that was causing the troubles. I didn't realise that the GPRESULT command has a switch (/Z) called Super Verbose mode - that gives loads of info about when and how the various policies are run. I wish I had known about the switch two weeks ago ( ) because using it enabled me to see that the WSUS policy was all messed up and was setting verious settings hundreds of times (instead of once).

Glad thats sorted!

 

[gavm99]

That is quality you finally got to the bottom of it, good work!

----------------------------------------
"Nobody cares how it works, as long as it works