
What happens when a user logs on to a domain?

CreamyG asked
Medium Priority
Last Modified: 2008-02-01

We're trying to troubleshoot a problem which involves slow logon times for a number of users when logging on to our domain. I have a rough idea of what happens when a user attempts a logon but I am trying to find some sort of Step-by-Step process guide as to what goes on during the log on process so that I can work through this problem logically.

All our clients are XP SP2 and our DCs are 2003. If someone could point me in the right direction of finding such a step by step guide, it would be much appreciated.



Have a look in Control Panel > Administrative Tools > Event Viewer > Applications > Errors.
You may see one or more, but one in particular that points to this:

When you log off a computer that is running Microsoft Windows Server 2003, Windows XP, Windows 2000, or Windows NT 4.0, you may experience one or more of the following symptoms:
• A user profile does not unload.
• A roaming profile does not reconcile.
• You reach the registry size limit (RSL).
• You take a long time to log off, and you receive the following message:
Saving settings….
• Backups may not start. There are no errors in the Application log from the Backup program. However, if you see event ID 1524, the Backup has not run.
Additionally, you may receive one or more of the following event messages in the application event log, depending on your operating system.

Windows XP
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1517
Windows saved user ComputerName\UserName registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. This is caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1524
Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

To resolve this issue, use the Microsoft User Profile Hive Cleanup Service (UPHClean). UPHClean monitors the computer while Windows is unloading user profiles and forces resources that are open to close. Therefore, the computer can unload and reconcile user profiles.

To download and install UPHClean, visit the following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?FamilyId=1B286E6D-8912-4E18-B570-42470E2F3582
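
As an added example (not part of the original answer and not a Microsoft tool): a small Python parser for an Application log saved as text in the field layout quoted above, tallying Userenv events 1517 and 1524 and the accounts named in the 1517 message. The sample text, the `EXAMPLEPC\svc_backup` account and the function names are constructed for illustration.

```python
import re
from collections import Counter

HIVE_EVENTS = {"1517", "1524"}   # Userenv event IDs quoted in the answer above
FIELD = re.compile(r"^Event (Type|Source|Category|ID):\s*(\S+)")
ACCOUNT = re.compile(r"Windows saved user (\S+) registry")

# Constructed sample in the field layout quoted above; not real log data.
SAMPLE_EXPORT = """\
Event Type: Error
Event Source: Userenv
Event ID: 1517
Windows saved user EXAMPLEPC\\svc_backup registry while an application or service was still using the registry during log off.

Event Type: Error
Event Source: Userenv
Event ID: 1524 Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services.

Event Type: Warning
Event Source: Print
Event ID: 20
Printer driver was added.
"""

def parse_records(text):
    """Split the export on blank lines; return one dict per event record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec, message = {}, []
        for line in block.splitlines():
            if m := FIELD.match(line.strip()):
                rec[m.group(1)] = m.group(2)  # \S+ drops a trailing "Description:"
            else:
                message.append(line.strip())
        rec["Message"] = " ".join(message)
        records.append(rec)
    return records

def hive_unload_summary(text):
    """Count Userenv 1517/1524 events and the accounts named in 1517 messages."""
    by_id, by_account = Counter(), Counter()
    for rec in parse_records(text):
        if rec.get("Source") != "Userenv" or rec.get("ID") not in HIVE_EVENTS:
            continue
        by_id[rec["ID"]] += 1
        if m := ACCOUNT.search(rec["Message"]):
            by_account[m.group(1)] += 1
    return by_id, by_account
```

An account that recurs in the 1517 tally is a candidate for the cause the event text itself names: a service running under a user account.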
Author of the Year 2011
Top Expert 2006
Hi CreamyG,
Are you running any 'batch' commands when your users logon/logoff?
Our network is set up so that any logon causes certain 'checks' to be run (AV, Windows Update, etc) and the logon and logoff times have dramatically increased since we started doing this.
It actually only takes about 15-30 seconds, but that seems like a lot to most users.

Part of our situation is that we're a huge geographic WAN with over 2,000 hosts and 150 remote WAN sites.

If you can post more specifics (nothing identifiable) about your network, I'll try to give you more info than a 'Google Cut & Paste'.

Post back when you can.




Hiya Vic

Yup, we are running batch jobs, or to be more specific, each user is assigned a kix script to run depending on their department. The kix script maps network drives and printers. On top of this, we have quite a number of policies assigned to user OUs which restrict wallpaper, set network shares etc, etc. Some users seem to be OK; some users' logons have been timed at up to 4 minutes (!!!). These are wired connections; our wireless certificate encrypted network can take up to 6 minutes to log on sometimes.

Now, we have 4 domain controllers in the UK, and 2 in the US. They have been defined in Sites and services. What often happens, a local UK user will be authenticated by a DC in the states which is when the slow logon is most noticeable. We have about 600 users in the UK and 100 in the US, but I find it strange that 4 local domain controllers can be too busy so as to force the user to be logged on by a US DC.

This is why I've been looking for some form of a step by step guide, so I can determine what order things are processed after Kerberos has done its job, e.g. does it run policies first, then scripts...etc etc.


tripple07 - nice link.
Good info.
I just glanced over this and right away think of bootvis.  Glancing has been getting me in trouble lately, though.  So don't get mad if I missed something.  I just have other things to do too!


I would check the policies to see if there is any causing issues. To do this, run the resultant set of policies; it will highlight any issues with the policy section of the login.



Thanks for the input so far guys, I am currently rushing around like a madman at work so I will read your posts as soon as hell breaks for tea.

I had an issue like this with group policy at one point.  For me it was slow the first time the computer came up, but if I restarted the computer and logged in it would be quite a bit faster.  Also, if I turned the power on and let it sit there for a few minutes before logging in, it would come up quickly.

If it's a group policy issue, bootvis may not help you.  Otherwise, it's a great tool for troubleshooting slow computer startups.

Can you create a test user/computer with no group policies / scripts and see if it has the delay?  Then apply policies/scripts one at a time and see if a particular one causes substantially longer login time?  VirtualPC is a free download from Microsoft and a great way to test on a simulated clean computer (and allows you to quickly revert back from any changes).
PS - I wouldn't wait for tea time.  The devil's a busy man.

There is a good chance that the cached credentials have become corrupt. The best way that I have found to take care of this problem is to remove the computer from the domain (MAKE SURE THAT YOU HAVE A LOCAL LOGIN FOR THE SYSTEM). Remove the computer (NOT USER) from AD. Rejoin the computer to the domain.

darrenakin, I have experienced corrupt cached credentials.  I was getting EventID 14 with a description being "there were password errors using the credential manager.  To remedy, launch the Stored User Names and Passwords control panel applet, and reenter the password for the credential DOMAIN\User."

I found this blog with instructions and a link to resolve it:

Still interested - and I want to know if 'Hell broke for tea'.
Also interested.  Would like to see if the problem was resolved, or at least narrowed down.
Let me know the solution which has solved the problem.
