Slow remote logon on Windows 7 PC's

Hi Experts,
We have a domain full of Windows 7 notebooks and desktops. They all log in nice and fast while connected to the domain, but will slow down horrendously when logging in remotely (before VPN is fired up etc).
Is there a group policy that can be set to ignore looking for the domain and use cached credentials without a delay?
Stuzza71Asked:

2CsCommented:
Hi Stuzza,

Do you have any GPO in place at the moment under:

Administrative Templates=>Network/System?

If so can you post the settings, you can obtain these by opening Group Policy Management, opening the GPO and then clicking the 'Settings' tab, copy and paste that here.

Al
0
Stuzza71Author Commented:
Hi Al,
Settings are below

Win 7 Default
Data collected on: 12/04/2010 4:50:10 PM

General
Details
Domain xxxxxxxxxxxx
Owner xxxxxxxxxxx\Domain Admins
Created 20/08/2009 2:56:38 PM
Modified 22/03/2010 2:26:00 PM
User Revisions 5 (AD), 5 (sysvol)
Computer Revisions 31 (AD), 31 (sysvol)
Unique ID {84B976B7-201D-4E87-8659-7B24E8619E75}
GPO Status Enabled

Links
Location Enforced Link Status Path
Win 7 PC's No Enabled xxxxxxxxxxxx/Win 7 PC's

This list only includes links in the domain of the GPO.
Security Filtering
The settings in this GPO can only apply to the following groups, users, and computers:
Name
NT AUTHORITY\Authenticated Users

WMI Filtering
WMI Filter Name None
Description Not applicable

Delegation
These groups and users have the specified permission for this GPO
Name Allowed Permissions Inherited
NT AUTHORITY\Authenticated Users Read (from Security Filtering) No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Read No
NT AUTHORITY\SYSTEM Edit settings, delete, modify security No
xxxxxxxxxx\Domain Admins Edit settings, delete, modify security No
xxxxxxxxxx\Enterprise Admins Edit settings, delete, modify security No

Computer Configuration (Enabled)
Windows Settings
Scripts
Startup
Name Parameters
\\xxxxxxxxxxxx\netlogon\BackgroundWin7.bat  

Shutdown
Name Parameters
\\xxxxxxxxxx\netlogon\BackgroundWin7.bat  

Security Settings
Local Policies/User Rights Assignment
Policy Setting
Load and unload device drivers S-1-5-32-547, xxxxxxxxxx\Domain Admins, xxxxxxxxxxxx\Domain Users
Profile system performance wdiservicehost, domain admins, BUILTIN\Administrators
Shut down the system BUILTIN\Users

Local Policies/Security Options
Devices
Policy Setting
Devices: Unsigned driver installation behavior Silently succeed  

Interactive Logon
Policy Setting
Interactive logon: Number of previous logons to cache (in case domain controller is not available) 25 logons

Shutdown
Policy Setting
Shutdown: Allow system to be shut down without having to log on Enabled

Administrative Templates
Network/Network Connections/Windows Firewall/Domain Profile
Policy Setting
Windows Firewall: Allow remote administration exception Enabled
Allow unsolicited incoming messages from: 172.xx.64.0/24
Syntax:
Type "*" to allow messages from any network, or
else type a comma-separated list that contains
any number or combination of these:
IP addresses, such as 10.0.0.1
Subnet descriptions, such as 10.xxx.3.0/24
The string "localsubnet"
Example: to allow messages from 10.0.0.1,
10.0.0.2, and from any system on the
local subnet or on the 10.3.4.x subnet,
type the following:
10.0.0.1,10.0.0.2,localsubnet,10.3.4.0/24
 
Policy Setting
Windows Firewall: Allow Remote Desktop exception Enabled
Allow unsolicited incoming messages from: 172.29.64.0/24
Syntax:
Type "*" to allow messages from any network, or
else type a comma-separated list that contains
any number or combination of these:
IP addresses, such as 10.0.0.1
Subnet descriptions, such as 10.2.3.0/24
The string "localsubnet"
Example: to allow messages from 10.0.0.1,
10.0.0.2, and from any system on the
local subnet or on the 10.3.4.x subnet,
type the following:
10.0.0.1,10.0.0.2,localsubnet,10.3.4.0/24
 

Printers
Policy Setting
Disallow installation of printers using kernel-mode drivers Disabled

System/Error Reporting
Policy Setting
Configure Error Reporting Enabled
Do not display links to any Microsoft provided 'more information' web sites. Enabled
Do not collect additional files Enabled
Do not collect additional machine data Enabled
Force queue mode for application errors Disabled
Corporate upload file path: \\xxxxxxxxx\IT$\ErrorReports
Replace instances of the word 'Microsoft' with: xxx IT Support
 
Policy Setting
Display Error Notification Disabled

System/System Restore
Policy Setting
Turn off Configuration Disabled
Turn off System Restore Disabled

Windows Components/Internet Explorer/Internet Control Panel/Advanced Page
Policy Setting
Allow software to run or install even if the signature is invalid Enabled

User Configuration (Enabled)
Administrative Templates
Control Panel/Printers
Policy Setting
Point and Print Restrictions Disabled
Prevent addition of printers Disabled

Start Menu and Taskbar
Policy Setting
Remove and prevent access to the Shut Down command Disabled
0
2CsCommented:
Hi Stu,

What runs from the following file:

Startup
Name Parameters
\\xxxxxxxxxxxx\netlogon\BackgroundWin7.bat  

Shutdown
Name Parameters
\\xxxxxxxxxx\netlogon\BackgroundWin7.bat  

This is the only thing I can see that would cause the issue. I am not sure if this file would just be skipped or could be causing your delay as it cannot find the server. Are you able to remove this from GPO, update a machine and, once confirmed it has completed, remove the machine from the network and test?

Let me know how you get on.

Al
0


Stuzza71Author Commented:
Hi Al,
This script runs a copy of a corporate background bmp for the domain PC's.
I would have thought that it would not persist in locating the server for this bat file.

Stuzza.
0
Stuzza71Author Commented:
Additionally, would there be a way to run this x minutes after logon, and not with the login?
0
2CsCommented:
Is all of your GPO done through the Default Domain Policy or are the GPO items added for each OU?
0
Stuzza71Author Commented:
There are GPOs for different OUs.
0
2CsCommented:
Try moving a test machine outside of this OU or create a new one with only the default domain policy applied. Make sure the machine is logged into and restarted a few times and then test to see if the same happens.

Are all of your machines built from the same image or are they using a pre-installed O/s?
0
Stuzza71Author Commented:
I have removed the bat from the GPO. Theoretically if I place it as part of the default logon script it will only execute when connected to the domain. As for those machines that only hit the domain occasionally, well they may just miss out on their new background image.

And yes, they are built from the same image.

Stuzza
0
2CsCommented:
If the image is not massive, could you not create the script to detect if it is inside your network and, if not, to go to an external source (FTP/HTTP address) to download the image?

That way your internal network won't be affected if the machine has to go external to obtain the file.

Al
0
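An added example, not code from any poster in this thread: one way to write the background-copy script so it probes the file server with a one-second timeout instead of waiting on an unreachable UNC path, falls back to an external URL when off the network, and only installs the image if its SHA-256 matches the approved file. The server name, share path, URL, destination and hash are all placeholders; it uses .NET classes directly so it also runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example. Every name below is a placeholder, not a value from the thread.
$Server         = 'fileserver.example.local'
$InternalSource = "\\$Server\netlogon\corp-background.bmp"
$ExternalSource = 'https://static.example.com/corp-background.bmp'
$ExpectedSha256 = 'REPLACE_WITH_SHA256_OF_APPROVED_IMAGE'
$Destination    = Join-Path $env:ProgramData 'Corp\background.bmp'

function Test-ServerReachable {
    # Short TCP probe to SMB so an absent server costs about a second, not an SMB timeout.
    param([string]$Name, [int]$Port = 445, [int]$TimeoutMs = 1000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($Name, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch {
        return $false   # DNS failure or refused connection: treat as off-network
    } finally {
        $client.Close()
    }
}

function Get-Sha256Hex {
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { return ([BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '') }
    finally { $stream.Close() }
}

$tmp = "$Destination.tmp"
New-Item -ItemType Directory -Force -Path (Split-Path $Destination) | Out-Null
try {
    if (Test-ServerReachable -Name $Server) {
        Copy-Item -Path $InternalSource -Destination $tmp -Force -ErrorAction Stop
    } else {
        (New-Object System.Net.WebClient).DownloadFile($ExternalSource, $tmp)
    }
    # Install the file only if its content matches the approved image.
    if ((Get-Sha256Hex $tmp) -eq $ExpectedSha256) {
        Copy-Item -Path $tmp -Destination $Destination -Force
    }
} catch {
    # A wallpaper must never hold up startup or logon: keep the existing image.
} finally {
    Remove-Item $tmp -ErrorAction SilentlyContinue
}
```

The hash check matters most on the external path, where the file crosses an untrusted network before landing on a domain machine.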