[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Ctrl+Alt+Del takes forever to prompt for password

Posted on 2011-03-01
72
Medium Priority
?
11,092 Views
Last Modified: 2012-10-05
This has been happening for awhile; nothing out of the blue triggered it.

We're all connecting to a Domain. When we Ctrl+Alt+del to get to the login screen, it takes quite a few seconds... 5-10+ seconds on a good day.

It even does this after locking our workstation and coming back to it... Ctrl+Alt+del, waiting 5-10+ seconds THEN see the prompt for our Password.

What could be causing this slowness? I've worked in AD Domain environments where it was pretty much instant when you did Ctrl+Alt+del.

We're on an all Windows 2008 R2 environment, including Domain Controllers. We have a local domain controller so bandwidth shouldn't be the issue...

Any clues?
0
Comment
Question by:HospiceChesapeake
  • 35
  • 13
  • 9
  • +4
72 Comments
 
LVL 3

Expert Comment

by:Michael
ID: 35011500
It could very well be a corrupt user profile or a bad network connection. If you can login with different credentials and it's quick, you can rule out the bad network connection.
0
 

Author Comment

by:HospiceChesapeake
ID: 35011508
It happens for all users. As for as 'bad network connection', again, it happens on all workstations/laptops... so it seems to be some settings / network somewhere.
0
 
LVL 3

Expert Comment

by:Michael
ID: 35011514
You may be able to resolve this by changing out the Ethernet cable. If this doesn't work, you may have to test the connectivity from the wall at the computer to the server.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 14

Expert Comment

by:BigBadWolf_000
ID: 35011712
Its a DNS issue..make sure your DHCP server is providing the 1st DNS server as you domain controllers IP
0
 

Author Comment

by:HospiceChesapeake
ID: 35011744
We use our Firewall as our DHCP and the 1st DNS server is our local DC (this is how all of our sites are setup)
0
 
LVL 14

Expert Comment

by:BigBadWolf_000
ID: 35011840
confirm on PC that IPCONFIG /ALL shows the 1st DNS server as your DC
Also do a IPCONFIG /flushdns
0
 

Author Comment

by:HospiceChesapeake
ID: 35011858
Confirmed and done.

Also, mind, you, this isn't segregated to just my machine, it's organization-wide.
0
 
LVL 1

Expert Comment

by:nrg2go
ID: 35011868
I think the question here is what happens behind the scene when you press ctrl+alt+del.  As far as I know all that happens is that the logon screen loads. If I understand your question correctly, you aren't even past the logon screen yet, correct?  

When you look at your logon options, how many domains display?  Are they all valid active and trusted domains?

I would consider the following:
Is it slow because services are still loading in the background?
Is it slow because there is a bogus domain listed as one of the potential logon domains?
Is it slow because a group policy is applying a computer policy to the PC?

What happens if you disconnect the PC from the network and try ctrl+alt+del?


Just a few ideas here - hope one helps.
0
 
LVL 14

Expert Comment

by:BigBadWolf_000
ID: 35011877
yes I understand ...just wanted to make sure :)

ok check to see if a GPO is enabled, make sure to
disable “Always wait for network at computer startup and logon” under Computer Configuration/Administrative Templates/System/Logon.

If thats not the issue...
update the network driver to the latest version (windows 7 certified driver).

0
 
LVL 14

Expert Comment

by:BigBadWolf_000
ID: 35011930
Along nrg2go: recommendation also...remove one of the PCs from the domain....how does Alt+Ctrl+Del respond?
0
 
LVL 1

Expert Comment

by:nrg2go
ID: 35011950
Just boot to safe mode without network support and see what happens.  This will eliminate any network component and and driver related issue.
0
 

Author Comment

by:HospiceChesapeake
ID: 35011962
I actually do have that GPO disabled BigBadWolf.

I have tested with a PC removed and it's instantaneous when I CTRL+ALT+Delete - no delay at all. Which is what tells me it's something to do with the network.

All the drivers are 100% up to date.

We only have 1 domain listed - we don't have any more than 1 domain period.

If I simply disconnect the PC from the network, the CTRL+ALT+DEL is fast...
0
 
LVL 1

Expert Comment

by:nrg2go
ID: 35012055
I assume the event log is of no help.  Need to setup boot debugging to troubleshoot.  This article should get you started - http://support.microsoft.com/kb/833721
0
 
LVL 14

Expert Comment

by:BigBadWolf_000
ID: 35012094
How many users ...what switch are you using, make model?
If one switch unmanaged try restarting the switch
0
 
LVL 14

Expert Comment

by:BigBadWolf_000
ID: 35012124
Check server event logs for any DNS or other errors
0
 

Author Comment

by:HospiceChesapeake
ID: 35012125
We have anywhere from 20-50 users at any given time at this particular location (our businesses location by far)

Now, I'm not entirely sure if it's just 'this office'. We have 5 other locations and I do believe they have the same issue so it seems to be a global thing, not a segregated issue.
0
 

Author Comment

by:HospiceChesapeake
ID: 35012131
BigBadWolf, you mean on the actual domain controller/dns server itself?
0
 
LVL 14

Expert Comment

by:BigBadWolf_000
ID: 35012138
Yes
0
 
LVL 14

Expert Comment

by:BigBadWolf_000
ID: 35012172
Is your DNS servering forwarding to your ISPs DNS
Is there only one DC at your location?
Are all the DCs on the same domain? If yes you are setup as sites (I am assuming all Windows 2008 DCs)
Which DC has all master role (would most likely be 1st DC setup in the org)
0
 

Author Comment

by:HospiceChesapeake
ID: 35012191
We use OpenDNS rather than our providers DNS because of what OpenDNS offers.

We have only one DC/DNS server at each location, except our Datacenter, which no one authenticates to anyways.

They are all on the same domain - we have only one domain. Each site has it's own site name and everything exists within that site.

The primary DC is at our Datacenter so its not one that anyone would authenticate to at a local office.
0
 
LVL 14

Expert Comment

by:BigBadWolf_000
ID: 35012236
On your local DC nic config what IPs are for primary and secondary DNS servers?
I am assiuming all sites care connected via site-2-site vpn or MPLS/etc, different IP subnet for eact site
0
 

Author Comment

by:HospiceChesapeake
ID: 35012254
Each DC is setup so the first Primary DNS is the local for that server, 127.0.0.1 and the primary DNS for the entire domain as the secondary DNS.

Each site has a different IP range... for example this site is 192.168.10.x and another site is 192.168.11.x, so on and so forth. We're connected via VPN tunneling.
0
 
LVL 14

Expert Comment

by:BigBadWolf_000
ID: 35012361
Try changing the 1st DNS on your local DC to its IP address instead of 127.0.0.1
That is a MS recommendation if only 1 DC on the site, yeay 127.0.0.1 is supposed to work too, but MS will suggest you use the machine's IP address

If two DCs then 1st DNS should be second DCs IP
and 2nd DNS should be same DCs IP
0
 

Author Comment

by:HospiceChesapeake
ID: 35012396
So you're saying since I have only 1 IP, I use the local loopback (127.0.0.1) for DNS #1 and the actual IP of the same server for the secondary dns?
0
 

Author Comment

by:HospiceChesapeake
ID: 35012427
I just made that change, setting both the primary and secondary IP to point to the same server and i'm not sure how fast I should see the change, but it didn't seem to make an immediate difference to say the least...
0
 

Author Comment

by:HospiceChesapeake
ID: 35012444
Actually I think I may have become confused.

So, on the DC, it should be Primary DNS the actual IP address. And leave the secondary DNS empty?

What about the DHCP server? Obviously the Primary DNS on that should point to the local dc, but what about the secondary? Should it still point to the other DC as a failsafe?
0
 

Author Comment

by:HospiceChesapeake
ID: 35012480
As a test, I made only the local DC the primary DNS and left the secondary blank, so it only would hit the local DC... and that made no difference :(
0
 
LVL 3

Expert Comment

by:Michael
ID: 35012573
Have you added anything new to the network? Is the whole network running slow or is it just logon? One thing I had a while back ago was someone added an extra cable from a server already plugged into the network creating a loop. It caused much havoc on the network.
0
 

Author Comment

by:HospiceChesapeake
ID: 35012917
Hmm you know, we'll have our up and down moments. We have a Datacenter that we connect to and some days it seems like files open and save fast and some days it's slow. But, it could be because we're on FiOS at this particular location.

There's definitely something not right with the network and pin pointing it is going to be a disaster, I feel it... =\
0
 
LVL 1

Expert Comment

by:nrg2go
ID: 35012992
You mentioned that you "do have that GPO disabled", what GPO were you referring to?
0
 

Author Comment

by:HospiceChesapeake
ID: 35013015
In our primary DOMAIN Group Policy, we have disabled “Always wait for network at computer startup and logon” under Computer Configuration/Administrative Templates/System/Logon."

This has made no difference.
0
 
LVL 1

Expert Comment

by:nrg2go
ID: 35013063
Do you have any start-up logon scripts under the Computer section of any of your GPOs?  The two last things that take place before you press Ctrl-Alt-Del are Apply Computer GPOs then run startup scripts.  I wonder if any scripts are still running.  Again, I would setup debugging to better identify what is happening - probably the first thing Microsoft would ask you to do to start troubleshooting.  Also, Microsoft specifically told me about a month ago that they now recommend 127.0.0.1 instead of using the DNS server's own IP address.  Just throwing that out there.  Their logic was less chance of a problem if you were to ever change IP addresses of the DNS server. Made logical sense to me.
0
 

Author Comment

by:HospiceChesapeake
ID: 35013096
We use Desktop Authority ScriptLogic as our startup script; however, I believe this run's 'after' the login has been initiated. I don't believe we have anything in the GPO itself for startup.

I'm now confused on the DNS server. On the server itself, the Primary should be 127.0.0.1 and the secondary should be what... the same IP? an IP of another DC? what?
0
 
LVL 1

Expert Comment

by:nrg2go
ID: 35013197
Not sure I would understand any reason to put the same server as a secondary.  Do you have a second DNS server in your site or anywhere on your domain you can use?  

The Computer Configuration settings get applied before you ever log onto your PC.  Can you temporarily disable Desktop Authority to test?
0
 

Author Comment

by:HospiceChesapeake
ID: 35013221
Ok, I'll make the secondary another DNS server that we have.

I believe I can totally disable Desktop Authority for myself, so I'll do that and see if that makes any difference but I won't know until tomorrow when I'm back in the office.
0
 
LVL 1

Expert Comment

by:nrg2go
ID: 35013261
Keep in mind td tohat since you have disabled  “Always wait for network at computer startup and logon”, any changes to Group Policy won't be noticed until the second time you logon.  With that disabled, the OS uses cached GPO settings from the last logon session.
0
 

Author Comment

by:HospiceChesapeake
ID: 35013271
Can't I do a gpupdate /force? Right now I'm on a VPN... also, Desktop Authority pushes out updates instantly.
0
 

Author Comment

by:HospiceChesapeake
ID: 35013372
Also that GPO change, was made last week... so it definitely has had time to replicate.
0
 
LVL 1

Expert Comment

by:nrg2go
ID: 35013583
Not sure what change you are referring to, but even if you do a gpupdate /force after removing your PC from Desktop Authority, you will be prompted to reboot for all GPOs to apply, do perform this reboot. Remember, the only GPOs we are concerned about are ones which apply to your computer, not to you as a user, so make certain your PC is removed from Desktop Authority.  Well, I am off to drinking wine and watching college basketball.  Good luck and go Buckeyes.
0
 

Author Comment

by:HospiceChesapeake
ID: 35013595
What I was referring to was removing the script that starts Desktop Authority on my computer upon boot. This is found in AD Users/Computers in the Profile tab - thats the only way to fully remove ones self from Desktop Authority. So, if that doesn't do it... it's something else.
0
 
LVL 14

Expert Comment

by:BigBadWolf_000
ID: 35013712
To clear up the DNS condusion...

Say your local DC IP is 192.168.1.12

In the DC's nic config the first DNS should be 192.168.1.12
The second DNS can be any of the other site DC IPs 192.168.2.xx

In your DHCP the first DNS should be 192.168.1.12

Note: It depends on who you talk to in MS. I worked with their senior engs on the DNS in relation to pure 2008 ADDS and they adviced me on not to use the 127.0.0.1 eventhough it shoiuld work with that config.

0
 

Author Comment

by:HospiceChesapeake
ID: 35013752
Well, it's looking like we can rule DNS out at this rate anyways... nothing I seem to try DNS related is making a difference. Tomorrow we'll see if Desktop Authority plays a role. If it does, then I'm just screwed because we can't get rid of it.. if it's not the problem, then I'm still in the dark.
0
 

Author Comment

by:HospiceChesapeake
ID: 35013924
It just dawned on me that Desktop Authority is 100% user based... so it really shouldn't make any difference with this issue because I could be on any computer, trying any other user, you know?

I'll rule it out tomorrow for sure, but it just doesn't sound like it's going to make a big difference, but you never know...
0
 

Author Comment

by:HospiceChesapeake
ID: 35017048
Ok so I tested with Desktop Authority disabled for my username (because you can't disable it per computer) and I did notice it was slightly faster from a cold boot to do the Ctrl+Alt+del HOWEVER, I then locked the computer and did a Ctrl+Alt+Del and it still took forever - so I'm going to guess it's probably not Desktop Authority....
0
 
LVL 8

Expert Comment

by:dosdet2
ID: 35018631
Are you using roaming profiles?  If so, here are some things to check:  (if not, ignore these)

Too much user profile data:
In Windows Explorer, R-click and check the properties on the folder \Documents & Settings\UserName
Note the size of the folder (in mb or gb) - If you are using vista or win7 you will also need to check \Users\UserName  
If the total of these folders is over 2gb, then that could cause slow loading.  Sometimes users will install itunes or something else that put a lot of data under these folders and roaming profiles has to synchronize all this data with what is in the server profile folder.  

There may also be a lot of Temp & temporary internet files (usually skipped but not always) that it syncs.  Also recent files folder does not clean up itself.  If you find a lot of space used, you may have to find where it is. - Also if you use Outlook, there could very large .ost and .pst files there that are constantly being transferred to the server profile.  You can move then to another server or local location.


Test for a corrupted profile:
Login as a given user.  Make sure that the that user is not logged in anywhere else.
Browse to the server & folder where the roaming profile is located.  Rename the folder for the profile assigned to the given user  ie: ProfileFolder.bad.  
Create another folder with the with the same name as the original folder.
Back at the workstation, log out of the domain normally.  It will take a while to rebuild the profile.
Log back in and test the for the lag.

Roaming profiles need maintenance to keep them efficient, either by admins or user practices.  In different forums I read that many techs do not use them because of this & other troubles.  For us, the convenience outweighs the cost of maintenance.  
My 2¢ worth


0
 

Author Comment

by:HospiceChesapeake
ID: 35019298
We don't use roaming at all.
0
 
LVL 14

Expert Comment

by:BigBadWolf_000
ID: 35019453
Do you map network drives? If yes, remove all mapings, disable any login scripts, restart and try, post results

Also (just a wild shot),
If you have hibernation enabled on the PC, try disabling it.
set the hard disk to never power down and standby to never happen.
0
 
LVL 14

Expert Comment

by:BigBadWolf_000
ID: 35019548
0
 

Author Comment

by:HospiceChesapeake
ID: 35019958
The mapped drives are done after the login occurs, through Desktop Authority. That shouldn't account for the long Ctrl+Alt+Del. Especially when the computer is merely locked.
0
 
LVL 3

Expert Comment

by:Michael
ID: 35027229
Desktop Authority will keep the settings on the computer, you may have to login to a computer (as a test) and remove DA completely, then undo the settings it's already changed. Did you upgrade to a newer DA recently? I've noticed especially with the windows 7 users it was particularly slow, and especially login. I had to go in to each machine to undo most of what it had done to those machines.
0
 

Author Comment

by:HospiceChesapeake
ID: 35028076
The problem is, we cannot remove DA as it's an integral part of our organization. However, I don't mind trying to uninstall it completely just to see if that's the root cause.

I know that Desktop Authority has 8.1 update out. We're still on 8.04 so I've been wondering if updating would help anything out.

But I guess we'll see if its even DA after I test.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 35042961
is right click slow, and possibly the start button.

I am thinking this could be a context menu handler or an app trying to run from a remote location that doesn't exist.

Are there any other symptomps, Like:
the Start Task Manager context-menu link on the Taskbar is greyed out and Start Task Manager is no longer an option when Ctrl+Alt+Del is pressed.
0
 

Author Comment

by:HospiceChesapeake
ID: 35056151
Nope, none of those issues appear present.
0
 
LVL 3

Expert Comment

by:Michael
ID: 35059285
Did removing DA from your test computer help?
0
 
LVL 1

Expert Comment

by:nrg2go
ID: 35061274
On 03/01/11 04:07 PM, I had asked that he disable DA to test.  If you can't remove or disable it for the computer settings, then at least call DA support and ask if they have seen your issue before.  They have a forum which the question could be asked of others, you just need to have a valid license to access it.  In other words, rule out DA before looking any further please.
0
 

Author Comment

by:HospiceChesapeake
ID: 35063291
I apologize - I meant to uninstall DA altogether on this machine today but had absolutely no opportunity to do so. I will set myself a reminder tomorrow to do so.

With the DA services removed from my machine completely - this should satisfy the test.

In fact - so I won't forget, I'll go ahead and uninstall now, that way first thing in the morning (which is where I always complain the most cause of the first logon taking forever) this will be a good indicator ... ruling out DA immediately.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 35065133
Let's check a couple things:

Check out this key and see what it's set to, locally:
System Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Value Name: DisableCAD
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = Require Ctrl+Alt+Delete, 1 = Disable)

Also check out the welcome screen for fast user switching. In your case, you want the welcome screen.

http://support.microsoft.com/kb/281980

How many users are effected??

0
 

Author Comment

by:HospiceChesapeake
ID: 35068954
Ok - I tried deleting Desktop Authority altogether... made no difference at all.
0
 

Author Comment

by:HospiceChesapeake
ID: 35069085
@ChiefIT

DisableCAD currently = 0 (which I assume we want for security reasons)

As for Fast User Switching, the article you lead me to doesn't seem to apply to Windows 7. I did find that within the GPO is something called "Hide entry points for Fast User Switching" which is what they refer to as enabling/disabling it I suppose.

Currently, we have the ability to "switch user" turned on (well, the policy is actually not configured) so that we can switch user over to an admin account as needed.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 35069761
While looking for the correct reg key, I did see an article about a WIN7 computer that the welcome screen for thirty seconds, (by design). It's stems from having a SINGLE color background on the desktop. Let's see if I can find it again.

YES: here it is:

http://support.microsoft.com/kb/977346
0
 

Author Comment

by:HospiceChesapeake
ID: 35069823
Actually we can already rule this out because a.) it's not the delay 'after' logging in that's the problem, it's the control+alt+delete and then waiting for Username/Password to show up that is the problem. And, B.) we actually use Themes, so we don't have a solid background.

Thanks for the tip though - this could explain some delays on our servers though...
0
 

Author Comment

by:HospiceChesapeake
ID: 35069851
To me, this totally seems like a 'network' related issue for some reason.

Almost like it's going out to find something ... maybe it's pulling GPO information, or DC information, IDK but it's not just me, it's a wide scale issue so it's definitely not a segregated issue.
0
 
LVL 8

Expert Comment

by:dosdet2
ID: 35070309
Here is a shot in the dark.

Open Windows Explorer, Alt to open the top menu, Tools, View tab, under advanced settings - un-check the option "Automatically search for network folders and printers" and see if that makes a difference.

Another thought, do you have any NAS drives mapped to the workstations?  If so, try disconnecting the NAS drive and do a shut-down, then see if things get faster.

One more idea, run MSconfig and stop all programs from loading on boot, If the problem goes away- add them back in - one at a time until the lag returns.  It might give you more clues on where to look.  Please forgive me if you have already tried these.  Just trying to cover all bases.
:-)
0
 
LVL 8

Expert Comment

by:dosdet2
ID: 35070326
I had another thought, check in the \Windows\tasks folder and see if there are any tasks that are set to run on boot-up.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 35070570
If it were a network related issue, the slowness would come when logging in, (as in the case of the solid color desktop). I have seen it too many times before where after the splash screen that loads the third party drivers, you get (opening network connection). ..

Maybe a verbose logon could help you troubleshoot what the hang is.

1. Open regedit and goto:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ Policies\System

2. In right-side pane create/modify DWORD value VerboseStatus and set its value to:

0 - To Disable Verbose Status Message
1 - To Enable Verbose Status Message

----------------------------------------------

To me, this sounds like the CTRL ALT DEL Context menu handler. A context menu handler for right click brings up a menu that allows you to copy/paste etc... The context menu handler for CTRL ALT DEL should bring up the logon screen. Sometimes these Context menu handlers get hosed by third party software.

0
 

Author Comment

by:HospiceChesapeake
ID: 35070607
@dosdet2 - I cannot seem to locate the Automatically search for network folder and printers in Windows 7 where you described it to be.

We have no NAS drives installed at all on these laptops / desktops.

I'll give the MSConfig a try - but again, I'm thinking it's network related. Also, I checked and there are no scheduled tasks.

I did have a thought that maybe everyone can look at... we use a 'custom' User profile picture. Could THIS be causing the slow down? What if I disable this custom picture and see what happens??
0
 
LVL 8

Expert Comment

by:dosdet2
ID: 35070689
At this point anything is worth a try if just to gain further clues or eliminate a possibility.  

What I was thinking about in the MSconfig was a third party program loading an "updater' module that was trying to downloading updates.   Or maybe an anti-virus checker or similar program that has central management.

0
 

Author Comment

by:HospiceChesapeake
ID: 35070699
Let me elaborate a bit.

The GPO is Computer Config. > Admin Templates > Control Panel, User Accounts and "Apply the default user logon picture to all users" we have this enabled to show our company logo.

It's a relatively small file, so I really don't see why this would be any impact. But, I suppose I could try turning it off and see what happens... right?
0
 
LVL 8

Expert Comment

by:dosdet2
ID: 35070718
The Automatically search function was from XP as I don't have a Win7 station handy.  I hoped it would be in a similar place.
0
 

Accepted Solution

by:
HospiceChesapeake earned 0 total points
ID: 35111930
I discovered the problem was Desktop Authority Password Self-service. It's a tool we use for users to reset their own password and unlock their own account and they've since fixed the issue in a newer version.

Thanks all for the help!
0
 

Author Closing Comment

by:HospiceChesapeake
ID: 35145559
Discovered the reason for this problem on my own by chance - happened to be upgrading that particular piece of software and vuala, problem was resolved.
0
 

Expert Comment

by:ExecTech24
ID: 38468450
Hospice, this software .. it didn't happen to be SpecOps Password Client was it?
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
Transferring FSMO roles is done when an admin wants to split roles between certain Domain Controllers or the Domain Controller holding the Roles has been forcefully demoted using dcpromo / forceremoval
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

872 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question