Asked by HospiceChesapeake

Ctrl+Alt+Del takes forever to prompt for password

This has been happening for a while; nothing out of the blue triggered it.

We're all connecting to a Domain. When we Ctrl+Alt+del to get to the login screen, it takes quite a few seconds... 5-10+ seconds on a good day.

It even does this after locking our workstation and coming back to it... Ctrl+Alt+del, waiting 5-10+ seconds THEN see the prompt for our Password.

What could be causing this slowness? I've worked in AD Domain environments where it was pretty much instant when you did Ctrl+Alt+del.

We're on an all Windows 2008 R2 environment, including Domain Controllers. We have a local domain controller so bandwidth shouldn't be the issue...

Any clues?
Michael

It could very well be a corrupt user profile or a bad network connection. If you can login with different credentials and it's quick, you can rule out the bad network connection.
HospiceChesapeake (ASKER)

It happens for all users. As far as 'bad network connection', again, it happens on all workstations/laptops... so it seems to be some settings / network somewhere.
You may be able to resolve this by changing out the Ethernet cable. If this doesn't work, you may have to test the connectivity from the wall at the computer to the server.
BigBadWolf_000
It's a DNS issue... make sure your DHCP server is providing the 1st DNS server as your domain controller's IP
We use our Firewall as our DHCP and the 1st DNS server is our local DC (this is how all of our sites are setup)
confirm on PC that IPCONFIG /ALL shows the 1st DNS server as your DC
Also do a IPCONFIG /flushdns
Confirmed and done.

Also, mind you, this isn't segregated to just my machine, it's organization-wide.
I think the question here is what happens behind the scene when you press ctrl+alt+del.  As far as I know all that happens is that the logon screen loads. If I understand your question correctly, you aren't even past the logon screen yet, correct?  

When you look at your logon options, how many domains display?  Are they all valid active and trusted domains?

I would consider the following:
Is it slow because services are still loading in the background?
Is it slow because there is a bogus domain listed as one of the potential logon domains?
Is it slow because a group policy is applying a computer policy to the PC?

What happens if you disconnect the PC from the network and try ctrl+alt+del?


Just a few ideas here - hope one helps.
yes I understand ...just wanted to make sure :)

ok check to see if a GPO is enabled, make sure to
disable “Always wait for network at computer startup and logon” under Computer Configuration/Administrative Templates/System/Logon.

If that's not the issue...
update the network driver to the latest version (windows 7 certified driver).

Along nrg2go: recommendation also...remove one of the PCs from the domain....how does Alt+Ctrl+Del respond?
Just boot to safe mode without network support and see what happens.  This will eliminate any network component and driver related issue.
I actually do have that GPO disabled BigBadWolf.

I have tested with a PC removed and it's instantaneous when I CTRL+ALT+Delete - no delay at all. Which is what tells me it's something to do with the network.

All the drivers are 100% up to date.

We only have 1 domain listed - we don't have any more than 1 domain period.

If I simply disconnect the PC from the network, the CTRL+ALT+DEL is fast...
I assume the event log is of no help.  Need to setup boot debugging to troubleshoot.  This article should get you started - http://support.microsoft.com/kb/833721
How many users ...what switch are you using, make model?
If one switch unmanaged try restarting the switch
Check server event logs for any DNS or other errors
We have anywhere from 20-50 users at any given time at this particular location (our businesses location by far)

Now, I'm not entirely sure if it's just 'this office'. We have 5 other locations and I do believe they have the same issue so it seems to be a global thing, not a segregated issue.
BigBadWolf, you mean on the actual domain controller/dns server itself?
Is your DNS server forwarding to your ISP's DNS?
Is there only one DC at your location?
Are all the DCs on the same domain? If yes you are setup as sites (I am assuming all Windows 2008 DCs)
Which DC has all master role (would most likely be 1st DC setup in the org)
We use OpenDNS rather than our providers DNS because of what OpenDNS offers.

We have only one DC/DNS server at each location, except our Datacenter, which no one authenticates to anyways.

They are all on the same domain - we have only one domain. Each site has its own site name and everything exists within that site.

The primary DC is at our Datacenter so its not one that anyone would authenticate to at a local office.
On your local DC nic config what IPs are for primary and secondary DNS servers?
I am assuming all sites are connected via site-2-site VPN or MPLS/etc, different IP subnet for each site
Each DC is setup so the first Primary DNS is the local for that server, 127.0.0.1 and the primary DNS for the entire domain as the secondary DNS.

Each site has a different IP range... for example this site is 192.168.10.x and another site is 192.168.11.x, so on and so forth. We're connected via VPN tunneling.
Try changing the 1st DNS on your local DC to its IP address instead of 127.0.0.1
That is a MS recommendation if only 1 DC on the site, yeah 127.0.0.1 is supposed to work too, but MS will suggest you use the machine's IP address

If two DCs then 1st DNS should be second DCs IP
and 2nd DNS should be same DCs IP
So you're saying since I have only 1 IP, I use the local loopback (127.0.0.1) for DNS #1 and the actual IP of the same server for the secondary dns?
I just made that change, setting both the primary and secondary IP to point to the same server and I'm not sure how fast I should see the change, but it didn't seem to make an immediate difference to say the least...
Actually I think I may have become confused.

So, on the DC, it should be Primary DNS the actual IP address. And leave the secondary DNS empty?

What about the DHCP server? Obviously the Primary DNS on that should point to the local dc, but what about the secondary? Should it still point to the other DC as a failsafe?
As a test, I made only the local DC the primary DNS and left the secondary blank, so it only would hit the local DC... and that made no difference :(
Have you added anything new to the network? Is the whole network running slow or is it just logon? One thing I had a while back ago was someone added an extra cable from a server already plugged into the network creating a loop. It caused much havoc on the network.
Hmm you know, we'll have our up and down moments. We have a Datacenter that we connect to and some days it seems like files open and save fast and some days it's slow. But, it could be because we're on FiOS at this particular location.

There's definitely something not right with the network and pin pointing it is going to be a disaster, I feel it... =\
You mentioned that you "do have that GPO disabled", what GPO were you referring to?
In our primary DOMAIN Group Policy, we have disabled “Always wait for network at computer startup and logon” under Computer Configuration/Administrative Templates/System/Logon.

This has made no difference.
Do you have any start-up logon scripts under the Computer section of any of your GPOs?  The two last things that take place before you press Ctrl-Alt-Del are Apply Computer GPOs then run startup scripts.  I wonder if any scripts are still running.  Again, I would setup debugging to better identify what is happening - probably the first thing Microsoft would ask you to do to start troubleshooting.  Also, Microsoft specifically told me about a month ago that they now recommend 127.0.0.1 instead of using the DNS server's own IP address.  Just throwing that out there.  Their logic was less chance of a problem if you were to ever change IP addresses of the DNS server. Made logical sense to me.
We use Desktop Authority ScriptLogic as our startup script; however, I believe this runs 'after' the login has been initiated. I don't believe we have anything in the GPO itself for startup.

I'm now confused on the DNS server. On the server itself, the Primary should be 127.0.0.1 and the secondary should be what... the same IP? an IP of another DC? what?
Not sure I would understand any reason to put the same server as a secondary.  Do you have a second DNS server in your site or anywhere on your domain you can use?  

The Computer Configuration settings get applied before you ever log onto your PC.  Can you temporarily disable Desktop Authority to test?
Ok, I'll make the secondary another DNS server that we have.

I believe I can totally disable Desktop Authority for myself, so I'll do that and see if that makes any difference but I won't know until tomorrow when I'm back in the office.
Keep in mind that since you have disabled “Always wait for network at computer startup and logon”, any changes to Group Policy won't be noticed until the second time you logon.  With that disabled, the OS uses cached GPO settings from the last logon session.
Can't I do a gpupdate /force? Right now I'm on a VPN... also, Desktop Authority pushes out updates instantly.
Also that GPO change, was made last week... so it definitely has had time to replicate.
Not sure what change you are referring to, but even if you do a gpupdate /force after removing your PC from Desktop Authority, you will be prompted to reboot for all GPOs to apply, do perform this reboot. Remember, the only GPOs we are concerned about are ones which apply to your computer, not to you as a user, so make certain your PC is removed from Desktop Authority.  Well, I am off to drinking wine and watching college basketball.  Good luck and go Buckeyes.
What I was referring to was removing the script that starts Desktop Authority on my computer upon boot. This is found in AD Users/Computers in the Profile tab - that's the only way to fully remove oneself from Desktop Authority. So, if that doesn't do it... it's something else.
To clear up the DNS confusion...

Say your local DC IP is 192.168.1.12

In the DC's nic config the first DNS should be 192.168.1.12
The second DNS can be any of the other site DC IPs 192.168.2.xx

In your DHCP the first DNS should be 192.168.1.12

Note: It depends on who you talk to in MS. I worked with their senior engs on the DNS in relation to pure 2008 ADDS and they advised me not to use the 127.0.0.1 even though it should work with that config.

Well, it's looking like we can rule DNS out at this rate anyways... nothing I seem to try DNS related is making a difference. Tomorrow we'll see if Desktop Authority plays a role. If it does, then I'm just screwed because we can't get rid of it.. if it's not the problem, then I'm still in the dark.
It just dawned on me that Desktop Authority is 100% user based... so it really shouldn't make any difference with this issue because I could be on any computer, trying any other user, you know?

I'll rule it out tomorrow for sure, but it just doesn't sound like it's going to make a big difference, but you never know...
Ok so I tested with Desktop Authority disabled for my username (because you can't disable it per computer) and I did notice it was slightly faster from a cold boot to do the Ctrl+Alt+del HOWEVER, I then locked the computer and did a Ctrl+Alt+Del and it still took forever - so I'm going to guess it's probably not Desktop Authority....
Are you using roaming profiles?  If so, here are some things to check:  (if not, ignore these)

Too much user profile data:
In Windows Explorer, R-click and check the properties on the folder \Documents & Settings\UserName
Note the size of the folder (in mb or gb) - If you are using vista or win7 you will also need to check \Users\UserName  
If the total of these folders is over 2gb, then that could cause slow loading.  Sometimes users will install itunes or something else that put a lot of data under these folders and roaming profiles has to synchronize all this data with what is in the server profile folder.  

There may also be a lot of Temp & temporary internet files (usually skipped but not always) that it syncs.  Also recent files folder does not clean up itself.  If you find a lot of space used, you may have to find where it is. - Also if you use Outlook, there could be very large .ost and .pst files there that are constantly being transferred to the server profile.  You can move them to another server or local location.


Test for a corrupted profile:
Login as a given user.  Make sure that user is not logged in anywhere else.
Browse to the server & folder where the roaming profile is located.  Rename the folder for the profile assigned to the given user  ie: ProfileFolder.bad.  
Create another folder with the same name as the original folder.
Back at the workstation, log out of the domain normally.  It will take a while to rebuild the profile.
Log back in and test for the lag.

Roaming profiles need maintenance to keep them efficient, either by admins or user practices.  In different forums I read that many techs do not use them because of this & other troubles.  For us, the convenience outweighs the cost of maintenance.  
My 2¢ worth


We don't use roaming at all.
Do you map network drives? If yes, remove all mappings, disable any login scripts, restart and try, post results

Also (just a wild shot),
If you have hibernation enabled on the PC, try disabling it.
set the hard disk to never power down and standby to never happen.
The mapped drives are done after the login occurs, through Desktop Authority. That shouldn't account for the long Ctrl+Alt+Del. Especially when the computer is merely locked.
Desktop Authority will keep the settings on the computer, you may have to login to a computer (as a test) and remove DA completely, then undo the settings it's already changed. Did you upgrade to a newer DA recently? I've noticed especially with the windows 7 users it was particularly slow, and especially login. I had to go in to each machine to undo most of what it had done to those machines.
The problem is, we cannot remove DA as it's an integral part of our organization. However, I don't mind trying to uninstall it completely just to see if that's the root cause.

I know that Desktop Authority has 8.1 update out. We're still on 8.04 so I've been wondering if updating would help anything out.

But I guess we'll see if its even DA after I test.
Is right click slow, and possibly the start button?

I am thinking this could be a context menu handler or an app trying to run from a remote location that doesn't exist.

Are there any other symptoms, like:
the Start Task Manager context-menu link on the Taskbar is greyed out and Start Task Manager is no longer an option when Ctrl+Alt+Del is pressed.
Nope, none of those issues appear present.
Did removing DA from your test computer help?
On 03/01/11 04:07 PM, I had asked that he disable DA to test.  If you can't remove or disable it for the computer settings, then at least call DA support and ask if they have seen your issue before.  They have a forum which the question could be asked of others, you just need to have a valid license to access it.  In other words, rule out DA before looking any further please.
I apologize - I meant to uninstall DA altogether on this machine today but had absolutely no opportunity to do so. I will set myself a reminder tomorrow to do so.

With the DA services removed from my machine completely - this should satisfy the test.

In fact - so I won't forget, I'll go ahead and uninstall now, that way first thing in the morning (which is where I always complain the most cause of the first logon taking forever) this will be a good indicator ... ruling out DA immediately.
Let's check a couple things:

Check out this key and see what it's set to, locally:
System Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Value Name: DisableCAD
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = Require Ctrl+Alt+Delete, 1 = Disable)

Also check out the welcome screen for fast user switching. In your case, you want the welcome screen.

http://support.microsoft.com/kb/281980

How many users are affected??

Ok - I tried deleting Desktop Authority altogether... made no difference at all.
@ChiefIT

DisableCAD currently = 0 (which I assume we want for security reasons)

As for Fast User Switching, the article you led me to doesn't seem to apply to Windows 7. I did find that within the GPO is something called "Hide entry points for Fast User Switching" which is what they refer to as enabling/disabling it I suppose.

Currently, we have the ability to "switch user" turned on (well, the policy is actually not configured) so that we can switch user over to an admin account as needed.
While looking for the correct reg key, I did see an article about a WIN7 computer that shows the welcome screen for thirty seconds (by design). It stems from having a SINGLE color background on the desktop. Let's see if I can find it again.

YES: here it is:

http://support.microsoft.com/kb/977346
Actually we can already rule this out because a.) it's not the delay 'after' logging in that's the problem, it's the control+alt+delete and then waiting for Username/Password to show up that is the problem. And, B.) we actually use Themes, so we don't have a solid background.

Thanks for the tip though - this could explain some delays on our servers though...
To me, this totally seems like a 'network' related issue for some reason.

Almost like it's going out to find something ... maybe it's pulling GPO information, or DC information, IDK but it's not just me, it's a wide scale issue so it's definitely not a segregated issue.
Here is a shot in the dark.

Open Windows Explorer, Alt to open the top menu, Tools, View tab, under advanced settings - un-check the option "Automatically search for network folders and printers" and see if that makes a difference.

Another thought, do you have any NAS drives mapped to the workstations?  If so, try disconnecting the NAS drive and do a shut-down, then see if things get faster.

One more idea, run MSconfig and stop all programs from loading on boot, If the problem goes away- add them back in - one at a time until the lag returns.  It might give you more clues on where to look.  Please forgive me if you have already tried these.  Just trying to cover all bases.
:-)
I had another thought, check in the \Windows\tasks folder and see if there are any tasks that are set to run on boot-up.
If it were a network related issue, the slowness would come when logging in, (as in the case of the solid color desktop). I have seen it too many times before where after the splash screen that loads the third party drivers, you get (opening network connection). ..

Maybe a verbose logon could help you troubleshoot what the hang is.

1. Open regedit and goto:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

2. In right-side pane create/modify DWORD value VerboseStatus and set its value to:

0 - To Disable Verbose Status Message
1 - To Enable Verbose Status Message

----------------------------------------------

To me, this sounds like the CTRL ALT DEL Context menu handler. A context menu handler for right click brings up a menu that allows you to copy/paste etc... The context menu handler for CTRL ALT DEL should bring up the logon screen. Sometimes these Context menu handlers get hosed by third party software.
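
The registry values and DNS settings that the replies above ask the poster to check, gathered into one read-only PowerShell snapshot that can be run on an affected PC and on one that has been removed from the domain, then compared. This is an added example, not part of any participant's post; the function names are hypothetical, and `SyncForegroundPolicy` is assumed to be the registry value behind the "Always wait for the network at computer startup and logon" policy.

```powershell
# Added example: read-only snapshot of the logon-related settings discussed in this thread.
# Get-RegValue and Get-LogonSettingsSnapshot are hypothetical helper names; nothing is modified.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (i.e. "not configured").
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Get-LogonSettingsSnapshot {
    # Paths for DisableCAD and VerboseStatus are the ones quoted in the thread.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $policies = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    # Assumption: policy-backed location of "Always wait for the network ...".
    $gpoLogon = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # DNS servers in the order the client tries them, per IP-enabled adapter,
    # plus the DHCP server that handed them out (the firewall, in the asker's setup).
    $dns = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
        ForEach-Object {
            New-Object PSObject -Property @{
                Adapter    = $_.Description
                DhcpServer = $_.DHCPServer
                DnsOrder   = ($_.DNSServerSearchOrder -join ', ')
            }
        }

    New-Object PSObject -Property @{
        Computer             = $env:COMPUTERNAME
        # 0 = Ctrl+Alt+Delete required, 1 = disabled (per the post above)
        DisableCAD           = (Get-RegValue $winlogon 'DisableCAD')
        # 1 = verbose status messages enabled
        VerboseStatus        = (Get-RegValue $policies 'VerboseStatus')
        # 1 = policy enabled, 0 = disabled, empty = not configured
        SyncForegroundPolicy = (Get-RegValue $gpoLogon 'SyncForegroundPolicy')
        Dns                  = $dns
    }
}

$snap = Get-LogonSettingsSnapshot
$snap | Select-Object Computer, DisableCAD, VerboseStatus, SyncForegroundPolicy | Format-List
$snap.Dns | Format-Table Adapter, DhcpServer, DnsOrder -AutoSize
```

An empty value in the output means the setting is not present in the registry, which is different from a value of 0.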

@dosdet2 - I cannot seem to locate the Automatically search for network folder and printers in Windows 7 where you described it to be.

We have no NAS drives installed at all on these laptops / desktops.

I'll give the MSConfig a try - but again, I'm thinking it's network related. Also, I checked and there are no scheduled tasks.

I did have a thought that maybe everyone can look at... we use a 'custom' User profile picture. Could THIS be causing the slow down? What if I disable this custom picture and see what happens??
At this point anything is worth a try if just to gain further clues or eliminate a possibility.  

What I was thinking about in the MSconfig was a third party program loading an "updater" module that was trying to download updates.   Or maybe an anti-virus checker or similar program that has central management.

Let me elaborate a bit.

The GPO is Computer Config. > Admin Templates > Control Panel, User Accounts and "Apply the default user logon picture to all users" we have this enabled to show our company logo.

It's a relatively small file, so I really don't see why this would be any impact. But, I suppose I could try turning it off and see what happens... right?
The Automatically search function was from XP as I don't have a Win7 station handy.  I hoped it would be in a similar place.
ASKER CERTIFIED SOLUTION
HospiceChesapeake
Discovered the reason for this problem on my own by chance - happened to be upgrading that particular piece of software and voilà, problem was resolved.
Hospice, this software .. it didn't happen to be SpecOps Password Client was it?