Solved

Ctrl+Alt+Del takes forever to prompt for password

Posted on 2011-03-01
72
8,286 Views
Last Modified: 2012-10-05
This has been happening for awhile; nothing out of the blue triggered it.

We're all connecting to a Domain. When we Ctrl+Alt+del to get to the login screen, it takes quite a few seconds... 5-10+ seconds on a good day.

It even does this after locking our workstation and coming back to it... Ctrl+Alt+del, waiting 5-10+ seconds THEN see the prompt for our Password.

What could be causing this slowness? I've worked in AD Domain environments where it was pretty much instant when you did Ctrl+Alt+del.

We're on an all Windows 2008 R2 environment, including Domain Controllers. We have a local domain controller so bandwidth shouldn't be the issue...

Any clues?
0
Comment
Question by:HospiceChesapeake
  • 35
  • 13
  • 9
  • +4
72 Comments
 
LVL 3

Expert Comment

by:KenTankrus
Comment Utility
It could very well be a corrupt user profile or a bad network connection. If you can login with different credentials and it's quick, you can rule out the bad network connection.
0
 

Author Comment

by:HospiceChesapeake
Comment Utility
It happens for all users. As for as 'bad network connection', again, it happens on all workstations/laptops... so it seems to be some settings / network somewhere.
0
 
LVL 3

Expert Comment

by:KenTankrus
Comment Utility
You may be able to resolve this by changing out the Ethernet cable. If this doesn't work, you may have to test the connectivity from the wall at the computer to the server.
0
 
LVL 14

Expert Comment

by:BigBadWolf_000
Comment Utility
Its a DNS issue..make sure your DHCP server is providing the 1st DNS server as you domain controllers IP
0
 

Author Comment

by:HospiceChesapeake
Comment Utility
We use our Firewall as our DHCP and the 1st DNS server is our local DC (this is how all of our sites are setup)
0
 
LVL 14

Expert Comment

by:BigBadWolf_000
Comment Utility
confirm on PC that IPCONFIG /ALL shows the 1st DNS server as your DC
Also do a IPCONFIG /flushdns
0
 

Author Comment

by:HospiceChesapeake
Comment Utility
Confirmed and done.

Also, mind, you, this isn't segregated to just my machine, it's organization-wide.
0
 
LVL 1

Expert Comment

by:nrg2go
Comment Utility
I think the question here is what happens behind the scene when you press ctrl+alt+del.  As far as I know all that happens is that the logon screen loads. If I understand your question correctly, you aren't even past the logon screen yet, correct?  

When you look at your logon options, how many domains display?  Are they all valid active and trusted domains?

I would consider the following:
Is it slow because services are still loading in the background?
Is it slow because there is a bogus domain listed as one of the potential logon domains?
Is it slow because a group policy is applying a computer policy to the PC?

What happens if you disconnect the PC from the network and try ctrl+alt+del?


Just a few ideas here - hope one helps.
0
 
LVL 14

Expert Comment

by:BigBadWolf_000
Comment Utility
yes I understand ...just wanted to make sure :)

ok check to see if a GPO is enabled, make sure to
disable “Always wait for network at computer startup and logon” under Computer Configuration/Administrative Templates/System/Logon.

If thats not the issue...
update the network driver to the latest version (windows 7 certified driver).

0
 
LVL 14

Expert Comment

by:BigBadWolf_000
Comment Utility
Along nrg2go: recommendation also...remove one of the PCs from the domain....how does Alt+Ctrl+Del respond?
0
 
LVL 1

Expert Comment

by:nrg2go
Comment Utility
Just boot to safe mode without network support and see what happens.  This will eliminate any network component and and driver related issue.
0
 

Author Comment

by:HospiceChesapeake
Comment Utility
I actually do have that GPO disabled BigBadWolf.

I have tested with a PC removed and it's instantaneous when I CTRL+ALT+Delete - no delay at all. Which is what tells me it's something to do with the network.

All the drivers are 100% up to date.

We only have 1 domain listed - we don't have any more than 1 domain period.

If I simply disconnect the PC from the network, the CTRL+ALT+DEL is fast...
0
 
LVL 1

Expert Comment

by:nrg2go
Comment Utility
I assume the event log is of no help.  Need to setup boot debugging to troubleshoot.  This article should get you started - http://support.microsoft.com/kb/833721
0
 
LVL 14

Expert Comment

by:BigBadWolf_000
Comment Utility
How many users ...what switch are you using, make model?
If one switch unmanaged try restarting the switch
0
 
LVL 14

Expert Comment

by:BigBadWolf_000
Comment Utility
Check server event logs for any DNS or other errors
0
 

Author Comment

by:HospiceChesapeake
Comment Utility
We have anywhere from 20-50 users at any given time at this particular location (our businesses location by far)

Now, I'm not entirely sure if it's just 'this office'. We have 5 other locations and I do believe they have the same issue so it seems to be a global thing, not a segregated issue.
0
 

Author Comment

by:HospiceChesapeake
Comment Utility
BigBadWolf, you mean on the actual domain controller/dns server itself?
0
 
LVL 14

Expert Comment

by:BigBadWolf_000
Comment Utility
Yes
0
 
LVL 14

Expert Comment

by:BigBadWolf_000
Comment Utility
Is your DNS servering forwarding to your ISPs DNS
Is there only one DC at your location?
Are all the DCs on the same domain? If yes you are setup as sites (I am assuming all Windows 2008 DCs)
Which DC has all master role (would most likely be 1st DC setup in the org)
0
 

Author Comment

by:HospiceChesapeake
Comment Utility
We use OpenDNS rather than our providers DNS because of what OpenDNS offers.

We have only one DC/DNS server at each location, except our Datacenter, which no one authenticates to anyways.

They are all on the same domain - we have only one domain. Each site has it's own site name and everything exists within that site.

The primary DC is at our Datacenter so its not one that anyone would authenticate to at a local office.
0
 
LVL 14

Expert Comment

by:BigBadWolf_000
Comment Utility
On your local DC nic config what IPs are for primary and secondary DNS servers?
I am assiuming all sites care connected via site-2-site vpn or MPLS/etc, different IP subnet for eact site
0
 

Author Comment

by:HospiceChesapeake
Comment Utility
Each DC is setup so the first Primary DNS is the local for that server, 127.0.0.1 and the primary DNS for the entire domain as the secondary DNS.

Each site has a different IP range... for example this site is 192.168.10.x and another site is 192.168.11.x, so on and so forth. We're connected via VPN tunneling.
0
 
LVL 14

Expert Comment

by:BigBadWolf_000
Comment Utility
Try changing the 1st DNS on your local DC to its IP address instead of 127.0.0.1
That is a MS recommendation if only 1 DC on the site, yeay 127.0.0.1 is supposed to work too, but MS will suggest you use the machine's IP address

If two DCs then 1st DNS should be second DCs IP
and 2nd DNS should be same DCs IP
0
 

Author Comment

by:HospiceChesapeake
Comment Utility
So you're saying since I have only 1 IP, I use the local loopback (127.0.0.1) for DNS #1 and the actual IP of the same server for the secondary dns?
0
 

Author Comment

by:HospiceChesapeake
Comment Utility
I just made that change, setting both the primary and secondary IP to point to the same server and i'm not sure how fast I should see the change, but it didn't seem to make an immediate difference to say the least...
0
 

Author Comment

by:HospiceChesapeake
Comment Utility
Actually I think I may have become confused.

So, on the DC, it should be Primary DNS the actual IP address. And leave the secondary DNS empty?

What about the DHCP server? Obviously the Primary DNS on that should point to the local dc, but what about the secondary? Should it still point to the other DC as a failsafe?
0
 

Author Comment

by:HospiceChesapeake
Comment Utility
As a test, I made only the local DC the primary DNS and left the secondary blank, so it only would hit the local DC... and that made no difference :(
0
 
LVL 3

Expert Comment

by:KenTankrus
Comment Utility
Have you added anything new to the network? Is the whole network running slow or is it just logon? One thing I had a while back ago was someone added an extra cable from a server already plugged into the network creating a loop. It caused much havoc on the network.
0
 

Author Comment

by:HospiceChesapeake
Comment Utility
Hmm you know, we'll have our up and down moments. We have a Datacenter that we connect to and some days it seems like files open and save fast and some days it's slow. But, it could be because we're on FiOS at this particular location.

There's definitely something not right with the network and pin pointing it is going to be a disaster, I feel it... =\
0
 
LVL 1

Expert Comment

by:nrg2go
Comment Utility
You mentioned that you "do have that GPO disabled", what GPO were you referring to?
0
 

Author Comment

by:HospiceChesapeake
Comment Utility
In our primary DOMAIN Group Policy, we have disabled “Always wait for network at computer startup and logon” under Computer Configuration/Administrative Templates/System/Logon."

This has made no difference.
0
 
LVL 1

Expert Comment

by:nrg2go
Comment Utility
Do you have any start-up logon scripts under the Computer section of any of your GPOs?  The two last things that take place before you press Ctrl-Alt-Del are Apply Computer GPOs then run startup scripts.  I wonder if any scripts are still running.  Again, I would setup debugging to better identify what is happening - probably the first thing Microsoft would ask you to do to start troubleshooting.  Also, Microsoft specifically told me about a month ago that they now recommend 127.0.0.1 instead of using the DNS server's own IP address.  Just throwing that out there.  Their logic was less chance of a problem if you were to ever change IP addresses of the DNS server. Made logical sense to me.
0
 

Author Comment

by:HospiceChesapeake
Comment Utility
We use Desktop Authority ScriptLogic as our startup script; however, I believe this run's 'after' the login has been initiated. I don't believe we have anything in the GPO itself for startup.

I'm now confused on the DNS server. On the server itself, the Primary should be 127.0.0.1 and the secondary should be what... the same IP? an IP of another DC? what?
0
 
LVL 1

Expert Comment

by:nrg2go
Comment Utility
Not sure I would understand any reason to put the same server as a secondary.  Do you have a second DNS server in your site or anywhere on your domain you can use?  

The Computer Configuration settings get applied before you ever log onto your PC.  Can you temporarily disable Desktop Authority to test?
0
 

Author Comment

by:HospiceChesapeake
Comment Utility
Ok, I'll make the secondary another DNS server that we have.

I believe I can totally disable Desktop Authority for myself, so I'll do that and see if that makes any difference but I won't know until tomorrow when I'm back in the office.
0
 
LVL 1

Expert Comment

by:nrg2go
Comment Utility
Keep in mind td tohat since you have disabled  “Always wait for network at computer startup and logon”, any changes to Group Policy won't be noticed until the second time you logon.  With that disabled, the OS uses cached GPO settings from the last logon session.
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 

Author Comment

by:HospiceChesapeake
Comment Utility
Can't I do a gpupdate /force? Right now I'm on a VPN... also, Desktop Authority pushes out updates instantly.
0
 

Author Comment

by:HospiceChesapeake
Comment Utility
Also that GPO change, was made last week... so it definitely has had time to replicate.
0
 
LVL 1

Expert Comment

by:nrg2go
Comment Utility
Not sure what change you are referring to, but even if you do a gpupdate /force after removing your PC from Desktop Authority, you will be prompted to reboot for all GPOs to apply, do perform this reboot. Remember, the only GPOs we are concerned about are ones which apply to your computer, not to you as a user, so make certain your PC is removed from Desktop Authority.  Well, I am off to drinking wine and watching college basketball.  Good luck and go Buckeyes.
0
 

Author Comment

by:HospiceChesapeake
Comment Utility
What I was referring to was removing the script that starts Desktop Authority on my computer upon boot. This is found in AD Users/Computers in the Profile tab - thats the only way to fully remove ones self from Desktop Authority. So, if that doesn't do it... it's something else.
0
 
LVL 14

Expert Comment

by:BigBadWolf_000
Comment Utility
To clear up the DNS condusion...

Say your local DC IP is 192.168.1.12

In the DC's nic config the first DNS should be 192.168.1.12
The second DNS can be any of the other site DC IPs 192.168.2.xx

In your DHCP the first DNS should be 192.168.1.12

Note: It depends on who you talk to in MS. I worked with their senior engs on the DNS in relation to pure 2008 ADDS and they adviced me on not to use the 127.0.0.1 eventhough it shoiuld work with that config.

0
 

Author Comment

by:HospiceChesapeake
Comment Utility
Well, it's looking like we can rule DNS out at this rate anyways... nothing I seem to try DNS related is making a difference. Tomorrow we'll see if Desktop Authority plays a role. If it does, then I'm just screwed because we can't get rid of it.. if it's not the problem, then I'm still in the dark.
0
 

Author Comment

by:HospiceChesapeake
Comment Utility
It just dawned on me that Desktop Authority is 100% user based... so it really shouldn't make any difference with this issue because I could be on any computer, trying any other user, you know?

I'll rule it out tomorrow for sure, but it just doesn't sound like it's going to make a big difference, but you never know...
0
 

Author Comment

by:HospiceChesapeake
Comment Utility
Ok so I tested with Desktop Authority disabled for my username (because you can't disable it per computer) and I did notice it was slightly faster from a cold boot to do the Ctrl+Alt+del HOWEVER, I then locked the computer and did a Ctrl+Alt+Del and it still took forever - so I'm going to guess it's probably not Desktop Authority....
0
 
LVL 8

Expert Comment

by:dosdet2
Comment Utility
Are you using roaming profiles?  If so, here are some things to check:  (if not, ignore these)

Too much user profile data:
In Windows Explorer, R-click and check the properties on the folder \Documents & Settings\UserName
Note the size of the folder (in mb or gb) - If you are using vista or win7 you will also need to check \Users\UserName  
If the total of these folders is over 2gb, then that could cause slow loading.  Sometimes users will install itunes or something else that put a lot of data under these folders and roaming profiles has to synchronize all this data with what is in the server profile folder.  

There may also be a lot of Temp & temporary internet files (usually skipped but not always) that it syncs.  Also recent files folder does not clean up itself.  If you find a lot of space used, you may have to find where it is. - Also if you use Outlook, there could very large .ost and .pst files there that are constantly being transferred to the server profile.  You can move then to another server or local location.


Test for a corrupted profile:
Login as a given user.  Make sure that the that user is not logged in anywhere else.
Browse to the server & folder where the roaming profile is located.  Rename the folder for the profile assigned to the given user  ie: ProfileFolder.bad.  
Create another folder with the with the same name as the original folder.
Back at the workstation, log out of the domain normally.  It will take a while to rebuild the profile.
Log back in and test the for the lag.

Roaming profiles need maintenance to keep them efficient, either by admins or user practices.  In different forums I read that many techs do not use them because of this & other troubles.  For us, the convenience outweighs the cost of maintenance.  
My 2¢ worth


0
 

Author Comment

by:HospiceChesapeake
Comment Utility
We don't use roaming at all.
0
 
LVL 14

Expert Comment

by:BigBadWolf_000
Comment Utility
Do you map network drives? If yes, remove all mapings, disable any login scripts, restart and try, post results

Also (just a wild shot),
If you have hibernation enabled on the PC, try disabling it.
set the hard disk to never power down and standby to never happen.
0
 
LVL 14

Expert Comment

by:BigBadWolf_000
Comment Utility
0
 

Author Comment

by:HospiceChesapeake
Comment Utility
The mapped drives are done after the login occurs, through Desktop Authority. That shouldn't account for the long Ctrl+Alt+Del. Especially when the computer is merely locked.
0
 
LVL 3

Expert Comment

by:KenTankrus
Comment Utility
Desktop Authority will keep the settings on the computer, you may have to login to a computer (as a test) and remove DA completely, then undo the settings it's already changed. Did you upgrade to a newer DA recently? I've noticed especially with the windows 7 users it was particularly slow, and especially login. I had to go in to each machine to undo most of what it had done to those machines.
0
 

Author Comment

by:HospiceChesapeake
Comment Utility
The problem is, we cannot remove DA as it's an integral part of our organization. However, I don't mind trying to uninstall it completely just to see if that's the root cause.

I know that Desktop Authority has 8.1 update out. We're still on 8.04 so I've been wondering if updating would help anything out.

But I guess we'll see if its even DA after I test.
0
 
LVL 38

Expert Comment

by:ChiefIT
Comment Utility
is right click slow, and possibly the start button.

I am thinking this could be a context menu handler or an app trying to run from a remote location that doesn't exist.

Are there any other symptomps, Like:
the Start Task Manager context-menu link on the Taskbar is greyed out and Start Task Manager is no longer an option when Ctrl+Alt+Del is pressed.
0
 

Author Comment

by:HospiceChesapeake
Comment Utility
Nope, none of those issues appear present.
0
 
LVL 3

Expert Comment

by:KenTankrus
Comment Utility
Did removing DA from your test computer help?
0
 
LVL 1

Expert Comment

by:nrg2go
Comment Utility
On 03/01/11 04:07 PM, I had asked that he disable DA to test.  If you can't remove or disable it for the computer settings, then at least call DA support and ask if they have seen your issue before.  They have a forum which the question could be asked of others, you just need to have a valid license to access it.  In other words, rule out DA before looking any further please.
0
 

Author Comment

by:HospiceChesapeake
Comment Utility
I apologize - I meant to uninstall DA altogether on this machine today but had absolutely no opportunity to do so. I will set myself a reminder tomorrow to do so.

With the DA services removed from my machine completely - this should satisfy the test.

In fact - so I won't forget, I'll go ahead and uninstall now, that way first thing in the morning (which is where I always complain the most cause of the first logon taking forever) this will be a good indicator ... ruling out DA immediately.
0
 
LVL 38

Expert Comment

by:ChiefIT
Comment Utility
Let's check a couple things:

Check out this key and see what it's set to, locally:
System Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Value Name: DisableCAD
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = Require Ctrl+Alt+Delete, 1 = Disable)

Also check out the welcome screen for fast user switching. In your case, you want the welcome screen.

http://support.microsoft.com/kb/281980

How many users are effected??

0
 

Author Comment

by:HospiceChesapeake
Comment Utility
Ok - I tried deleting Desktop Authority altogether... made no difference at all.
0
 

Author Comment

by:HospiceChesapeake
Comment Utility
@ChiefIT

DisableCAD currently = 0 (which I assume we want for security reasons)

As for Fast User Switching, the article you lead me to doesn't seem to apply to Windows 7. I did find that within the GPO is something called "Hide entry points for Fast User Switching" which is what they refer to as enabling/disabling it I suppose.

Currently, we have the ability to "switch user" turned on (well, the policy is actually not configured) so that we can switch user over to an admin account as needed.
0
 
LVL 38

Expert Comment

by:ChiefIT
Comment Utility
While looking for the correct reg key, I did see an article about a WIN7 computer that the welcome screen for thirty seconds, (by design). It's stems from having a SINGLE color background on the desktop. Let's see if I can find it again.

YES: here it is:

http://support.microsoft.com/kb/977346
0
 

Author Comment

by:HospiceChesapeake
Comment Utility
Actually we can already rule this out because a.) it's not the delay 'after' logging in that's the problem, it's the control+alt+delete and then waiting for Username/Password to show up that is the problem. And, B.) we actually use Themes, so we don't have a solid background.

Thanks for the tip though - this could explain some delays on our servers though...
0
 

Author Comment

by:HospiceChesapeake
Comment Utility
To me, this totally seems like a 'network' related issue for some reason.

Almost like it's going out to find something ... maybe it's pulling GPO information, or DC information, IDK but it's not just me, it's a wide scale issue so it's definitely not a segregated issue.
0
 
LVL 8

Expert Comment

by:dosdet2
Comment Utility
Here is a shot in the dark.

Open Windows Explorer, Alt to open the top menu, Tools, View tab, under advanced settings - un-check the option "Automatically search for network folders and printers" and see if that makes a difference.

Another thought, do you have any NAS drives mapped to the workstations?  If so, try disconnecting the NAS drive and do a shut-down, then see if things get faster.

One more idea, run MSconfig and stop all programs from loading on boot, If the problem goes away- add them back in - one at a time until the lag returns.  It might give you more clues on where to look.  Please forgive me if you have already tried these.  Just trying to cover all bases.
:-)
0
 
LVL 8

Expert Comment

by:dosdet2
Comment Utility
I had another thought, check in the \Windows\tasks folder and see if there are any tasks that are set to run on boot-up.
0
 
LVL 38

Expert Comment

by:ChiefIT
Comment Utility
If it were a network related issue, the slowness would come when logging in, (as in the case of the solid color desktop). I have seen it too many times before where after the splash screen that loads the third party drivers, you get (opening network connection). ..

Maybe a verbose logon could help you troubleshoot what the hang is.

1. Open regedit and goto:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ Policies\System

2. In right-side pane create/modify DWORD value VerboseStatus and set its value to:

0 - To Disable Verbose Status Message
1 - To Enable Verbose Status Message

----------------------------------------------

To me, this sounds like the CTRL ALT DEL Context menu handler. A context menu handler for right click brings up a menu that allows you to copy/paste etc... The context menu handler for CTRL ALT DEL should bring up the logon screen. Sometimes these Context menu handlers get hosed by third party software.

0
 

Author Comment

by:HospiceChesapeake
Comment Utility
@dosdet2 - I cannot seem to locate the Automatically search for network folder and printers in Windows 7 where you described it to be.

We have no NAS drives installed at all on these laptops / desktops.

I'll give the MSConfig a try - but again, I'm thinking it's network related. Also, I checked and there are no scheduled tasks.

I did have a thought that maybe everyone can look at... we use a 'custom' User profile picture. Could THIS be causing the slow down? What if I disable this custom picture and see what happens??
0
 
LVL 8

Expert Comment

by:dosdet2
Comment Utility
At this point anything is worth a try if just to gain further clues or eliminate a possibility.  

What I was thinking about in the MSconfig was a third party program loading an "updater' module that was trying to downloading updates.   Or maybe an anti-virus checker or similar program that has central management.

0
 

Author Comment

by:HospiceChesapeake
Comment Utility
Let me elaborate a bit.

The GPO is Computer Config. > Admin Templates > Control Panel, User Accounts and "Apply the default user logon picture to all users" we have this enabled to show our company logo.

It's a relatively small file, so I really don't see why this would be any impact. But, I suppose I could try turning it off and see what happens... right?
0
 
LVL 8

Expert Comment

by:dosdet2
Comment Utility
The Automatically search function was from XP as I don't have a Win7 station handy.  I hoped it would be in a similar place.
0
 

Accepted Solution

by:
HospiceChesapeake earned 0 total points
Comment Utility
I discovered the problem was Desktop Authority Password Self-service. It's a tool we use for users to reset their own password and unlock their own account and they've since fixed the issue in a newer version.

Thanks all for the help!
0
 

Author Closing Comment

by:HospiceChesapeake
Comment Utility
Discovered the reason for this problem on my own by chance - happened to be upgrading that particular piece of software and vuala, problem was resolved.
0
 

Expert Comment

by:ExecTech24
Comment Utility
Hospice, this software .. it didn't happen to be SpecOps Password Client was it?
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Resolve DNS query failed errors for Exchange
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
This Micro Tutorial will give you a basic overview of Windows Live Photo Gallery and show you various editing filters and touches to photos you can apply. This will be demonstrated using Windows Live Photo Gallery on Windows 7 operating system.

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now