Computers take a long time to login to domain

We have an Active Directory domain with 2 Domain Controllers (DC1 and DC2) running on Windows Server 2008 R2 SP1 and approximately 200 Windows XP SP3 computers (Mix of Desktops and Laptops). We have been having issues with long login times (Typically 3-5 Minutes) while logging into the domain.

When you type in your username and password to login to the domain and press OK, the login box stays up for approximately 15-20 seconds before switching to "Applying Settings" where it sits for approximately 1.5-2 minutes, then to "Applying Personal Settings" for another 30 seconds - 1 minute. Then another 30 seconds - 1 minute or so before the background and icons show up.

We are distributing policies from the Domain Controller via Group Policy for drive mappings, printers, and folder redirection, as well as some other misc settings.

I did some searching before posting this and have already checked the suggestion to make sure that the XP workstation's DNS is pointing to the local DC and not my ISP (It was already configured this way), and the DNS server is pointing to itself for DNS (as recommended).

I have also tried the suggestion to Enable the group policy for the synchronous network login, that did not help.

I have also run gpresult /z on the computer (But I dont really know what that is supposed to be telling me other than the policies in effect on the system)

For a little more information .... When booting the system if I wait 15-20 minutes before logging in, the computer logs in significantly faster but still not as fast as it should and once I am logged in, if I log off and then login again the computer will login within 20 seconds.

LVL 4
Grasty86Asked:
Who is Participating?
 
Grasty86Author Commented:
Apparently no one has the solution, we are now moving on to Windows 7 so this XP question is no longer valid.
0
 
p_nutsCommented:
Ok a couple of things ..

Are you using GPO? Are you using roaming profiles?
Does it happen with all users.

How are the machines build sp1 and then sp2 and sp3?

I've found the installation of all updates and sp's makes it slower. Also if you logoff and don't have the user hyve cleanup service running the profile stays in memory  and thus relogin is like starting from hibernation.  
0
 
Grasty86Author Commented:
Yes we are using GPO, no roaming profiles

Yes this happens with all users. Server 2008 R2 is at SP1 (Was updated last week but the issue has been happening for at least 5 months). the workstations are at XP Pro SP3.
0
How do you know if your security is working?

Protecting your business doesn’t have to mean sifting through endless alerts and notifications. With WatchGuard Total Security Suite, you can feel confident that your business is secure, meaning you can get back to the things that have been sitting on your to-do list.

 
p_nutsCommented:
The bulk  of the time is applying settings which means the GPO's are loading. See if you have gpo's that have too much settings and if there aren't a lot of ADM files that aren't used ..

Also try to find how many GPO's are active...
do an rsop.msc to see what is active
 
0
 
Grasty86Author Commented:
Run rsop.msc on the DC or the Workstation?
0
 
Grasty86Author Commented:
After running rsop.msc I found that there are some settings being set that arent in my Group Policy. For example, there is a policy in here from the "Local Group Policy" that is point my Windows Updates to my WSUS server, but I dont remember ever configuring that. Forgive my ignorance, but where do I see the settings that are being sent to this computer using Local Group Policy?
0
 
p_nutsCommented:
Ok. On the client run rsop.msc.

Each setting should show the GPO that is inforcing the setting.
0
 
Grasty86Author Commented:
As I said, I ran it on the client and there are a bunch of settings which are coming from "Local Group Policy". I dont remember ever setting these and I am not sure where they are coming from. There are settings for BITS in there as well as settings to point Windows Update to our WSUS Server, but none of our group policies have those settings on them. So I dont know where these Local Group Policies are coming from. Any Clues?
0
 
p_nutsCommented:
Check ad if there is a policy with that name
0
 
p_nutsCommented:
Also in rsop

Right click computer settings and choose properties.

there you should find all policies and you can check the box to show the source
0
 
Grasty86Author Commented:
That still doesnt tell me where this policy is coming from. As I have said already, there is no GPO named Local Group Policy and in rsop.msc it says its scope of management is "Local"

 rsop Computer Config Properties
0
 
Grasty86Author Commented:
Also, here is my latest gpresult /z ..... maybe someone can tell me if they see something wrong in here. gpresult10.txt
0
 
p_nutsCommented:
Not at a glance but check the sizes.. You might want to remove the ADM files that aren't used.
0
 
concealwpn1Commented:
Are you using any WMI Filters on your GPOs that use the Win32_Product class? The use of this WMI class in a WMI filter can lead to significant delays in GPO processing depending on the number and complexity of MSI packages installed. The Win32reg_AddRemovePrograms is a more enumeration efficient class to use in GPO WMI filter strings.

http://support.microsoft.com/kb/974524
http://sdmsoftware.com/blog/2010/04/11/why-win32_product-is-bad-news/
0
 
Grasty86Author Commented:
I don't believe we are using wmi filters at all.
0
 
Grasty86Author Commented:
here is some new information

We found that our User Config was being applied twice because of the way we were linking our group policies. Our user config happened to contain all the drive mappings, printers, etc. so it was a decent sized policy and everything was being applied twice.

So, we split our policy into two. We put all the user config items into LV User Policies, and all the Workstation config items into LC Workstation Policies. Then we linked User Policy to the Users OU and Workstation Policy to the Workstation OU. This made the login about 10 seconds faster ... but it still takes around 3-4 minutes to login.

So, I decided to figure out which policy is taking the longest to run. So, I removed all of the policies from an OU that I am using to Test (Using the Block Inheritance feature). The computer still takes 2 minutes to login (about 30 seconds faster than before). So that tells me that my policies are only taking 20-30 seconds to run, but something else is making the login take an additional 2 minutes.

Any ideas?
0
 
Grasty86Author Commented:
Problem was not solved
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.