Robert Mohr
asked on
Black Logon Screen
When users log onto their Windows 7 computer, they enter their credentials and then are taken to a black screen for about 5 to 8 minutes, the logon script runs (sometimes very slowly) and then their desktop shows.
I think this might be domain controller related.
Where do I go from here?
ASKER
I ran GPRESULT /R on a Windows 7 64-bit machine that took forever to get past the black screen. One interesting thing is that Domain Type says Windows 2000. End of last year we went from a 2000 Server Domain Controller to 2008 R2 Domain Controller. I believe that should read Domain Type: Windows 2008 or later.
I've listed the results below. Any thoughts on next steps? I'm not seeing anything here.
--
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\me.ourdomainname>gpresult /r
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 3/3/2014 at 3:03:55 PM
RSOP data for ourdomainname\me on me-PC : Logging Mode
-----------------------------------------------------------------------
OS Configuration: Member Workstation
OS Version: 6.1.7601
Site Name: Default-First-Site-Name
Roaming Profile: N/A
Local Profile: C:\Users\me.ourdomainname
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
CN=me-PC,CN=Computers,DC=ourdomainname,DC=com
Last time Group Policy was applied: 3/3/2014 at 3:02:47 PM
Group Policy was applied from: secondDC.ourdomainname.com
Group Policy slow link threshold: 500 kbps
Domain Name: ourdomainname
Domain Type: Windows 2000
Applied Group Policy Objects
-----------------------------
Default Domain Policy
SUS Client Policy
Virtual session drive mapping
Virtual session logon
Default Domain Controllers Policy
kms
New Group Policy Object
Time Server
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Allow log on through Terminal Services
Filtering: Disabled (GPO)
ActiveX IE Client Policy
Filtering: Not Applied (Empty)
Local Group Policy
Filtering: Not Applied (Empty)
W32tm
Filtering: Disabled (GPO)
The computer is a part of the following security groups
-------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
me-PC$
Domain Computers
System Mandatory Level
USER SETTINGS
--------------
CN=melastname\, mefirstname,OU=alocation,DC=ourdomainname,DC=com
Last time Group Policy was applied: 3/3/2014 at 2:41:54 PM
Group Policy was applied from: secondDC.ourdomainname.com
Group Policy slow link threshold: 500 kbps
Domain Name: ourdomainname
Domain Type: Windows 2000
Applied Group Policy Objects
-----------------------------
Default Domain Policy
SUS Client Policy
ActiveX IE Client Policy
Virtual session logon
New Group Policy Object
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Allow log on through Terminal Services
Filtering: Disabled (GPO)
Default Domain Controllers Policy
Filtering: Not Applied (Empty)
Time Server
Filtering: Not Applied (Empty)
Local Group Policy
Filtering: Not Applied (Empty)
kms
Filtering: Not Applied (Empty)
Virtual session drive mapping
Filtering: Not Applied (Empty)
W32tm
Filtering: Disabled (GPO)
The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
PRM Users Group
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
CONSOLE LOGON
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
Document Management
2010Professional
Domain Admins
Denied RODC Password Replication Group
RAS and IAS Servers
High Mandatory Level
C:\Users\me.ourdomainname>^A
Don't worry too much about the domain type, as the schema can be Windows 2000 type on a 2008 domain controller; it just keeps backward compatibility.
The user GPOs then are:
Default Domain Policy
SUS Client Policy
ActiveX IE Client Policy
Virtual session logon
New Group Policy Object
so you need to run Group Policy Management on the server and find those GPOs and see exactly what they are doing.
Did you also check if the user has a login script too in the normal AD user tool?
also check these...
1. you have any folder redirection configured?
2. software deployment policy ?
ASKER
The scripts are drive mappings. I've checked.
I went ahead and based on recommendations in the Group Policy labeled Virtual Session Logon disabled Run Startup Scripts Synchronously.
Still get a black screen but it is only up for about 3 minutes. Perhaps it helped.
There is no folder redirection configured and no software deployment policy.
What next? Any other commands I can run to see what is going on during this black screen period?
Run your login scripts in a command prompt window to see what they are doing. It should function pretty similar to how it's running before login. If it runs faster when you run it while fully logged in, it most likely is taking your computers longer than usual to get fully connected to the network and the script is failing to execute properly before the network is connected and continues to try. May also help if you post the login script (remove proprietary info).
Also check the user's desktop and see how much is there.
Also check My Documents and see how much is there.
If too much data in those places the login could be slow as the server and workstation synchronize.
ASKER
Desktop and My documents are fine. No issues or too much data.
If the script info below doesn't help then perhaps we should start talking about our Domain Controller and Secondary Replicated Domain Controller. Maybe we've set that up wrong?
Below is the script and then the results of the script.
======
Here is the actual script that runs at login and is also referenced in the user's Active Directory Profile tab
--
@echo off
echo ***%LOGONSERVER%***
echo ***Mappings***
net use g: "\\adminusw1\data db contract billing" /yes
net use h: "\\adminusw1\data contracting" /yes
net use j: "\\adminusw1\data admin operations" /yes
net use k: "\\adminv2\data executive" /yes
net use l: "\\adminusw1\data billing" /yes
net use m: "\\adminusw1\install" /yes
net use n: "\\adminusw1\data corporate forms and lists" /yes
net use o: "\\adminusw1\data marketing" /yes
net use p: /delete
net use p: /home /P:yes
net use q: "\\filev\AP Files" /yes
net use r: "\\adminusw1\LaGrange" /yes
net use s: "\\adminusw1\Park Ridge" /yes
net use t: "\\fileusw\Harvey" /yes
net use u: "\\adminv2\Credentialing" /yes
net use z: "\\sqlv\Analyzer" /yes
===========
Here are the results of the login script when I run it from a command prompt
----
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\meuser.domain>login.bat
***\\adminv1***
***Mappings***
System error 85 has occurred.
The local device name is already in use.
System error 85 has occurred.
The local device name is already in use.
System error 85 has occurred.
The local device name is already in use.
System error 85 has occurred.
The local device name is already in use.
System error 85 has occurred.
The local device name is already in use.
System error 85 has occurred.
The local device name is already in use.
System error 85 has occurred.
The local device name is already in use.
System error 85 has occurred.
The local device name is already in use.
p: was deleted successfully.
Drive p: is now connected to \\adminv1\users. Your home directory is p:\meuser.
System error 85 has occurred.
The local device name is already in use.
System error 85 has occurred.
The local device name is already in use.
System error 85 has occurred.
The local device name is already in use.
System error 85 has occurred.
The local device name is already in use.
System error 85 has occurred.
The local device name is already in use.
System error 85 has occurred.
The local device name is already in use.
C:\Users\meuser.domain>
One thing to try at this point, since all your login script is doing is mapping drives, would be to use Group Policy Preferences/Drive Maps rather than using a login script at all. The way I handle drive mappings, including the home directory is:
1. Set up a group policy with the Preferences/Drive Maps configured to do all drive mapping. You can even use the filtering capabilities to map different drives for different groups of users. If you want to try this and need some assistance, post back.
2. You don't need to map the home directory through a logon script. Set the home drive mapping in the users' Active Directory accounts on the Profile tab, under "Home folder."
I would urge you to try this and see if it helps the logon slowness. For one thing, doing this through group policy will allow the drive mappings to be done in the background during the logon process instead of slowing down the process to run a script.
ASKER
I have gone into each one of our Group Policy Objects, Details, GPO Status and chosen All Settings Disabled. I've also removed the login script and drive mapping from the user profile in Active Directory.
Results
Login response time is still long after entering credentials
All my errors related to group policy in the event viewer have gone (at least that is resolved for the time being)
Any other suggestions to see why the screen is black for about 4-5 minutes before showing the desktop?
ASKER
Great recommendation although it didn't solve the issue. Running dcdiag and dcdiag /test:DNS did however uncover the wrong DNS address on our domain controller on the adapter properties. It was pointing to our old DC for DNS. We've updated that but black screens still persist.
NOTE - I have some VMs in my environment that do not have black screens. I've tried to figure out why some get black logon screens that lasts upwards of 5 minutes and some do not. Looking for inconsistencies between the two perhaps?
Any other thoughts?
Might sound silly, but I assume if you login as a local user it does login OK and quickly?
Wayne
If you create a new user does that new user log on slow or fast?
ASKER
Wayne - The local user is quick with no issues.
Not sure on the new user piece yet. I'll have to create one and try logging in.
This issue is relegated to several users and not all.
>> This issue is relegated to several users and not all.
Can try creating a new profile for one of the affected users and moving all of their data across. Could be corrupt profile.
ASKER
Could be but don't know why we would have multiple corrupt profiles. Is there a way to tell if a profile is corrupt without re-doing?
None, that I know of.
Does the problem follow the user or is it localised to a specific set of computers, ie, if an affected user moves to another computer (where there are no problems) does the slowing down still occur?
And the reverse, if a non affected user move to a location where the problem occurs is that user affected?
ASKER
Here are two people and their scenarios -
ME
I log into my physical PC and the login time takes a long time
I log into a virtual machine (vmware) and login time is quick
I log into a laptop and it takes a long time.
A User
A user Logs into a VM and it takes a long time
A user logs into a laptop and it takes a long time
Not sure if this is profile related. Profile related means I would have a profile follow/roaming profiles turned on which I don't. Users can log into any PC with their credentials but profile settings are not carried over from one machine to the next.
Is there a log that shows what is going on during those 5 minutes of black screen?
How about any folder redirection?
Do you use DHCP to set workstation TCP/IP settings, or are they manual?
Are there any consistencies between the machines you're testing? That is, if you log in to the same VM that the user logs in to, does it take a long time or is it quick? As dbrunton said, we need to figure out if it follows the user from machine to machine, or if it is certain machines that are causing the issue.
Do you use DHCP to set workstation TCP/IP settings, or are they manual?
Are there any consistencies between the machines you're testing? That is, if you log in to the same VM that the user logs in to, does it take a long time or is it quick? As dbrunton said, we need to figure out if it follows the user from machine to machine, or if it is certain machines that are causing the issue.
ASKER
FINALLY! Figured it out.
We had a server with several mapped network drives that was not responding.
When users' scripts would attempt to run it would hang on that server's shares because it couldn't connect.
We ended up killing the auditing software that was running on this server causing it to hang, reboot and all users lost their black screens because they could connect to the shares once again on that server.
All the above helped however uncover DNS issues in our environment along with Group Policy issues both of which were unrelated to the black screen!
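A time-bounded check of the file servers behind the logon script's drive mappings, as an added example that is not part of the original thread: it probes TCP 445 and then one share per server, so a server that accepts connections but hangs on SMB access shows up as a timeout instead of a stalled logon. The share paths are taken from the login.bat posted above; the function names and timeout values are assumptions, and the calls used work on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example, not from the thread. Share paths come from the login.bat
# posted above; the timeout values are assumptions to tune for your network.
$Shares = @(
    '\\adminusw1\install',
    '\\adminv2\Credentialing',
    '\\filev\AP Files',
    '\\fileusw\Harvey',
    '\\sqlv\Analyzer'
)
$PortTimeoutMs   = 2000   # TCP connect budget per server
$ShareTimeoutSec = 10     # SMB access budget per share

function Test-SmbPort {
    param([string]$Server, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so the wait is capped at $TimeoutMs.
        $pending = $client.BeginConnect($Server, 445, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'TIMEOUT' }
        $client.EndConnect($pending)   # throws on refusal or name-resolution failure
        return 'OK'
    }
    catch { return 'FAILED' }
    finally { $client.Close() }
}

function Test-ShareAccess {
    param([string]$Path, [int]$TimeoutSec)
    # Run the access in a background job so the wait is bounded by $TimeoutSec.
    $job = Start-Job -ScriptBlock { param($p) Test-Path -LiteralPath $p } -ArgumentList $Path
    try {
        if (-not (Wait-Job -Job $job -Timeout $TimeoutSec)) { return 'TIMEOUT' }
        if (Receive-Job -Job $job) { return 'OK' } else { return 'UNAVAILABLE' }
    }
    finally { Remove-Job -Job $job -Force }
}

foreach ($share in $Shares) {
    $server = $share.TrimStart('\').Split('\')[0]
    $timer  = [System.Diagnostics.Stopwatch]::StartNew()
    $port   = Test-SmbPort -Server $server -TimeoutMs $PortTimeoutMs
    # Only attempt SMB access when the port answered; otherwise record the skip.
    $access = if ($port -eq 'OK') { Test-ShareAccess -Path $share -TimeoutSec $ShareTimeoutSec } else { 'SKIPPED' }
    New-Object PSObject -Property @{
        Share = $share; Port445 = $port; Access = $access
        Seconds = [math]::Round($timer.Elapsed.TotalSeconds, 1)
    } | Select-Object Share, Port445, Access, Seconds
}
```

Run it as an affected user on an affected machine; any row showing TIMEOUT identifies the server to investigate before changing Group Policy or profiles.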
Computer Configuration\Administrati
CAUTION: If this setting is Enabled and you don't know why, I would suggest that you find out first before changing it. There are some functions, like push software installation, that may require this setting to be Enabled to work properly.