Solved

Black Logon Screen

Posted on 2014-03-03
23
1,947 Views
Last Modified: 2014-03-09
When users log onto their Windows 7 computer, they enter their credentials and then are taken to a black screen for about 5 to 8 minutes, the logon script runs (sometimes very slowly) and then their desktop shows.

I think this might be domain controller related.

Where do I go from here?
0
Comment
Question by:Robert Mohr
  • 9
  • 4
  • 4
  • +3
23 Comments
 
LVL 10

Assisted Solution

by:WayneATaylor
WayneATaylor earned 167 total points
ID: 39901588
You need to check what user GPOs are set for the user.

Best way is once logged in run

GPRESULT /R from a command prompt

That should show what is being configured/run on login.  You might find there is an application that its trying to install or something

You will need to delve into the AD a bit but I would assume its something in there.

Also worth checking if there is a login script set for the user from the normal AD user properties.

Wayne
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 39901615
What is the login script doing?  It sounds to me as though something in that login script is not working properly, causing the logon process to be very slow.  Also, you might want to check the following group policy setting and disable it if it is set to Enabled:

Computer Configuration\Administrative Templates\Logon\Always wait for the network at computer startup and logon

CAUTION:  If this setting is Enabled and you don't know why, I would suggest that you find out first before changing it.  There are some functions, like push software installation, that may require this setting to be Enabled to work properly.
0
 

Author Comment

by:Robert Mohr
ID: 39901659
I ran GPRESULT /R on a Windows 7 64-bit machine that took forever to get past the black screen. One interesting thing is that Domain Type says Windows 2000. End of last year we went from a 2000 Server Domain Controller to 2008 R2 Domain Controller. I believe that should read Domain Type: Windows 2008 or later.

I've listed the results below. Any thoughts on next steps? I'm not seeing anything here.
--
--
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\me.ourdomainname>gpresult /r

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 3/3/2014 at 3:03:55 PM


RSOP data for ourdomainname\me on me-PC : Logging Mode
-----------------------------------------------------------------------

OS Configuration:            Member Workstation
OS Version:                  6.1.7601
Site Name:                   Default-First-Site-Name
Roaming Profile:             N/A
Local Profile:               C:\Users\me.ourdomainname
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=me-PC,CN=Computers,DC=ourdomainname,DC=com
    Last time Group Policy was applied: 3/3/2014 at 3:02:47 PM
    Group Policy was applied from:      secondDC.ourdomainname.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        ourdomainname
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        SUS Client Policy
        Virtual session drive mapping
        Virtual session logon
        Default Domain Controllers Policy
        kms
        New Group Policy Object
        Time Server

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Allow log on through Terminal Services
            Filtering:  Disabled (GPO)

        ActiveX IE Client Policy
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

        W32tm
            Filtering:  Disabled (GPO)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        me-PC$
        Domain Computers
        System Mandatory Level


USER SETTINGS
--------------
    CN=melastname\, mefirstname,OU=alocation,DC=ourdomainname,DC=com
    Last time Group Policy was applied: 3/3/2014 at 2:41:54 PM
    Group Policy was applied from:      secondDC.ourdomainname.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        ourdomainname
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        SUS Client Policy
        ActiveX IE Client Policy
        Virtual session logon
        New Group Policy Object

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Allow log on through Terminal Services
            Filtering:  Disabled (GPO)

        Default Domain Controllers Policy
            Filtering:  Not Applied (Empty)

        Time Server
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

        kms
            Filtering:  Not Applied (Empty)

        Virtual session drive mapping
            Filtering:  Not Applied (Empty)

        W32tm
            Filtering:  Disabled (GPO)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        PRM Users Group
        BUILTIN\Administrators
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        CONSOLE LOGON
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        Document Management
        2010Professional
        Domain Admins
        Denied RODC Password Replication Group
        RAS and IAS Servers
        High Mandatory Level

C:\Users\me.ourdomainname>^A

Open in new window

0
 
LVL 10

Expert Comment

by:WayneATaylor
ID: 39901681
Don't worry too much about the domain type, as the schema can  be Windows 2000 type on a 2008 domain controller, it just keep backward compatibility.

The user GPOs then are:
       Default Domain Policy
        SUS Client Policy
        ActiveX IE Client Policy
        Virtual session logon
        New Group Policy Object

so you need to run Group Policy Management on the server and find those GPOs and see exactly what they are doing.

Did you also check if the user has a login script too in the normal AD user tool?
0
 
LVL 38

Assisted Solution

by:Adam Brown
Adam Brown earned 167 total points
ID: 39901761
Check to see if the group policy
Computer Configuration\Administrative Templates\System\Logon\Run Startup Scripts Synchronously
is enabled. If it is, the computer must wait for all scripts to complete before it will display the desktop. Either disable that or set to not configured. Also consider enabling the opposing policy
Computer Configuration\Administrative Templates\System\Logon\Run Startup Scripts Asynchronously
to improve boot times for your users.
0
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39901875
also check these...

1. you have any folder redirection configured?
2. software deployment policy ?
0
 

Author Comment

by:Robert Mohr
ID: 39901963
The scripts are drive mappings. I've checked.
I went ahead and based on recommendations in the Group Policy labeled Virtual Session Logon disabled Run Startup Scripts Synchronously.

Still get a black screen but it is only up for about 3 minutes. Perhaps it helped.

There is no folder redirection configured and no software deployment policy.

What next? Any other commands I can run to see what is going on during this black screen period?
0
 
LVL 38

Expert Comment

by:Adam Brown
ID: 39901974
Run your login scripts in a command prompt window to see what they are doing. It should function pretty similar how it's running before login. If it runs faster when you run it while fully logged in, it most likely is taking your computers longer than usual to get fully connected to the network and the script is failing to execute properly before the network is connected and continues to try. May also help if you post the login script (Remove proprietary info)
0
 
LVL 47

Expert Comment

by:dbrunton
ID: 39902126
Also check the user's desktop and see how much is there.  

Also check My Documents and see how much is there.

If too much data in those places the login could be slow as the server and workstation synchronize.
0
 

Author Comment

by:Robert Mohr
ID: 39902413
Desktop and My documents are fine. No issues or too much data.
If the info script info below doesn't help then perhaps we should start talking about our Domain Controller and Secondary Replicated Domain Controller. Maybe we've set that up wrong?

Below is the script and then the results of the script.
======
Here is the actual script that runs at login and is also referenced in the users Active Directory Profile tab
--
@echo off

echo ***%LOGONSERVER%***

echo ***Mappings***
net use g: "\\adminusw1\data db contract billing" /yes
net use h: "\\adminusw1\data contracting" /yes
net use j: "\\adminusw1\data admin operations" /yes
net use k: "\\adminv2\data executive" /yes
net use l: "\\adminusw1\data billing" /yes
net use m: "\\adminusw1\install" /yes
net use n: "\\adminusw1\data corporate forms and lists" /yes
net use o: "\\adminusw1\data marketing" /yes
net use p: /delete
net use p: /home /P:yes
net use q: "\\filev\AP Files" /yes
net use r: "\\adminusw1\LaGrange" /yes
net use s: "\\adminusw1\Park Ridge" /yes
net use t: "\\fileusw\Harvey" /yes
net use u: "\\adminv2\Credentialing" /yes
net use z: "\\sqlv\Analyzer" /yes

===========
Here is the results of the login script when I run it from a command prompt
----
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\meuser.domain>login.bat
***\\adminv1***
***Mappings***
System error 85 has occurred.

The local device name is already in use.

System error 85 has occurred.

The local device name is already in use.

System error 85 has occurred.

The local device name is already in use.

System error 85 has occurred.

The local device name is already in use.

System error 85 has occurred.

The local device name is already in use.

System error 85 has occurred.

The local device name is already in use.

System error 85 has occurred.

The local device name is already in use.

System error 85 has occurred.

The local device name is already in use.

p: was deleted successfully.

Drive p: is now connected to \\adminv1\users. Your home directory is p:\meuser.

System error 85 has occurred.

The local device name is already in use.

System error 85 has occurred.

The local device name is already in use.

System error 85 has occurred.

The local device name is already in use.

System error 85 has occurred.

The local device name is already in use.

System error 85 has occurred.

The local device name is already in use.

System error 85 has occurred.

The local device name is already in use.


C:\Users\meuser.domain>

Open in new window

0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 39903348
One thing to try at this point, since all your login script is doing is mapping drives, would be to use group police Preferences/Drive Maps rather than using a login script at all.  The way I handle drive mappings, including the home directory is:

1.  Set up a group policy with the Preferences/Drive Maps configured to do all drive mapping.  You can even using the filtering capabilities to map different drives for different groups of users.  If you want to try this and need some assistance, post back.

2.  You don't need to map the home directory through a logon script. Set the home drive mapping in the users' Active Directory accounts on the Profile tab, under "Home folder."

I would urge you to try this and see if it helps the logon slowness.  For one thing, doing this through group policy will allow the drive mappings to be done in the background during the logon process instead of slowing down the process to run a script.
0
 

Author Comment

by:Robert Mohr
ID: 39903561
I have gone into each one of our Group Policy Objects, Details, GPO Status and chosen All Settings Disabled. I've also removed the login script and drive mapping from the user profile in Active Directory.

Results
Login response time is still long after entering credentials
All my errors related to group policy in the event viewer have gone (at least that is resolved for the time being)

Any other suggestions to see why the screen is black for about 4-5 minutes before showing the desktop?
0
 
LVL 38

Accepted Solution

by:
Hypercat (Deb) earned 166 total points
ID: 39903926
Now we might want to look at your domain controller and DNS setup to see if there's something there that might be causing slowness.  I think the place to start would be to run dcdiag and dcdiag /test:DNS to see if you find any problems there.  Post the results here if you need help with the analysis.
0
 

Author Comment

by:Robert Mohr
ID: 39904382
Great recommendation although it didn't solve the issue. Running dcdiag and dcdiag /test:DNS did however uncover the wrong DNS address on our domain controller on the adapter properties. It was pointing to our old DC for DNS. We've updated that but black screens still persist.

NOTE - I have some VMs in my environment that do not have black screens. I've tried to figure out why some get black logon screens that lasts upwards of 5 minutes and some do not.  Looking for inconsistencies between the two perhaps?

Any other thoughts?
0
 
LVL 10

Expert Comment

by:WayneATaylor
ID: 39904392
Might sound silly, but I assume if you login as a local user it does login OK and quickly?

Wayne
0
 
LVL 47

Expert Comment

by:dbrunton
ID: 39904405
If you create a new user does that new user log on slow or fast?
0
 

Author Comment

by:Robert Mohr
ID: 39904416
Wayne - The local user is quick with no issues.

Not sure on the new user piece yet. I'll have to create one and try logging in.

This issue is relegated to several users and not all.
0
 
LVL 47

Expert Comment

by:dbrunton
ID: 39904438
>>  This issue is relegated to several users and not all.

Can try creating a new profile for one of the affected users and moving all of their data across.  Could be corrupt profile.
0
 

Author Comment

by:Robert Mohr
ID: 39904472
Could be but don't know why we would have multiple corrupt profiles. Is there a way to tell if a profile is corrupt without re-doing?
0
 
LVL 47

Expert Comment

by:dbrunton
ID: 39904502
None, that I know of.

Does the problem follow the user or is it localised to a specific set of computers, ie, if an affected user moves to another computer (where there are no problems) does the slowing down still occur?  

And the reverse, if a non affected user move to a location where the problem occurs is that user affected?
0
 

Author Comment

by:Robert Mohr
ID: 39904569
Here are two people and their scenarios -

ME
I log into my physical PC and the login time takes long time
I log into a virtual machine (vmware) and login time is quick
I log into a laptop and it takes a long time.

A User
A user Logs into a VM and it takes a long time
A user logs into a laptop and it takes a long time

Not sure if this is profile related. Profile related means I would have a profile follow/roaming profiles turned on which I don't. Users can log into any PC with their credentials but profile settings are not carried over from one machine to the next.

Is there a log that shows what is going on during those 5 mintues of black screen?
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 39906473
How about any folder redirection?

Do you use DHCP to set workstation TCP/IP settings, or are they manual?

Are there any consistencies between the machines you're testing?  That is, if you log in to the same VM that the user logs in to, does it take a long time or is it quick? As dbrunton said, we need to figure out if it follows the user from machine to machine, or if it is certain machines that are causing the issue.
0
 

Author Comment

by:Robert Mohr
ID: 39907845
FINALLY! Figured it out.

We had a server with several mapped network drives that was not responding.
When users scripts would attempt to run it would hang on that servers shares because it couldn't connect.

We ended up killing the auditing software that was running on this server causing it to hang, reboot and all users lost their black screens because they could connect to the shares once again on that server.

All the above helped however uncover DNS issues in our environment along with Group Policy issues both of which were unrelated to the black screen!
0

Join & Write a Comment

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
OfficeMate Freezes on login or does not load after login credentials are input.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now