Unlocking all computers takes 25 or so seconds, what gives?

Mike Schrock
Ok Experts here is a doozy for us...
Unlocking domain accounts on our computers takes about 20 seconds, doesn't matter the hardware, old computers, new computers, doesn't matter. Started Monday, no changes to Group Policy were made.
Additional info: Remoting (RDP) into the computer is instant, like it should be, being physically at it seems to cause the issue. Any computer is doing this, doesn't matter the specs, how many monitors, and/or what video card make/model. All the computers are Dell and the hardware firmware and driver versions don't matter either.
Background: We needed to turn off the AppReadiness service due to several users getting black screens after login, you could run commands manually however explorer wouldn't load.
We were very behind on updates on all of our compute devices and seem to have caught up, however this is annoying us now.

Please let me know if any additional information is needed, the whole RDP is OK but physical is not is really puzzling us. Logon does take a hair longer as well, but folks aren't complaining to us about it.

Thank you!!
Checked event logs? I would expect some clues there.
Mike SchrockIT Operations Manager

Author

Commented:
Nothing matching in the event logs on the computer, nothing abnormal.
Top Expert 2013

Commented:
test if it happens after a system restore to a date it was ok - then check what happens -  updates etc...

Mike SchrockIT Operations Manager

Author

Commented:
The restore yields the same results, it claims no updates were done. Local accounts login/unlock with no delay, only domain accounts and only when physically at the machine.
This one is a doozy for sure.
Shaun VermaakSenior Consultant
Awarded 2017
Distinguished Expert 2018

Commented:
Check if cached logons were disabled
Mike SchrockIT Operations Manager

Author

Commented:
@Shaun Vermaak - Not 100% sure on where to check, did some digging though:
Network access: Do not allow storage of passwords and credentials for network authentication - is not defined.
Interactive logon: Number of previous logons to cache (in case domain controller is not available) - is not defined.

If these aren't it, let me know.
We know it is domain related, but one piece that doesn't make sense is why when remoting in via RDP is it instant...
Distinguished Expert 2018

Commented:
not defined means 10 logons are cached by default, so that's not the problem. If RDP is fast, local accounts at the console are fast, domain accounts at the console are slow - that could mean, you have GPOs that are applied to users only if they use the console way to logon… is that even possible? Shaun, what do you say?

Anyway, you should be able to find it out this way: logon as administrator and start procmon. Now switch the account (disconnect the administrator session while having procmon record anything) and see what that Log brings up.
Mike SchrockIT Operations Manager

Author

Commented:
I haven't done desktops in a long while, so most of what is going on in procmon looks normal, however I could be mistaken. I tried uploading however there is a cap to what I can :/
I'll try to limit it down and upload, unless there is another way to get another set of eyes on it.
Distinguished Expert 2018

Commented:
Filter the log and drop things that don't matter. Zip it. If that doesn't suffice, use Mozilla's upload service: https://send.firefox.com
Mike SchrockIT Operations Manager

Author

Commented:
I was unable to cut it down enough, here is the send FF link: https://send.firefox.com/download/61bdf6a97169ecbc/#eLWyBH2JKFuYLAVfkabaLg
Thank you!
Top Expert 2016

Commented:
Unlocking domain accounts on our computers takes about 20 second

Windows lock screen? Locked Account (due to password failures)
Mike SchrockIT Operations Manager

Author

Commented:
@David Johnson - There are no password failures - it just sits stating welcome with the spinning wheel for about 20 seconds, then unlocks. If remoting into the computer, it is instant (onsite or offsite).
Distinguished Expert 2018

Commented:
Will not be able to look at the log before Sunday evening.
Mike SchrockIT Operations Manager

Author

Commented:
No worries at all, been all week and weekends are ghost town, I really do appreciate the look through.
Top Expert 2016

Commented:
I would suggest using the Windows Performance Analyzer to find out where the hangup is.
Distinguished Expert 2018

Commented:
Mike, could you please re-upload it? The link must have expired and is no longer working.
Mike SchrockIT Operations Manager

Author

Commented:
Distinguished Expert 2018

Commented:
Zip that please and re-upload. I will not download 1 GB.
Top Expert 2016

Commented:
Mike SchrockIT Operations Manager

Author

Commented:
Thank you David and McKnife
Distinguished Expert 2018

Commented:
David, that link is already expired, since somebody else downloaded it :-) It expires after one day or one download, whatever happens first… So have another go, just for me (Send via private message, please)
Top Expert 2016

Commented:
pml files to me are pretty much useless; Windows Performance Toolkit will tell me if it's waiting on cpu/disk and the time that it is waiting
Mike SchrockIT Operations Manager

Author

Commented:
@David Johnson, I'll try and get this going tomorrow with some results. I don't feel it is computer hardware related, more on process or Windows, if we use a local account or RDP in it is normal load times.

Thank you!
Distinguished Expert 2018

Commented:
Hi Mike.

Having quite a time with your logfile! It will be almost impossible to diagnose if you don't get rid of all these background processes!
Please stop all 3rd party services. All. No VNC, no LanControl, no Cylance… so open msconfig and disable anything non-Microsoft in the services section and restart. See if the problem even happens, then and if it does, create a new zipped logfile and upload it. If you manage to reduce it to the time the logon problem occurs, it will (zipped) surely be much smaller than 50 MB and uploadable here.
Mike SchrockIT Operations Manager

Author

Commented:
I'll see if I can get a clean computer to do this on or do it on mine tomorrow morning.
Top Expert 2016

Commented:
Mike SchrockIT Operations Manager

Author

Commented:
I was trying to run the PROCMon under the 'Diagnostic  startup' options in MSCONFIG.
I couldn't do anything (including get to procmon because it's stored on the network) however the computer unlocked as it should.
I'll still try and get a clean procmon of it however doing that while working fine seems rather futile.
Attached are some snips of services that were running while in diag mode and normal boot. I'll start with biggies first to see which one is causing this odd issue, if anyone has suggestions on which to try first I'm up for it as this list is rather long.
diagstart.JPG
activeservices.jpg
Distinguished Expert 2018

Commented:
It should be a matter of 5 or 6 restarts to find out which service is the culprit.
Use msconfig to disable the startup of the upper half of 3rd party ("non-microsoft") services - reboot. If the problem is still present, disable the upper half of the remaining half - restart and so on until you find it.
Mike SchrockIT Operations Manager

Author

Commented:
Will do, may need to find a computer to test this on as I can't have mine out for the count like this. Will circle back with findings.

Thank you!
Mike SchrockIT Operations Manager

Author

Commented:
Ok it is narrowed down to one of these fine services:

DHCP Client
DNS Client
Network Store Interface Service
Security Center
System Guard Runtime Monitor
WinHTTP Web Proxy

I'll need to disable these manually in registry, seems like a fine thing to do tomorrow.
Most likely going to do the four on the bottom first.
Mike SchrockIT Operations Manager

Author

Commented:
Apologies for the delay - The rest of the services didn't help, when the network is killed the computer unlocks as it should under domain accounts (I did manage to kill the computer I was using).
So I think that should eliminate group policy and something local on the machine(s).

gggrrrrrrrrr
Distinguished Expert 2018

Commented:
And you did eliminate all 3rd party services from the equation?
Mike SchrockIT Operations Manager

Author

Commented:
Yes - I was down to base windows then turned those off
On a normally working station now, I can just kill (disable) the network connection and things are ok unlocking.
Distinguished Expert 2018

Commented:
Makes no sense at all. RDP should suffer from the same.
Mike SchrockIT Operations Manager

Author

Commented:
I agree! I'm thinking about expanding the topics, any suggestions?
Distinguished Expert 2018

Commented:
Not needed. I suggest that you review your findings. Cannot believe it's windows' internal. I am certain that it's not.

Install windows clean and test, the problem will not occur. Then add software one by one and test.
Mike SchrockIT Operations Manager

Author

Commented:
I'll start with wiping the machine I borked before.
Top Expert 2016

Commented:
capture a boot and logon -- probably gpo related
Mike SchrockIT Operations Manager

Author

Commented:
Can't discount that fully, however even with the network disconnected, shouldn't GPOs still run locally?
Top Expert 2016

Commented:
GPOs don't run locally until they are pulled from the server. Without the network only the local GPO policy will run
Distinguished Expert 2018

Commented:
GPOs run offline. Everything is saved locally and will run until revoked. Also, they will run when logging on from remote - but he has no problem when logging on from remote.

This is nothing you would normally expect to happen under any circumstances. It has to be an interference with 3rd party software.
Mike SchrockIT Operations Manager

Author

Commented:
Should know on Monday when finishing up a fresh install.
Mike SchrockIT Operations Manager

Author

Commented:
Ok here is the latest and greatest -
Wiped the machine and re-added to domain, unlocking as should, our AV and RMM get installed automagically (GPO) so we can at least rule them out.
An admin said removing it from the domain and re-adding it seemed to be working for him, tried on test machine, working.
     -tried on my machine, working (did have a bit of a domain trust issue at the start however that is on me)

So - going around to 150 machines on 6 different sites would be a giant pain, anyone have any ideas on how to combat re-adding to domain without actually doing it?
Distinguished Expert 2018

Commented:
I'd manually unjoin and rejoin a few and wait 2 days to see if it really helped before going on.
Mike SchrockIT Operations Manager

Author

Commented:
Will do, I think we have a good test group of 4 at the moment, some divas will want it as well once the word starts spreading.
Mike SchrockIT Operations Manager

Author

Commented:
Still going strong after the domain re-add.
Now just to find a way to do this without actually doing it...
Also resetting the computer account in AD doesn't fix it, just breaks the trust.
Distinguished Expert 2018
Commented:
https://www.windows-commandline.com/join-computer-to-domain-from-command/
This could help, but you need to figure out how to automate this - I never did this. Maybe you can deploy it as a scheduled task that works in this manner:
->are you joined? Yes! Then disjoin and reboot.
->are you domain joined? No? then perform the join and delete the task (schtasks /delete /tn jointaskname)
Mike SchrockIT Operations Manager

Author

Commented:
Yeah I will need to, I can use our RMM to do this as well and that should really help out in this instance.
I'm going to mark this as solved. I would really like to thank McKnife and David Johnson for sticking with it, was a doozy for sure.
Mike SchrockIT Operations Manager

Author

Commented:
Thank you all for this one!
Distinguished Expert 2018

Commented:
Take care with that task - don't insert domain admin credentials before you make sure that users cannot read that task.
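
The two-step disjoin/rejoin task suggested earlier in the thread, together with the warning above about credentials in the task, as an added example that is not part of the thread and not code from any participant. The task name, domain name and credential file path are hypothetical placeholders, and the stored account is assumed to be a delegated join account rather than a domain admin.

```powershell
# Added example (not from the thread). Save as a .ps1; Windows PowerShell 5.1.
# Intended to run at startup from a scheduled task as SYSTEM.
# Hypothetical placeholders: task name, domain name, credential file path.
$TaskName   = 'RejoinDomain'
$DomainName = 'corp.example.com'
$CredFile   = 'C:\ProgramData\Rejoin\join-cred.xml'

# Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users.
$BroadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'

function Test-ReadableByUsers {
    param([Parameter(Mandatory)][string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $read    = [System.Security.AccessControl.FileSystemRights]::ReadData
    $rules   = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -eq 'Allow' -and
            $BroadSids -contains $rule.IdentityReference.Value -and
            ($rule.FileSystemRights -band $read) -eq $read) { return $true }
    }
    return $false
}

# Stop before loading the credential if ordinary users can read either file.
foreach ($file in $CredFile, $PSCommandPath) {
    if (Test-ReadableByUsers -Path $file) {
        throw "Refusing to run: $file is readable by non-admin users."
    }
}

# Export-Clixml protects the password with DPAPI, so the file must have been
# created on this machine by the account the task runs as (SYSTEM here).
$cred = Import-Clixml -LiteralPath $CredFile

if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    # Joined: disjoin and reboot. The task runs again at the next startup.
    Remove-Computer -UnjoinDomainCredential $cred -WorkgroupName 'WORKGROUP' -Force -Restart
}
else {
    # Not joined: join first, and clean up only if the join succeeded.
    Add-Computer -DomainName $DomainName -Credential $cred -Force -ErrorAction Stop
    Remove-Item -LiteralPath $CredFile -Force
    Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
    Restart-Computer -Force
}
```

A local administrator can run code as SYSTEM and decrypt the file, so the ACL check limits exposure to standard users only; the stored account should hold no rights beyond joining machines.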
