Mike Schrock asked:

Unlocking all computers takes 25 or so seconds, what gives?

Ok Experts, here is a doozy for us...
Unlocking domain accounts on our computers takes about 20 seconds, doesn't matter the hardware, old computers, new computers, doesn't matter. Started Monday, no changes to Group Policy were made.
Additional info: Remoting (RDP) into the computer is instant, like it should be; being physically at it seems to cause the issue. Any computer is doing this, doesn't matter the specs, how many monitors, and/or what video card make/model. All the computers are Dell and the hardware firmware and driver versions don't matter either.
Background: We needed to turn off the AppReadiness service due to several users getting black screens after login, you could run commands manually however explorer wouldn't load.
We were very behind on updates on all of our compute devices and seem to have caught up, however this is annoying us now.

Please let me know if any additional information is needed, the whole RDP is OK but physical is not is really puzzling us. Logon does take a hair longer as well, but folks aren't complaining to us about it.

Thank you!!
Mal Osborne

Checked event logs? I would expect some clues there.
ASKER

Nothing matching in the event logs on the computer, nothing abnormal.
Test if it happens after a system restore to a date it was ok - then check what happens - updates etc...
The restore yields the same results, it claims no updates were done. Local accounts login/unlock with no delay, only domain accounts and only when physically at the machine.
This one is a doozy for sure.
Check if cached logons were disabled
@Shaun Vermaak - Not 100% sure on where to check, did some digging though:
Network access: Do not allow storage of passwords and credentials for network authentication - is not defined.
Interactive logon: Number of previous logons to cache (in case domain controller is not available) - is not defined.

If these aren't it, let me know.
We know it is domain related, but one piece that doesn't make sense is why, when remoting in via RDP, it is instant...
Not defined means 10 logons are cached by default, so that's not the problem. If RDP is fast, local accounts at the console are fast, domain accounts at the console are slow - that could mean you have GPOs that are applied to users only if they use the console way to logon… is that even possible? Shaun, what do you say?

Anyway, you should be able to find it out this way: logon as administrator and start procmon. Now switch the account (disconnect the administrator session while having procmon record anything) and see what that Log brings up.
I haven't done desktops in a long while, so most of what is going on in procmon looks normal, however I could be mistaken. I tried uploading however there is a cap to what I can :/
I'll try to limit it down and upload, unless there is another way to get another set of eyes on it.
Filter the log and drop things that don't matter. Zip it. If that doesn't suffice, use Mozilla's upload service: https://send.firefox.com
I was unable to cut it down enough, here is the send FF link: https://send.firefox.com/download/61bdf6a97169ecbc/#eLWyBH2JKFuYLAVfkabaLg
Thank you!
Unlocking domain accounts on our computers takes about 20 second

Windows lock screen? Locked Account (due to password failures)
@David Johnson - There are no password failures - it just sits stating welcome with the spinning wheel for about 20 seconds, then unlocks. If remoting into the computer, it is instant (onsite or offsite).
Will not be able to look at the log before Sunday evening.
No worries at all, been all week and weekends are ghost town, I really do appreciate the look through.
I would suggest using the Windows performance analyzer to find out where the hangup is.
Mike, could you please re-upload it? The link must have expired and is no longer working.
Zip that please and re-upload. I will not download 1 GB.
Thank you David and McKnife
David, that link is already expired, since somebody else downloaded it :-) It expires after one day or one download, whatever happens first… So have another go, just for me (Send via private message, please)
pml files to me are pretty much useless; windows performance toolkit will tell me if it's waiting on cpu/disk and the time that it is waiting
@David Johnson, I'll try and get this going tomorrow with some results. I don't feel it is computer hardware related, more on process or windows, if we use a local account or RDP in it is normal load times.

Thank you!
Hi Mike.

Having quite a time with your logfile! It will be almost impossible to diagnose if you don't get rid of all these background processes!
Please stop all 3rd party services. All. No VNC, no LanControl, no Cylance… so open msconfig and disable anything non-Microsoft in the services section and restart. See if the problem even happens then, and if it does, create a new zipped logfile and upload it. If you manage to reduce it to the time the logon problem occurs, it will (zipped) surely be much smaller than 50 MB and uploadable here.
I'll see if I can get a clean computer to do this on or do it on mine tomorrow morning.
I was trying to run ProcMon under the 'Diagnostic startup' options in MSCONFIG.
I couldn't do anything (including get to procmon 'cause it's stored on the network) however the computer unlocked as it should.
I'll still try and get a clean procmon of it however doing that while working fine seems rather futile.
Attached are some snips of services that were running while in diag mode and normal boot. I'll start with biggies first to see which one is causing this odd issue, if anyone has suggestions on which to try first I'm up for it as this list is rather long.
diagstart.JPG
activeservices.jpg
It should be a matter of 5 or 6 restarts to find out which service is the culprit.
Use msconfig to disable the startup of the upper half of 3rd party ("non-microsoft") services - reboot. If the problem is still present, disable the upper half of the remaining half - restart and so on until you find it.
Will do, may need to find a computer to test this on as I can't have mine out for the count like this. Will circle back with findings.

Thank you!
Ok it is narrowed down to one of these fine services:

DHCP Client
DNS Client
Network Store Interface Service
Security Center
System Guard Runtime Monitor
WinHTTP Web Proxy

I'll need to disable these manually in registry, seems like a fine thing to do tomorrow.
Most likely going to do the four on the bottom first.
Apologies for the delay - The rest of the services didn't help, when the network is killed the computer unlocks as it should under domain accounts (I did manage to kill the computer I was using).
So I think that should eliminate group policy and something local on the machine(s).

gggrrrrrrrrr
And you did eliminate all 3rd party services from the equation?
Yes - I was down to base windows then turned those off
On a normally working station now, I can just kill (disable) the network connection and things are ok unlocking.
Makes no sense at all. RDP should suffer from the same.
I agree! I'm thinking about expanding the topics, any suggestions?
Not needed. I suggest that you review your findings. Cannot believe it's windows' internal. I am certain that it's not.

Install windows clean and test, the problem will not occur. Then add software one by one and test.
I'll start with wiping the machine I borked before.
Capture a boot and logon -- probably GPO related
Can't discount that fully, however even with the network disconnected, shouldn't GPOs still run locally?
GPOs don't run locally until they are pulled from the server. Without the network only the local GPO policy will run
GPOs run offline. Everything is saved locally and will run until revoked. Also, they will run when logging on from remote - but he has no problem when logging on from remote.

This is nothing you would normally expect to happen under any circumstances. It has to be an interference with 3rd party software.
Should know on Monday when finishing up a fresh install.
Ok here is the latest and greatest -
Wiped the machine and re-added to domain, unlocking as should, our AV and RMM get installed automagically (GPO) so we can at least rule them out.
An admin said removing it from the domain and re-adding it seemed to be working for him, tried on test machine, working.
     -tried on my machine, working (did have a bit of a domain trust issue at the start however that is on me)

So - going around to 150 machines on 6 different sites would be a giant pain, anyone have any ideas on how to combat re-adding to domain without actually doing it?
I'd manually unjoin and rejoin a few and wait 2 days to see if it really helped before going on.
Will do, I think we have a good test group of 4 at the moment, some divas will want it as well once the word starts spreading.
Still going strong after the domain re-add.
Now just to find a way to do this without actually doing it...
Also resetting the computer account in AD doesn't fix it, just breaks the trust.
ASKER CERTIFIED SOLUTION
McKnife

This solution is only available to members.
Yeah I will need to, I can use our RMM to do this as well and that should really help out in this instance.
I'm going to mark this as solved. I would really like to thank McKnife and David Johnson for sticking with it, was a doozy for sure.
Thank you all for this one!
Take care with that task - don't insert domain admin credentials before you make sure that users cannot read that task.
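
The check that closing warning asks for can be scripted before any credentials go into the task. This is an added example, not part of the thread and not the members-only solution: a PowerShell function that lists Allow ACEs granting read access to broad user groups on whatever file holds the task definition or script. The function name `Get-BroadReadAce` and the path in the usage comment are placeholders, and it assumes the task lives in a file on NTFS.

```powershell
# Added example: report ACEs that let ordinary users read a task/script file.
# Only Allow ACEs are listed; a Deny ACE or share-level permission may still block access.
function Get-BroadReadAce {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Path
    )
    begin {
        # Well-known SIDs whose membership includes ordinary users.
        $broadSids = @{
            'S-1-1-0'      = 'Everyone'
            'S-1-5-11'     = 'Authenticated Users'
            'S-1-5-4'      = 'INTERACTIVE'
            'S-1-5-32-545' = 'BUILTIN\Users'
        }
        # Domain-relative RID 513 = Domain Users.
        $domainUsers = '^S-1-5-21-\d+-\d+-\d+-513$'
        # Bits that imply the file content can be read.
        $readData    = [int][System.Security.AccessControl.FileSystemRights]::ReadData
        $genericRead = [int]::MinValue      # 0x80000000 GENERIC_READ
        $genericAll  = 0x10000000           # GENERIC_ALL
        $readMask    = $readData -bor $genericRead -bor $genericAll
    }
    process {
        foreach ($p in $Path) {
            $acl = Get-Acl -LiteralPath $p
            # Ask for SIDs directly so unresolvable or renamed accounts do not matter.
            $rules = $acl.GetAccessRules($true, $true,
                [System.Security.Principal.SecurityIdentifier])
            foreach ($ace in $rules) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                $sid = $ace.IdentityReference.Value
                $isBroad = $broadSids.ContainsKey($sid) -or ($sid -match $domainUsers)
                if (-not $isBroad) { continue }
                if ([int]$ace.FileSystemRights -band $readMask) {
                    [pscustomobject]@{
                        Path      = $p
                        Sid       = $sid
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
    }
}
# Usage (placeholder path): Get-BroadReadAce -Path 'C:\Path\To\task-or-script-file'
```

No output means no broad read ACE was found on that file; any row returned is a group of users who can open it and read whatever is stored inside.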