We help IT Professionals succeed at work.

AD users login process is taking to long

99 Views
Last Modified: 2020-10-08
Dear All,

AD users login process  is taking too long. If i login with local user its loging normally.

Kindly please suggest me how can i find out issue and resolve .

please suggest me troubleshoot steps
Comment
Watch Question

Lasse BodilsenSystem administrator
CERTIFIED EXPERT

Commented:
We might need some more information to solve this.

1. Start by looking in the event viewer of the AD and client, to see if any errors get logged.  

Author

Commented:
I really appreciate you suggestions , I will check and update you
please suggest me more trouble shoot steps.
Lasse BodilsenSystem administrator
CERTIFIED EXPERT

Commented:
I would go with this to start with.

2. Check that the Client is on the same network as the AD
3. Check that you can ping the Domain controller from the Client
4. Check logon script for any process that take to long


Author

Commented:
Hi,
Thanks,
can you please explain more about logon script?
Hello ThereSystem Administrator
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Does it affect one user or multiple users? How long does it take to load a profile? 

Lasse BodilsenSystem administrator
CERTIFIED EXPERT

Commented:
if your AD is configured with a Group policy where a logon script get executed.  You might look to see if any command takes to long.  

But lets check the other things first.
Hello ThereSystem Administrator
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
What do you see on the screen during the logon process?

Author

Commented:
Hi Hello There,

It is taking 5 to 10 minute and it is showing loading profile. 
Hello ThereSystem Administrator
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
This might happen for various reasons.

Is it a roaming profile? It might take some time to load a profile.
Also, it might be a DNS related issue. Check which DNS server is set as a primary DNS server.
What GPOs and logon scripts are applied? It might affect it too.
Any folder redirection in a play?

Author

Commented:
Hi There,

Is it a roaming profile? It might take some time to load a profile.

No raoming profile.

What GPOs and logon scripts are applied? It might affect it too.
I didnt get through, can you please give me small summary
Any folder redirection in a play?
I will check this
Hello ThereSystem Administrator
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
GPO with mapping printers, mapping drives, a ton of dead or misconfigured GPOs trying to process might cause slow logons.

However, I would focus on DNS and folder redirection in the first place.  

Lasse BodilsenSystem administrator
CERTIFIED EXPERT

Commented:
way back some 15 years ago, i had a similar problem.
I do not recall how I solved it back then, but do remember that I found the clue to the answer in the event viewer.

Does login work faster if you disconnect the cable/wifi?

CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Trouble shooting slow logon times should be started with activating highly detailed status messages as seen here: https://troubleshooter.xyz/wiki/enable-verbose-or-highly-detailed-status-messages-in-windows-10/ 
Can be deployed using GPO, of course.
With these messages, you'll be able to see where it spends most of the logon time and then analyse that phase.

Author

Commented:
Hi All,

It is happending  only remote users who is working from home. When the network cable removed there is no issue.
Before one week it is working fine..There is nochnages made on Server side.
Lasse BodilsenSystem administrator
CERTIFIED EXPERT

Commented:
How does these remote users access the system.  
1. Do they logon to their PC, and then connect to a VPN service
2. Do they connect to VPN first, and then logon?

If the later, I would check that their password is not expired in the AD.

Author

Commented:
 Hi Lase ,
Yes they logon to their PC, and then connect to a VPN service


CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Feedback for me too, please.
Lasse BodilsenSystem administrator
CERTIFIED EXPERT

Commented:
Have they been working from home for about 30days?  

might seems like a strange question, but maybe the Machine account password have expired, and needs to renewed.

Author

Commented:
No Password is not expired . I checked already
Lasse BodilsenSystem administrator
CERTIFIED EXPERT

Commented:

Author

Commented:
Hi McKnife ,

I enable verbose login , it is not showing anything only showing welcome
There is no logon script enabled on gpo also
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
"it is not showing anything" - can't be. That means, the policy has not applied, yet. You would always see something like "applying registry policy" for example.

Author

Commented:
Hi All,

Verbose status is already enabled on registory. please find the below screenshot.
 while login
its shwoing  only welcome message.
When the pc is connected domain network its working fine.and if i disable network then logout and login  its working fine.
 when pc is connect in other network then login will take long.(there is no communication on domain controller)
I tried below steps:
   1. Uninstall Antivirus
   2.  Disjoin and rejoin domain
   3. Removed from the all group policy
   4.There is no update installed on last month

CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
You need to reboot after setting this - twice, eventually, for it to become active. Just tested it again and it worked on the second reboot after setting that reg key and ever after.

Author

Commented:
Hi Knife,

I have restarted two three time, but no luck, please suggest me what will do the next steps.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Sorry, to ask, but "how" do you restart? A restart is not shutdown and turn on again.
You will be able to make that policy work on any clean system.

Author

Commented:
Hi,

I have click on restart button and restarted PC(Windows start button > Power > Restart)
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Ok, no idea why this won't work for you. Any new client will show messages as you would see if you tried on another clean machine.

So what's left is to check event logs and of course you could move both the user and computer to an OU that blocks policies (inheritance disabled) and restart the machine to see if policies are a factor here.


Author

Commented:
Hi All ,

I couldnt solve theis issue yet . Please find the below events logon.




=====================================================================================================
07/05/2020 14:04:28 : DNS Client Events : 8020

The system failed to register host (A or AAAA) resource records (RRs) for network adapter
with settings:

           Adapter Name : {D2754B9D-86F5-42C1-BEDC-D3B8C4621821}
           Host Name : PC1
           Primary Domain Suffix : test.com
           DNS server list :
                192.168.22.1
           Sent update to server : 97.74.8.59:53

           IP Address(es) :
             192.168.22.106

The reason the system could not register these RRs during the update request was because of a system problem. You can manually retry DNS registration of the network adapter and its settings by typing 'ipconfig /registerdns' at the command prompt. If problems still persist, contact your DNS server or network systems administrator. See event details for specific error code information.
=====================================================================================================
07/05/2020 14:04:37 : WinLogon : User Log-on Notification for Customer Experience Improvement Program
======================================================================================================
07/05/2020 14:04:37 : Group Policy : Event ID : 1129
The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.
========================================================================================
07/05/2020 14:04:38 :Service Control Manager  Event ID :7034
The Windows Biometric Service service terminated unexpectedly. It has done this 390 time(s).
==============================================================================================
07/05/2020 14:04:41 DistributedCOM :Event ID : 10016
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Hello ThereSystem Administrator
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Can you run this successfully?
nslookup -q=SRV _ldap._tcp.dc.youraddomainname

Author

Commented:
Hi Hello,
do you want run this command from domain connected PC.( communicate to dc).

Author

Commented:
there is no communication between affected PC and domain controller
if I connected vpn it is working fine(logon is working normally)
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Aha, you should have mentioned that in the first place: it happens only when disconnected from the domain.
So does that happen on more than one machine?
Do you use fixed IP or DHCP?
Hello ThereSystem Administrator
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Are you saying that slow logon happens only when you are not connected to the domain and you use cashed credentials?

Author

Commented:
Hi Hello There,

Yes.
 Example :if  i connect my pc  from  home, it very slow login.( There is no connection to domain controller)
                 if I connected PC from office  it is login normally. 
Hello ThereSystem Administrator
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
If you are off the domain, you might experience slow logons. The computer is probably trying to search and check against your domain which is currently unreachable, Group Policy processing might fail because of no connectivity to a DC, the same applies for logon scripts, mapped drives... and that's why you probably experience this.

You might help it a bit configuring "Always Wait for the Network at Computer Startup and Logon " policy:
Computer Configuration -> Administrative Templates -> System -> Logon  -> Always Wait for the Network at Computer Startup and Logon

Also, you might want to consider configuring these policies:

Maximum wait time for Group Policy scripts

Run logon scripts synchronously
Group Policy slow link detection
Configure slow-link mode.

An interesting discussion with a similar problem.
https://www.experts-exchange.com/questions/27953277/Slow-Windows-7-logon-using-cached-credentials.html

Author

Commented:
Hi Hello There,

Thank you sharing those discussion. Issue is look like similar.
is it possible to delete existing group policy from the pc?
 is it any tool availabele for trace windows log process with duration. I tried with AnalyzeLogonDuration scripy. but it is only ussable for rdp session .
System Administrator
CERTIFIED EXPERT
Distinguished Expert 2018
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION

Gain unlimited access to on-demand training courses with an Experts Exchange subscription.

Get Access
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Empower Your Career
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.