Muahammad

AD users login process is taking too long

Dear All,

AD users login process is taking too long. If I log in with a local user, it logs in normally.

Kindly suggest how I can find the issue and resolve it.

Please suggest troubleshooting steps.

Lasse Bodilsen

We might need some more information to solve this.

1. Start by looking in the event viewer of the AD and client, to see if any errors get logged.  

Muahammad

ASKER

I really appreciate your suggestions, I will check and update you.
Please suggest more troubleshooting steps.

I would go with this to start with.

2. Check that the Client is on the same network as the AD
3. Check that you can ping the Domain controller from the Client
4. Check logon script for any process that takes too long


Hi,
Thanks,
Can you please explain more about the logon script?
Does it affect one user or multiple users? How long does it take to load a profile? 

If your AD is configured with a Group Policy where a logon script gets executed, you might look to see if any command takes too long.

But let's check the other things first.
What do you see on the screen during the logon process?
Hi Hello There,

It is taking 5 to 10 minutes and it is showing loading profile.
This might happen for various reasons.

Is it a roaming profile? It might take some time to load a profile.
Also, it might be a DNS related issue. Check which DNS server is set as a primary DNS server.
What GPOs and logon scripts are applied? It might affect it too.
Any folder redirection in play?
Hi There,

Is it a roaming profile? It might take some time to load a profile.

No roaming profile.

What GPOs and logon scripts are applied? It might affect it too.
I didn't get through, can you please give me a small summary?
Any folder redirection in play?
I will check this.
GPO with mapping printers, mapping drives, a ton of dead or misconfigured GPOs trying to process might cause slow logons.

However, I would focus on DNS and folder redirection in the first place.  

Way back some 15 years ago, I had a similar problem.
I do not recall how I solved it back then, but do remember that I found the clue to the answer in the event viewer.

Does login work faster if you disconnect the cable/wifi?

Troubleshooting slow logon times should be started with activating highly detailed status messages as seen here: https://troubleshooter.xyz/wiki/enable-verbose-or-highly-detailed-status-messages-in-windows-10/
Can be deployed using GPO, of course.
With these messages, you'll be able to see where it spends most of the logon time and then analyse that phase.
Hi All,

It is happening only for remote users who are working from home. When the network cable is removed there is no issue.
One week ago it was working fine. There are no changes made on the server side.

How do these remote users access the system?
1. Do they log on to their PC, and then connect to a VPN service?
2. Do they connect to VPN first, and then log on?

If the latter, I would check that their password is not expired in the AD.

Hi Lasse,
Yes, they log on to their PC, and then connect to a VPN service.


Feedback for me too, please.
Have they been working from home for about 30 days?

Might seem like a strange question, but maybe the machine account password has expired, and needs to be renewed.

No, the password is not expired. I checked already.
Hi McKnife,

I enabled verbose login, it is not showing anything, only showing welcome.
There is no logon script enabled on the GPO either.
"it is not showing anything" - can't be. That means, the policy has not applied, yet. You would always see something like "applying registry policy" for example.
Hi All,

Verbose status is already enabled in the registry. Please find the screenshot below.
While logging in, it's showing only the welcome message.
When the PC is connected to the domain network it's working fine, and if I disable the network, then log out and log in, it's working fine.
When the PC is connected to another network, login takes long (there is no communication with the domain controller).
I tried the steps below:
   1. Uninstalled antivirus
   2. Disjoined and rejoined the domain
   3. Removed from all group policy
   4. There was no update installed in the last month

You need to reboot after setting this - twice, eventually, for it to become active. Just tested it again and it worked on the second reboot after setting that reg key and ever after.
Hi Knife,

I have restarted two or three times, but no luck. Please suggest what to do as the next steps.
Sorry, to ask, but "how" do you restart? A restart is not shutdown and turn on again.
You will be able to make that policy work on any clean system.
Hi,

I clicked on the restart button and restarted the PC (Windows start button > Power > Restart).
Ok, no idea why this won't work for you. Any new client will show messages as you would see if you tried on another clean machine.

So what's left is to check event logs and of course you could move both the user and computer to an OU that blocks policies (inheritance disabled) and restart the machine to see if policies are a factor here.


Hi All ,

I couldn't solve this issue yet. Please find the logon events below.


=====================================================================================================
07/05/2020 14:04:28 : DNS Client Events : 8020

The system failed to register host (A or AAAA) resource records (RRs) for network adapter
with settings:

           Adapter Name : {D2754B9D-86F5-42C1-BEDC-D3B8C4621821}
           Host Name : PC1
           Primary Domain Suffix : test.com
           DNS server list :
                192.168.22.1
           Sent update to server : 97.74.8.59:53

           IP Address(es) :
             192.168.22.106

The reason the system could not register these RRs during the update request was because of a system problem. You can manually retry DNS registration of the network adapter and its settings by typing 'ipconfig /registerdns' at the command prompt. If problems still persist, contact your DNS server or network systems administrator. See event details for specific error code information.
=====================================================================================================
07/05/2020 14:04:37 : WinLogon : User Log-on Notification for Customer Experience Improvement Program
======================================================================================================
07/05/2020 14:04:37 : Group Policy : Event ID : 1129
The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.
========================================================================================
07/05/2020 14:04:38 :Service Control Manager  Event ID :7034
The Windows Biometric Service service terminated unexpectedly. It has done this 390 time(s).
==============================================================================================
07/05/2020 14:04:41 DistributedCOM :Event ID : 10016
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Can you run this successfully?
nslookup -q=SRV _ldap._tcp.dc._msdcs.youraddomainname
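
The checks requested in the replies above (which DNS server the client uses, whether the domain controller SRV record resolves, and the Group Policy 1129 and DNS Client 8020 events quoted in the log), collected in one script. This is an added example, not part of any participant's post; the default domain `test.com` is the suffix shown in the quoted event text, and the parameter names `$Domain` and `$Hours` are assumptions.

```powershell
# Added example (not from the thread): run on an affected client.
# Assumptions: $Domain is your AD DNS domain ('test.com' is the suffix shown in the
# quoted event text); $Hours is a hypothetical look-back window.
param(
    [string]$Domain = 'test.com',
    [int]$Hours = 24
)

# 1. DNS servers per adapter (the "which DNS server is primary" question).
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

# 2. Domain controller locator SRV record (what the nslookup check is after).
$srv = "_ldap._tcp.dc._msdcs.$Domain"
try {
    Resolve-DnsName -Name $srv -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object NameTarget, Port, Priority
}
catch {
    Write-Warning "No SRV answer for ${srv}: $($_.Exception.Message)"
}

# 3. System-log events quoted in the thread: 1129 (Group Policy could not reach
#    a domain controller) and 8020 (DNS client failed to register its records).
$filter = @{
    LogName   = 'System'
    Id        = 1129, 8020
    StartTime = (Get-Date).AddHours(-$Hours)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, ProviderName,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
```

A failed SRV lookup together with recent 1129 events corresponds to the off-network case described in this thread, where the client cannot reach a domain controller.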

Hi Hello,
Do you want me to run this command from a domain-connected PC (communicating with the DC)?
There is no communication between the affected PC and the domain controller.
If I connect the VPN it is working fine (logon is working normally).

Aha, you should have mentioned that in the first place: it happens only when disconnected from the domain.
So does that happen on more than one machine?
Do you use fixed IP or DHCP?
Are you saying that slow logon happens only when you are not connected to the domain and you use cached credentials?
Hi Hello There,

Yes.
Example: if I connect my PC from home, login is very slow (there is no connection to the domain controller).
If I connect the PC from the office, it logs in normally.

If you are off the domain, you might experience slow logons. The computer is probably trying to search and check against your domain which is currently unreachable, Group Policy processing might fail because of no connectivity to a DC, the same applies for logon scripts, mapped drives... and that's why you probably experience this.

You might help it a bit by configuring the "Always Wait for the Network at Computer Startup and Logon" policy:
Computer Configuration -> Administrative Templates -> System -> Logon  -> Always Wait for the Network at Computer Startup and Logon

Also, you might want to consider configuring these policies:

Maximum wait time for Group Policy scripts

Run logon scripts synchronously
Group Policy slow link detection
Configure slow-link mode.

An interesting discussion with a similar problem.
https://www.experts-exchange.com/questions/27953277/Slow-Windows-7-logon-using-cached-credentials.html
Hi Hello There,

Thank you for sharing that discussion. The issue looks similar.
Is it possible to delete the existing group policy from the PC?
Is there any tool available to trace the Windows logon process with duration? I tried the AnalyzeLogonDuration script, but it is only usable for RDP sessions.