Re: Erratic slow login Win2k3 from XP SP2 - Profile GPO issue log

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

On Jul 31, 8:59 am, "Roger Abell [MVP]" <mvpNoS...@xxxxxxx> wrote:
Hi Conor,

Thanks for clarifying infra support is valid
WINS issue should not really be an relevant if Kerberos is being used.

Of your numbered list, I agree, what you are seeing seems to rule
out 4 and 6. I guess I do not understand why you listed 5 as you
elsewhere indicated that problem seems to be with computer policy
not user - well, earlier you said user login is of irregular delay so
I guess I do see your mention of login/profile processing.
It should be fairly easy to rule out 2 right? with a temp suspend of
the AV product.
I see your 3 more as a significant observation than as a source.
So, Sysvol access (1). It really would not be access control issues
so much as access problems.

Are the machines and users authenticating to the DCs via Kerberos
or NTLM ?

I am not sure what the attempts to find .Net Framework policy
that is not there as was indicated in trace given in other post, and
I am not replying to that new subthread in hopes another pick up
on it with some ideas on the debug gpupdate processing question.

Roger

"Conor" <Co...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message

news:D60D29D8-B895-4326-A92D-0E3E1F0A9179@xxxxxxxxxxxxxxxx



Hi Roger,

The clients are XP SP2 and exclusively use AD DNS server for queries and
are
member of the single domain, display this as their primary DNS suffix.

Netdiag and Dcdiag are running without error, except for WINS error, which
should not be an issue (except for login script). So DNS and AD
replication
appear fine, since no event log errors.

Potential issues for this scenario I believe are:
1) Access control problems on Sysvol - cause timeouts?
2) Anti-virus causing problems with the Sysvol.
3) If the gpupdate /force timeout and the first logon of the day issue are
related, both process the
Security policy even if it has not been changed.
4) permission problem GPO in AD - but this should generate errors in
UserEnv.log
5) Timeout in processing login script, profile, CSE
6) Corrupted/bad GPT cuasing slow processing - but no errors in
UserEnvlog?

I discovered how the run RegMon during bootup. SysInternal Psexec can run
Regmon in the local system account so that it captures a trace of your
logon:

psexec s i d c:\sysint\regmon.exe

The delay being experienced has occurred without any obvious changes.
There
is a WINS error, so I will check NetBIOS names within scripts. I will
certainly check script execution for timeout issues, but no changes have
been
introduced and login times have changed substantially.

The delay is in applying the computer policy, where there is one script.
It
takes nearly 7 minutes for the computer policy to apply on this test PC
and 3
seconds to apply the user policy.

09:17:51:093 ApplyGroupPolicy
09:17:51:109 ProcessGPOs: Starting computer Group Policy
09:18:25:437 ProcessGPOs: User name is:
CN=TESTPC,OU=IT_GROUP,OU=DESKTOPS,OU=RESOURCES
09:24:48:877 ProcessGPOs: Leaving with 1

09:24:53:226 ApplyGroupPolicy
09:24:53:336 ProcessGPOs: User name is: CN=TESTUSER,OU= IT_GROUP
09:24:53:711 SearchDSObject: Searching OU= IT_GROUP
09:24:56:606 ProcessGPOs: Leaving with 1- Hide quoted text -

- Show quoted text -

hello there.

as you have stated the issue appears to be a computer related policy.

can you try moving the computer account to a OU that has no policies
applied.restart the computer then try again. if the problem changes
then we can assume that a policy linked to the OU housing your
computers is causing the problem. if thats the case creat a new OU
move a computer to it. now link your policies one at a time to it.
remember to restart the machine each time and try again. that way you
should be able to isolate the problem. A login script is a very likley
cause, as any pauses caused by missing drives (for example) will stop
processing until it times out.

also if you suspect a corrupt policy use "Replmon" to check the status
of your policies. corrupt policies should be acted upon asap, as they
can cause lots of problems.

hope that helps





.

Relevant Pages

  • RE: NT 4 Server User Policies
    ... All of your policies should be located in that one file. ... > have a policy for Marketing and policy for Accounting, ... > Subject: RE: NT 4 Server User Policies ... > As for the login script, do you mean a .cmd/.bat file that calls the ...
    (Security-Basics)
  • RE: NT 4 Server User Policies
    ... All of your policies should be located in that one file. ... have a policy for Marketing and policy for Accounting, ... As for the login script, do you mean a .cmd/.bat file that calls the ... NT 4 Server User Policies ...
    (Security-Basics)
  • Re: Powerful login script??
    ... Another way to solve this is to put your company's policy in the "Message ... > 3000 client computers will need to have SQL Server ODBC/OLEDB drivers installed IF you want the login script to run on each computer ... > The login script will be triggered by a GPO and will always run. ... The script will have logic to determine whether to popup your ...
    (microsoft.public.windows.server.scripting)
  • Re: Logon Script not running on stations
    ... What was the purpose of changing the scope of the login script? ... that once you move it to a container with only computers then user settings ... >I moved a .bat file logon script from the default doamin policy to a OU ...
    (microsoft.public.win2000.networking)
  • Powerful login script??
    ... I've got a question on how powerful a login script can be... ... We've got windows 2000 server with domain ... Show a popup to the client machine during the login and boot up process, ... tick box users can tick to accept the policy. ...
    (microsoft.public.windows.server.scripting)