I was so frustrated with the issue, I posted it on r/sysadmin looking for guidance. Thankfully, this experience has taught me a lot about troubleshooting logon/logoff issues. You may be dealing with a similar issue, so let's get started!
If you are troubleshooting a client Windows OS (not Server Edition), the first step is to enable "VerboseStatus" so you can see which part of the logon process is getting stuck. Instead of seeing "Welcome" for several minutes, it might hang on "Applying Desktop Redirection" or "Applying User Settings", which would give you some indication of the root cause.
To enable verbose status messages by editing the registry, follow these steps:
- Click Start, and then click Run.
- In the Open box, type regedit, and then click OK.
- Locate and then click the following registry key:
- On the Edit menu, point to New, and then click DWORD Value.
- Type verbosestatus, and then press ENTER.
- Double-click the new key that you created, type 1 in the Value data box, and then click OK.
- Quit Registry Editor.
Note: Windows does not display status messages if the following key is present and the value is set to 1:
I would argue that the vast majority of logon issues are caused by poorly designed or poorly optimized Group Policy Objects. The quickest way to troubleshoot a logon/logoff issue is to create a "Test" organizational unit with Blocked Inheritance and move your workstation into that Organizational Unit. User policies will still be applied, so you may want to make a test user and move them into the "Test" organizational unit as well.
From there, open an elevated Command Prompt and run the following command: gpresult /h C:\results.html
Open the results file (C:\results.html) in your web browser and confirm that no policies are being applied. If the issue doesn't exist under your Test User and Test Workstation, then you have identified one of your Group Policy Objects as the culprit. I would begin slowly adding your Group Policy Objects until you have identified a policy that is breaking your logon.
The most common issues are with logon/logoff scripts, Desktop Redirection, drive maps, and roaming profiles. All of these can be optimized with additional Group Policy Object settings, so I would Google some recommendations online once you have identified the root cause.
So, you are still experiencing the logon issue after eliminating Group Policy from the equation? I would begin by eliminating every variable possible: use a fresh Windows installation (from the .iso), join it to the domain in the Blocked Inheritance "Test" OU, log on as the Test user, and see if the issues persist.
If the issues do not persist, you likely have an issue in the images you are deploying to your workstations/laptops. Wireshark and Sysinternals Process Monitor will come in handy in this case.
- [TechNet] So, you have a slow logon ....
- How can I use Wireshark to analyze slow Active Directory logins?
You can always use port mirroring from a managed switch or set up a VM on your workstation and run Wireshark on the host.
Even on a fresh Windows 7 install, joined to the domain with no policies applied... my logon/logoff issues still existed. It was starting to drive me crazy! Why? Because our domain controllers had public IP addresses with all ports open (but firewalled to not accept authentication from off campus) so the domain-joined laptop would spend the first five minutes constantly sending TCP Retransmissions to the domain controllers until it gave up and relied on cached credentials.
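An added example, not part of the original post: one way to confirm the symptom described above from a capture is to list the TCP connection attempts whose SYN was retransmitted and never answered, grouped by destination. It assumes the capture has been exported to comma-separated rows of time, source IP, destination IP, source port, destination port, SYN flag and ACK flag; the addresses and rows below are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed capture rows (not from the post):
# time_s, src_ip, dst_ip, src_port, dst_port, syn_flag, ack_flag
SAMPLE = """\
0.000,10.0.0.50,192.0.2.10,49200,389,1,0
3.001,10.0.0.50,192.0.2.10,49200,389,1,0
9.002,10.0.0.50,192.0.2.10,49200,389,1,0
0.100,10.0.0.50,10.0.0.5,49201,389,1,0
1.100,10.0.0.50,10.0.0.5,49201,389,1,0
1.101,10.0.0.5,10.0.0.50,389,49201,1,1
21.500,10.0.0.50,192.0.2.10,49202,445,1,0
24.500,10.0.0.50,192.0.2.10,49202,445,1,0
"""


def _is_set(flag):
    # Accept both numeric and textual boolean exports.
    return flag.strip().lower() in ("1", "true")


def unanswered_syns(rows_text, min_retries=1):
    """Return {(dst_ip, dst_port): {"retransmits": n, "stalled_s": t}} for
    connection attempts whose SYN was repeated and never got a SYN/ACK."""
    attempts = defaultdict(list)  # 4-tuple -> timestamps of bare SYNs
    answered = set()              # 4-tuples that received a SYN/ACK
    for row in csv.reader(io.StringIO(rows_text)):
        if len(row) != 7 or not _is_set(row[5]):
            continue
        t, src, dst, sport, dport = row[:5]
        if _is_set(row[6]):
            answered.add((dst, src, dport, sport))  # reply reverses the tuple
        else:
            attempts[(src, dst, sport, dport)].append(float(t))

    report = defaultdict(lambda: {"retransmits": 0, "stalled_s": 0.0})
    for key, times in attempts.items():
        retries = len(times) - 1
        if key in answered or retries < min_retries:
            continue
        entry = report[(key[1], int(key[3]))]
        entry["retransmits"] += retries
        entry["stalled_s"] += max(times) - min(times)
    return dict(report)


if __name__ == "__main__":
    for (ip, port), stats in sorted(unanswered_syns(SAMPLE).items()):
        print(f"{ip}:{port} {stats['retransmits']} SYN retransmits, "
              f"{stats['stalled_s']:.1f}s with no answer")
```

A destination that appears here on directory ports while other servers answer normally points at an unreachable or filtered address for that server rather than at Group Policy or the image.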