garethedmondson (29th April 2011)
Domain name is NT Authority. No DNS domain name available. < doesnt look good
Hmmm - I've asked the LEA and they assure me it is fine. I'll go back to them next week.
Although our network has now been changed. The LEA want to use central domain controllers which are stored several miles away in County Hall. We authenticate over the broadband link. We then had our own domain controller put in. It has been taken out now as we look to lower our logon times (it is called yggwyr-dc in the log file).
I'll run the tests again with the machines now pointing at the LEA dns servers.
Last edited by garethedmondson; 22nd April 2011 at 09:01 PM.
We have some things like LAN school where you can set the channel number using a GPO, so we have one GPO for each channel we use - 28 in total just for that, obviously each OU only has one of these applied. We have a seperate GPO for each MSI we deploy, and settings like Wireless and offline files have their own specific policies. All the rest of the settings are defined by a further 6 GPOs - machine policies for staff, students and net admins, and user policies for the same groups.
Unfortunitely out main staff and students group policiy has some errors in it now and I can't run resultant set of policy on it in group policy manager, or get a report of all the settings which is a pain, it still seems to apply to the workstations in good time thou - our login time on a cabled workstation is less than 1 minute which is think is acceptable. Wireless can be a lot longer, but this is down to the wireless speed and not the policies.
Here is the latest file taken from a machine today that is not my test machine.
Here is what stands out to me - even though I do not understand everything..
Feel free to disect :-)
- 22 second gap between rows 614 and 621
- Row 1877 - 59 seconds to reach logon box
- Between 1878 - 1918 - no DNS
- When the user logs on it takes 21 seconds between 3016 and 3020 - to do what?
- No idea what is going on between 3385 - 3400
I've entertained this GPO login times for many years and to be honest It never came down to how many GPOs you had... As long as you know what the GPOs do and what scripts they are running and double check that the scripts are valid then it shouldn't be an issue.
More often it was down to DNS settings and Nic drivers. In my experiments I found that Realteks and Intel cards had a much better login performance than Marvells and broadcoms.
Other factors I found with login times were folder redirection and profiles and how you managed the redirection of profile app data.
Also this is something that made a difference if it was down to profiles. In our case we had roaming profiles, and if you google roaming profiles you always get told its a bad thing and if you use them always delete them on log off... well In our case roaming profiles was really the only logical way in our organistion...But deleting the profiles on logoff made things a lot slower overall. I found that keeping cached copies and removing them every few months or so vastly sped up login times.
The second OU is my test OU. Here we have been adding GPOs one at a time. I've recreated my IE GPO based on a new .adm file. Seems I was using an old one (IE7 .adm file) - so that's been updated. The logon time was around 9 seconds. However, I've just added a GPO that contains a script to map a drive - whoosh - logon time suddenly increases. Yet this script has to be there. We will be looking at it again on Monday.
Did you see anything of interest in the log file?
The scripts are vbs.
Try changing the script for a simple .bat file and see if that helps.
Do you have any problems running to the folder where the script is located?
1. Check to see of the machine is in the SuccessMaker security group.
2. If Yes - unmap the LEA M drive and remap it to the SuccessMaker server.
I'm sure the script does more than that but cannot get access to it at the moment.
If the script does not run SuccessMaker does not work. However we know the script is running and M is being remapped.
Today we started tidying up our GPOs and managed to consolidate a couple into one larger one. We knew the settings worked so slapped them all together. Also created a GPO to install Base software for when a machine is built. When looking at the logs from Policy Reporter we can see each policy being loaded and read - now this must take a little bit of time (even if it is milliseconds) - so are working on the assumption that less policies is better than more policies.
There are currently 1 users browsing this thread. (0 members and 1 guests)