So, we've been struggling for quite some time with a slow login problem. It's apparently school districts all over having these troubles. I will hopefully be sharing my solution with one of my fellow districts sometime soon and I hope it can help them.
So, logins had been taking up to 45 minutes, which is ridiculous. By the time the kids got logged in, it was time for them to go. Usually, they didn't even get logged in before they had to go, so they tend to hold in the power buttons to turn the computers off by force. This causes a completely separate problem that can only be solved my reimaging the machines. Microsoft knew about it and had been working on a fix for quite a while. Amazing the difference it will make in the higher ups blaming you when people all over the place are having the same problem after microsoft puts out a 90, let me be very clear, NINETY hotfix rollup.
I'd found that a combo of a profile cleaning script and two hotfixes on shutdown had a profound effect when combined with a high lsass utilization hotfix on the server. For profiles that hadn't been created before the hotfixes were applied, logins came down to three minutes or under. Still a little pokey, but a vast improvement. After the 90 hotfix rollup was also pushed out to the workstations and servers, it halved the three minute logins. So, long story short, don't don't don't do this on startup. This will make people freak out, because it takes about four or five minutes to run as a shutdown script in group policy. Most people couldn't care less how long it takes for their computer to shut down, but they will squawk like biddies if their computers hang on startup. They are also likely to force them to turn off instead of letting the scripts run. This will corrupt their computers worse and make them even slower.
So, in short, what it appears to take to fix slow computer lab logins in a large scale k-12 AD domain is to:
1. Clean student profiles on shut down. Use a profile cleaning VBScript with an exception list so you don't delete public and default profiles by accident. Make sure it doesn't clean teacher profiles either. They like to save stuff to their desktops.
2. Install the 2 hotfixes for Folder redirection and item level targeted group policy shortcuts. If anybody actually reads this blog, comment on it and I'll include the specific hotfix numbers.
3. Install the high lsass utilization hotfix on the DCs. Again, ask me and I'll provide the numbers. I can't remember them off the top of my head.
4. Install the 90 hotfix rollup to both the DCs and workstations.
5. Make sure you don't have duplicated stuff in your group policy. Also make sure shortcuts that don't have to be targeted aren't and you aren't pointing to stuff that doesn't exist.
6. Disable IPv6 in the registry. Don't lie, you're not using it.
So. That's it. Appears to be the snazzy fix for slow logins, at least for us. I've rolled it out to three middle schools and they are happy about it. Soon high schools, then other districts. Again, if anybody reads this and I can help with your slow login ridiculousness, let me know.
No comments:
Post a Comment