Hey everyone,
I'm managing IT at a university and I'm facing a significant logon delay issue on our shared workstations. The first time a user logs into a machine, it takes over 20 minutes to process policies. However, subsequent logins for that same user are completely fine.
Here's what I currently have set up for the Group Policy Object (GPO) that's managing this process:
- We're deploying 25 shared network printers using Group Policy Preferences under User Configuration.
- The action is set to "Update".
- I've enabled "Run in logged-on user's security context".
- Item-Level Targeting (ILT) is extensively used, as each printer checks for specific Active Directory Security Group membership individually.
- Loopback processing mode is set to "Merge".
I've already eliminated some potential issues; for instance, Point and Print Restrictions are properly configured. The Computer Configuration policy is enabled and restricted to our designated print server (`wts-print-01.uwo.ca`), and I've set the security prompts to "Do not show warning or elevation prompt" for both driver installation and updates.
I have a few theories about what could be causing this delay:
1. **The ILT Storm:** Could the GPO be executing 25 sequential LDAP queries for ILT and causing a bottleneck during the synchronous logon?
2. **Loopback Overhead:** Is using Loopback "Merge" unnecessarily increasing processing time compared to using "Replace"?
3. **Driver Installation:** Even with security prompts suppressed, is the process of downloading and installing drivers in the user context slowing things down?
I'd love to hear your suggestions on optimizing this situation! Would it be beneficial to group the ILT into folders to lessen queries, or maybe pre-deploy drivers at the machine level? Any insights on the reason behind the lengthy first logon would be greatly appreciated!
5 Answers
I had a similar issue in the past and it turned out the drivers weren’t v4 compatible, leading to errors. I suggest enabling the GPO setting for allowing non-admins to install print drivers. If that works, look into getting v4 drivers for all your printers. It made a difference for me! Check out this guide for setting it up: [Allow Non-Admins to Install Print Drivers](https://theitbros.com/allow-non-admins-install-printer-drivers-via-gpo/)
Have you considered turning on detailed login messages to identify where it's hanging? Usually, printer setups can be the main culprit in these situations.
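The three theories in the question can be told apart by measuring which Group Policy extension consumed the time during the slow logon. The script below is an added example, not part of any answer in this thread; it reads the workstation's Group Policy operational log. The event IDs (4001, 5016/6016/7016, 8001) and data field names it relies on are assumptions to confirm against an event's XML view in Event Viewer.

```powershell
# Added example (not from the thread): per-extension Group Policy timing for the
# most recent user logon. Run elevated on an affected workstation right after a
# slow first logon. Event IDs and data field names below are assumptions to
# confirm against an event's XML view in Event Viewer.
$log = 'Microsoft-Windows-GroupPolicy/Operational'

function Get-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$Record) {
    # Flatten <EventData><Data Name="...">value</Data> into a hashtable.
    $map = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $map[$d.Name] = $d.'#text'
    }
    $map
}

# 4001 = start of user logon policy processing; results are newest first.
$start = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 4001 } `
    -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $start) { throw "No user logon policy start event (4001) in $log." }

# Everything from the same processing pass shares the start event's ActivityId.
$pass = Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $start.TimeCreated } |
    Where-Object { $_.ActivityId -eq $start.ActivityId }

# 5016/6016/7016 = an extension finished (success / warning / error).
$cse = $pass | Where-Object { $_.Id -in 5016, 6016, 7016 } | ForEach-Object {
    $d = Get-EventData $_
    [pscustomobject]@{
        Extension = $d['CSEExtensionName']
        Seconds   = [math]::Round([int64]$d['CSEElapsedTimeInMilliSeconds'] / 1000, 1)
        ErrorCode = $d['ErrorCode']
        EventId   = $_.Id
    }
}
$cse | Sort-Object Seconds -Descending | Format-Table -AutoSize

# 8001 = user logon policy processing completed, with the total elapsed time.
$end = $pass | Where-Object { $_.Id -eq 8001 } | Select-Object -First 1
if ($end) {
    $total = (Get-EventData $end)['PolicyElapsedTimeInSeconds']
    "Total user policy processing: $total s"
}
```

If the printers preference extension accounts for most of the total, the driver installation theory is the one to pursue; if the time is spread across many extensions, the number of GPOs pulled in by loopback Merge is the better lead.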
Switching to a computer policy GPO for printers instead of a user policy generally speeds things up significantly!
1. Not likely; those queries are usually quick.
2. The Merge loopback could definitely be a cause of slowness depending on how many policies you have.
3. I suspect this could be the main reason for the hang, particularly if you're installing specific drivers, as those installations happen one by one.
I’ve set up GPPs with hundreds of printers and their item-level targeting, and they performed well with minimal slowdown. I really think the Merge loopback processing might be the main problem here. It’s quite heavy on processing. I personally prefer requiring a computer group or OU with item-level targeting instead.

I completely agree, especially if the v3 drivers are giving issues. Ensuring the right drivers are installed ahead of time could really help.