Troubleshooting slow AD logins?

DanJ_LRSFC
Contributor III

Can anyone offer any suggestions on how to troubleshoot a "slow login" issue?

Specifically, we've had 3 Macs reported to us where login using Active Directory accounts is quite slow. We reproduced the issue with our test student AD account and found that it was taking around 4-5 minutes from pressing Enter on the login box to having a usable desktop with drive icons and Dock.

Our local administrator account is quicker to log in, but still slower than we might have expected it to be.

I tried running a diagnostic utility I found called EtreCheck, but it didn't really come up with anything particularly actionable.

EDIT: we only have one site, this is in relation to Macs that are on that site, and it is only happening with some Macs - other Macs are fine.

EDIT 2: our domain is a .local, and (among other things) we do use configuration profiles to apply restrictions to student users, so we do need these to be applied before the user can start using the computer.

8 REPLIES

easyedc
Valued Contributor II

So we had similar problems years ago, and found writing some login timeouts seemed to make a difference. Check out this post: https://www.jamf.com/jamf-nation/discussions/17736/extreme-long-login-times-for-active-directory-users-while-remote

B-35405
Contributor

Are you pointing to the closest domain controller on site? Is the domain controller located in AWS land?

DanJ_LRSFC
Contributor III

@easyedc We only have one site and this is in reference to Macs on that site. It's not happening to all of them either, only some.
@B-35405 When setting up the AD binding I didn't see any options to specify which domain controller to use? But they're equally close I believe so I wouldn't have thought it mattered? All our domain controllers are on-site.

easyedc
Valued Contributor II

Regardless of the site, setting timeouts should help if you're AD bound.

defaults write /Library/Preferences/com.apple.loginwindow DSBindTimeout -int 10
defaults write /Library/Preferences/com.apple.mdmclient BypassPreLoginCheck -bool YES

ryan_ball
Valued Contributor

Is your domain a .local?

ginakung
New Contributor III

@DanJ_LRSFC We've also had slow logins with AD accounts on Mojave for quite some time now. 10.14.5 seems to improve the login times slightly. Removing security apps also improved the login times.

jared_f
Valued Contributor

I ran into a similar issue, but logins were also being bounced (even though the username/password combination was correct). It was actually a sync issue with my domain controllers that was causing it. In addition, I would double check date and time and re-bind if necessary.

My domain @ryan.ball is a .local. Not running into any issues with Macs.

I would also double check any policies scoped at login to the machines having issues. Could be something slowing it down there.

DanJ_LRSFC
Contributor III

@easyedc I googled the BypassPreLoginCheck setting; it seems like this would prevent some MDM profiles being applied before the user is able to start using the computer? This seems like it would have the potential to allow students to get around restrictions we've set up using configuration profiles.
@ryan.ball Yes, our domain is a .local.
@jared_f I've only really got one policy that is scoped to run at login (our login script, which sets up the Dock and mounts ~/Documents to the user's AD home directory), and it doesn't always seem to run in a timely fashion either - I've had to add it to Self Service so that students can re-run it if it doesn't run automatically.
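
An added example, not part of any post in this thread: a read-only check that reports the two preference keys suggested above, so affected and unaffected Macs can be compared and any Mac with BypassPreLoginCheck turned on (the trade-off raised in the last reply) is visible. It assumes deployment as a Jamf Pro extension attribute (hence the `<result>` wrapper); the `DEFAULTS_CMD` override and the function names are hypothetical, introduced only so the logic can be exercised off-device.

```shell
#!/bin/sh
# Added example: audit DSBindTimeout and BypassPreLoginCheck without changing them.

# Command used to read preferences. Assumption: overridable for testing;
# on a real Mac this is /usr/bin/defaults.
DEFAULTS_CMD="${DEFAULTS_CMD:-/usr/bin/defaults}"

# read_pref DOMAIN KEY: print the stored value, or "unset" if the key
# (or the preference file) does not exist.
read_pref() {
    local value
    if value=$("$DEFAULTS_CMD" read "$1" "$2" 2>/dev/null) && [ -n "$value" ]; then
        printf '%s\n' "$value"
    else
        printf 'unset\n'
    fi
}

# classify_bypass VALUE: "defaults read" prints booleans as 1 or 0;
# anything other than a true value (including "unset") is not-enabled.
classify_bypass() {
    case "$1" in
        1|YES|yes|true|TRUE) echo "enabled" ;;
        *) echo "not-enabled" ;;
    esac
}

# audit_login_prefs: one-line summary of both keys from the thread.
audit_login_prefs() {
    local timeout bypass
    timeout=$(read_pref /Library/Preferences/com.apple.loginwindow DSBindTimeout)
    bypass=$(read_pref /Library/Preferences/com.apple.mdmclient BypassPreLoginCheck)
    printf 'DSBindTimeout=%s; BypassPreLoginCheck=%s\n' \
        "$timeout" "$(classify_bypass "$bypass")"
}

# Jamf Pro extension attributes report their value inside <result> tags.
echo "<result>$(audit_login_prefs)</result>"
```

A smart group on `BypassPreLoginCheck=enabled` then lists the Macs where the pre-login check has been turned off.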