Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.
Krogsgaard, Lotte wrote:
> RE: The group enumeration shouldn't take more than a fraction of a second
> normally. It sounds like the connection to your domain controller is slow
> for some reason... this will be slowing down any application that needs to
> authenticate (plus NTFS access etc.) so it's well worth looking into.
>
> - In my environment, the add_valid_group part takes more than 30 seconds -
> adding about 30-40 groups, including 'Domain Users' several times.

A second for a group almost sounds like network timeouts... it shouldn't be taking anything like that long. Domain Users repeating is just because you are a member of that group several times.

There is some mention of a bug on NT4 where it tries every single domain controller in a forest to find each group your it doesn't sound like you're using NT4 anyway so wouldn't hit that problem.

> Authentication when e.g. mounting a drive on the CVS NT server is much
> faster - this does in fact take a fraction of a second. I was under the
> impression that this should take a comparable amount of time, if the problem
> was caused by the Domain Controller?

Try checking the security on a directory with some local and remote users.. that does something quite similar (get a list of SIDs and lookup their names). You could probably simulate the entire operation by adding all 40 groups to the ACL of a directory.

> I don't have any other ideas - other than perhaps trying to create local
> users and instruct people to use the same passwords as they do in the
> Domain. Could that possibly speed up things?

Possibly, however the underlying problem would still be there and could affect other things. It would also mean that sspi users couldn't login without passwords.

It sounds like you're using the slower method of group enumeration also (although you didn't post that part of the trace I'm guessing that you have either set 'run as user' or are otherwise running under a different account to the user).

Reconfiguring so it uses the faster method using the impersonation token could make a difference (although if the DC communication is that bad even rendering the group SID to a name may take a while).

Tony
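
One way to measure the SID-to-name lookups discussed in the message above, as an added example that is not part of the original post and is not CVSNT code. It assumes it is run in PowerShell on the CVSNT server while logged on as an affected domain user, and it times the name resolution of every group SID in that user's logon token.

```powershell
# Added diagnostic sketch (not CVSNT code): time how long Windows takes to turn
# each group SID in the current logon token into an account name.
# Assumption: run on the CVSNT server as one of the affected domain users.

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

$results = foreach ($sid in $identity.Groups) {
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        # SID -> DOMAIN\Name; domain SIDs may need a round trip to a domain controller
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
    }
    catch {
        # Unmappable SID or unreachable DC: keep the row so the delay is still visible
        $name = '<unresolved>'
    }
    $sw.Stop()

    [pscustomobject]@{
        Sid          = $sid.Value
        Name         = $name
        Milliseconds = [math]::Round($sw.Elapsed.TotalMilliseconds, 1)
    }
}

# Slowest lookups first, so groups that stall on the DC stand out
$results | Sort-Object Milliseconds -Descending | Format-Table -AutoSize

$total = ($results | Measure-Object -Property Milliseconds -Sum).Sum
"Total: {0:N0} ms for {1} group SIDs" -f $total, @($results).Count
```

Windows caches resolved SIDs, so the first run after logon is the representative one; a total in the tens of seconds there points at domain controller communication rather than at CVSNT itself.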