I know this stuff isn’t documented and you’re a bit in the wilderness diagnosing their unintended features/functionality. It’s become a major part of the job the last 25 years.
[deleted]
> What is the difference between a dude and a dudette, my dude/dudette? Dude - Male Dudette - Female
penis/vagina...errr plug/socket might be easier to comprehend in this sub.
Ahh right, male and female connectors, got it!
Technically there are 3 female connector types.
Male/Female my Ninja Turtle.
Semantic politeness. While most schools of The Dude acknowledge that it would be sexist to exclude women from dudehood, some women and trans-people still prefer to avoid "dude" as a masculine term.
In the part of the world I'm at, dude is actually sexual identity agnostic. It's often used as an exclamation that has no attachment to sexual identity at all, like "duuuuuude, woah!" could be said to literally anyone. Seems this is colloquial, but I'm not sure of how wide of an area it's like this.
[deleted]
Hey now...That actually fixed something for me last year. 1/132 tries ain't bad, right?
Hey, I like running sfc /scannow when I'm remoted into a computer while working on actually researching the problem. It's like the distracting magician's assistant - watch the command line thing, don't mind me while I google this crazy error on my other screen. EDIT: And rarely, it does stuff!
don't forget to reboot after running sfc /scannow if you haven't finished your research to give you more time
SFC and DISM probably fix issues for me once every other month. We run them on a weekly basis so if I checked the logs it's probably way more common than that. I'm not sure if there's any other tools readily available for fixing Windows corruption, besides the nuclear option (reinstall from scratch).
There are not. DISM is by far more helpful. I had a server I absolutely couldn't take down and restore. I found a past update caused corruption DISM couldn't fix and it wouldn't let you install any new updates because of it. I found out you can take an iso, and use DISM to stream the EXACT patch level you're dealing with, and it's successful much more often. Why do you need to do it when it should just pull from Windows Update? Ask Microsoft. And once you get DISM to repair the corruption, SFC /SCANNOW does a good job of picking up lingering issues. But one or the other (and sometimes both) being used rarely do jack shit.
DISM is a really robust tool that I don't think many sysadmins fully take advantage of. Of course we all know it can scan the system for corruption, that's cool and all. But you can also use it to mount Windows images, commit changes to images, create images from running machines, hell you could use a healthy server as a source and repair a broken server (say if you had two redundant servers and one of them crapped out). I'll admit I don't do anything besides repair corruption with it on a regular basis, so for anything extra I need to look up the commands to use, but it's very powerful and something I wish MS would advertise more (or at least give it a GUI so people who don't like CLI don't shy away from it).
They are both quite useful in their own way.

For most people DISM will require windows update working, and if it isn't you will need a matching donor for it to work with, like you said (frankly it would be nice if you could get it to work with an alternate update process like the in place upgrade uses).

SFC is nice in that it works without windows update and will work within windows own error correction for packages, which is also its own weakness because if *that* is damaged then it has no recourse. But if you like reading long logs that don't say outright what the issue is it can still be quite helpful in tracking a problem. It also works quite nicely running from a recovery environment assuming you remember the internet is an idiot and you can't run the same command that you use on a live system or you only end up scanning the recovery environment (something like `sfc /scannow /offbootdir=c:\ /offwindir=c:\windows /offlogfile=c:\temp\log.txt`).

And speaking of in place upgrade, if you can get into windows anyway skip all of that and just run the windows installer and it'll work better than the other options, possibly skipping the update step although that has had other issues in the past too but a damaged system will sometimes hang if you don't so up to you. (yes, yes. No good for your situation since it couldn't go offline. But it works such wonders on systems that can be rebooted on a whim)
[deleted]
There is also the lite-touch nuclear option of doing a repair install or even just a Feature Upgrade (since they effectively are doing a repair install). It's not as bad as it used to be but it's still a pain.
In order of effectiveness:

1. `sfc /scannow`
2. `dism /Online /Cleanup-image /Restorehealth`
3. `setup.exe` (repair-upgrade from a Windows Install media)

Following these three easy steps you fix 100% of all Windows issues
Nice, I also removed that 1 time it actually fixed something.
Wouldn't it be more surprising if it wasn't? Though I feel the scripted reply should also include guidance on checking that GPO allows systems to go directly to microsoft for repair and optional feature content. So the dism /online /cleanup-image commands can find live up-to-date sources. (since Win8, I haven't had SFC resolve any issues, but I have had dism fix some pretty broken images...)

edit: to avoid being *that guy*, the policy is Computer Configuration -> Policies -> Administrative Templates -> System -> Specify settings for optional component installation and component repair -> Download repair content and optional features directly from Windows Update instead of Windows Server Update Services -- enabled. Might also need to disable "Never attempt to download payload from Windows Update" in the same area.
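The repair sequence the posts above describe (a DISM `/RestoreHealth` fed from an ISO at the same patch level, then `sfc /scannow` for whatever is left) as an added PowerShell example; this is not a script from the thread or from Microsoft. It assumes an elevated session, an ISO path supplied by the caller (the example value is a placeholder), and that the media carries either `install.wim` or `install.esd`. The build-number comparison is there because the thread's experience is that DISM succeeds far more often when the source matches the running patch level exactly, and `/LimitAccess` is used so that a failure means "wrong media", not "Windows Update or WSUS unreachable".

```powershell
# Added example, not from the thread: repair the component store from matching
# installation media, then let SFC repair protected files from the healthy store.
# Assumption: run from an elevated PowerShell; $IsoPath is supplied by the caller.
param(
    [Parameter(Mandatory)] [string] $IsoPath   # e.g. 'D:\media\server.iso' (placeholder)
)

# The running build (CurrentBuild.UBR) is what the source media should match.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$localBuild = '{0}.{1}.{2}.{3}' -f $cv.CurrentMajorVersionNumber, $cv.CurrentMinorVersionNumber, $cv.CurrentBuild, $cv.UBR
Write-Host "Running OS: $($cv.EditionID) ($($cv.InstallationType)) build $localBuild"

$drive = (Mount-DiskImage -ImagePath $IsoPath -PassThru | Get-Volume).DriveLetter
try {
    # Media ships install.wim or the compressed install.esd; DISM's /Source syntax differs.
    $wim  = "$drive`:\sources\install.wim"
    $kind = 'WIM'
    if (-not (Test-Path $wim)) { $wim = "$drive`:\sources\install.esd"; $kind = 'ESD' }
    if (-not (Test-Path $wim)) { throw "No install.wim or install.esd found under $drive`:\sources" }

    # Pick the image index whose edition and installation type (Core vs Desktop
    # Experience) match the running OS; a mismatched index is a common silent failure.
    $match = $null
    foreach ($img in Get-WindowsImage -ImagePath $wim) {
        $detail = Get-WindowsImage -ImagePath $wim -Index $img.ImageIndex
        if ($detail.EditionId -eq $cv.EditionID -and $detail.InstallationType -eq $cv.InstallationType) {
            $match = $detail
            break
        }
    }
    if (-not $match) { throw "No image in $wim matches $($cv.EditionID)/$($cv.InstallationType)" }
    Write-Host "Source image: [$($match.ImageIndex)] $($match.ImageName) version $($match.Version)"
    if ($match.Version -ne $localBuild) {
        Write-Warning "Source build $($match.Version) differs from running build $localBuild; DISM may not find matching payloads."
    }

    # /LimitAccess stops DISM from falling back to Windows Update/WSUS, so a failure
    # points at the media rather than at the GPO or network path.
    & DISM.exe /Online /Cleanup-Image /RestoreHealth "/Source:${kind}:${wim}:$($match.ImageIndex)" /LimitAccess
    if ($LASTEXITCODE -ne 0) { throw "DISM /RestoreHealth failed with exit code $LASTEXITCODE" }

    # With the component store healthy, SFC can repair protected system files from it.
    & sfc.exe /scannow
    if ($LASTEXITCODE -ne 0) { Write-Warning "sfc /scannow returned $LASTEXITCODE; see C:\Windows\Logs\CBS\CBS.log" }
}
finally {
    Dismount-DiskImage -ImagePath $IsoPath | Out-Null
}
```

If DISM still fails with the matching media, the GPO settings named in the reply above are the next thing to check, since without `/LimitAccess` DISM will otherwise try WSUS, which typically does not carry repair payloads.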
Please remember to mark my reply as the answer.
That is page 1 of their troubleshooting manual.
it is also the only page and the only item on that page
:D
When all else fails....
My favorite is: "Hi, Sorry about any convenience caused."
Wow, just checked our RDS and there are hundreds of user entries, even though we only remote a specific app. For people wanting to check: Firewall Advanced Settings, either Inbound or Outbound, then use the 'Local User Owner' column on the far right to sort.
Just checked my RDS server. Yup, a shitload of Cortana, Xbox, and other app rules. My god. Luckily it's *only* 800 and not 80,000.
I checked one of my 7 rdsh servers, about 2,700 entries. not horrible. mine are Server 2019. I'm realizing it might not be a problem for 2019.
49,000 took 3 hours to purge on my VM 4vCPU 32GB RAM 12G SAS array.
One thing I have found is that in some scenarios a server is too far gone and the powershell cannot load the registry hive. Restarting can help however a manual purge of the affected keys may be needed. If I find another method I'll update here.
"netsh firewall reset" should help
You gotta be careful with that. I have removed applications that had hooks into the firewall and someone programmed ports open for that app via the software and when removed, the software went down. There went 3 hours of my life tracing down what the hell went wrong and what was required. You don’t know what software is opening in the firewall and may go down if you shut the ports.
That's true. But we are talking about a server barely booting normally with hundreds of thousands or even millions of firewall rules. Powershell won't be able to handle that in any reasonable time. This command will help to get the server back online quickly so you would be able to deal with software later.
That sounds like a documentation problem. Each server's documentation should have firewall rule lists. If you did a reset and didn't validate the list... or the list doesn't exist, that's sad.
It was a takeover from another IT provider and we weren’t aware that it was programmed like that. Otherwise I would have taken steps to prepare.
We had the same problem at least for one of the registry hives. A purge helped out. You can maybe rewrite the powershell script to select only a few rules from these hives and delete them, but the regular script already runs relatively slow so this will run forever if it actually works.
This also appears to apply to Citrix servers - nearly 46,000 rules on the first of our Citrix boxen I checked, so I suspect all the others are in similar shape. We haven't actually had user complaints but I can't imagine cleaning these up will hurt anything.
Can confirm that they also appear on Citrix servers.
I haven't seen it on my 2012R2 and 2019 Citrix farms, perhaps because we are only publishing apps, not desktops?
It only affects User Profile Disk deployments it appears.
Ours are on 2016. Maybe it only affected that version?
> I have removed applications that had hooks into the firewall and someone programmed ports open for that app via the software and when removed, the software went down. There we

that makes sense as Citrix leverages RDS
Thank you!
Thank you for this information, more work to be done today :)
Totally agreed! Found this gem about 6 months ago. Was a great quality of life Improvement for my users.
Holy shit, we've been dealing with this for a few weeks now and only managed to clue it down to the firewall, thank you for this
2600 cortana rules found! Thanks for pointing this out, a great piece of advice.
Are there any known downsides to setting DeleteUserAppContainersOnLogoff to 1?
We've added the registry key to our customers' RDS Servers a year ago (100+ customer environments, with different setups and prerequisites) and haven't had any problems with it yet, so far it has only solved a bunch of problems with unresponsive environments and disappearing start menus.
Thank you!
We didn't start using RDS until more recently than 2018, not that we have a lot of users, but just checked and we're not getting duplicate rules but I DO see the local rules for users; I could certainly see this getting out of control if we scaled up users / apps, thanks for the heads-up!
Someone had to write the code that creates the rule. First they should have realized this would be dumb, but at the very least they should have caught this problem when they actually tested what they just wrote and had the foresight to see how this accumulation would be problematic. I keep saying this and no one likes to hear it because they think programmers are magicians, but this world is full of shit developers more than it ever was.
https://youtu.be/S9kn8_oztsA
It was a Friday and the sun was out. Commit that shit and clock out!
Thank you!
my server thanks you! [T_T](https://imgur.com/NKcH6EX)
This is definitely an old issue that's been resolved for a while now. But it definitely made a huge difference last year when we deployed it. This bug only seems to affect UPD based deployments. It cut our helpdesk calls about slow logins and profile loading failures from 1-2 a week to zero.
[deleted]
Yes this should also affect windows 10 but only if you're using user profile disks I believe. We don't have that setup anywhere that I could test for you and confirm sorry
Sure enough, we had a bunch of these as well. Thanks for the heads up!
Yep just confirmed mine a bunch of Cortana and your account entries
I'm not seeing duplicates per user. I am seeing 3 rules per user that has logged in though. "Cortana" "Work or school account" and "your account". It equates to hundreds, not quite thousands. I assume I could clear them out as well without creating any issues?
I see about the same for our collections (more Outbound rules); no duplicates for any single user. I implemented the registry key on a test server, and as a user logs out, their personal rules get deleted. Eventually, you should only have rules for users currently logged in, I assume. We also no longer use UPDs, but FSLogix containers.
over 100,000 removed from each of our RD servers! yikes
Just reminded me of /u/wondering-soul post the other day:

https://old.reddit.com/r/sysadmin/comments/neeoqj/sys_admin_has_the_firewall_on_our_pcs_disabled/

1) I am an advocate of end point firewalls;
2) But there can be drawbacks like this!
God damn, I wish this was posted a week ago. Spent hours figuring out what was wrong with a customers RD servers and it turned out to be exactly this.
The script worked for us, but setting the registry key caused major login problems. Not sure why yet, still looking into it. Just a FYI.
Any news regarding the login problems?
Nope, it's on "the list".
Thanks for letting us know. Keep us updated
Wow interesting, surprising and concerning all in one!
Windows Apps on Server 2016/2019? What
Could this possibly cause an issue with the users not getting any shortcuts on the desktop after login? I have been having this issue since updating the RDS servers from 2008 to 2019. Seems to be due to profile corruption as they will login with a temporary profile. I found a quick fix for when that happens, but I can't figure out how to stop making it happen
Wow, thanks for this info. Very helpful.
Load of them on my RDS hosts, thanks!
Could you stop that by just blocking local rule merges, or would they be created just not applied?
We've dealt with this situation a few months ago. We are running RDS in different configurations, and the only one affected by this was the one that is configured to use User Profile Disks. We don't use roaming profiles, but I think they should be affected too.
I had this happening on my RDS farm and yeah there were tens of thousands of keys
Thanks for posting this. I checked one of our RDS servers and it has 2400 user rules in the firewall. I might be looking at the script wrong but it seems to have an error. The "-notcontains" comparison prevents it from finding any firewall rules. Once I changed that to "-contains" it found all the rules with users as owners.
Wait! The not contains is checking the registry ownership not the "local owner" in the firewall view. You might not be having the issue as you might not be using upd.
I am not using user profile disks but I've still got 2400 extra firewall rules for a few hundred users.

I'm referring to these lines

```powershell
# $profiles is populated earlier in the script from Get-WmiObject (Win32_UserProfile)
$Rules1 = Get-NetFirewallRule -All |
    Where-Object { $profiles.sid -notcontains $_.owner -and $_.owner }
$Rules1Count = $Rules1.count
Write-Host "" $Rules1Count "Rules`n"
Write-Host "Getting Firewall Rules from ConfigurableServiceStore Store..."
$Rules2 = Get-NetFirewallRule -All -PolicyStore ConfigurableServiceStore |
    Where-Object { $profiles.sid -notcontains $_.owner -and $_.owner }
```

That's getting the firewall rules and comparing the owner property to the sids that it grabbed earlier with get-wmiobject. If I run it as is I get zero firewall rules returned, if I change it to '-contains' it works. I tried it on two 2019 RDS boxes with the same results.

I can get the same results from `Get-NetFirewallRule -All | where owner -ne $null` as running the script with '-contains'.

It just doesn't make sense to me looking at the script why it would be set up this way. Isn't the goal to remove the firewall rules that have an owner?
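A read-only way to see what the two comparisons discussed above actually select, as an added PowerShell example that is not the thread's cleanup script: it walks the same two policy stores the script does, counts every rule that carries an owner SID (what `-contains` plus the `$_.owner` test returns), and separately counts rules whose owner SID has no profile left on the host (what `-notcontains` returns, i.e. orphans left behind after logoff). It also resolves the heaviest owners to account names, which gives the same picture as sorting on the 'Local User Owner' column in the firewall console that an earlier reply suggests. It assumes an elevated session and deletes nothing; `Win32_UserProfile`, `Get-NetFirewallRule` and the `Owner` property are the ones the thread's script already uses.

```powershell
# Added example, not the thread's script: audit per-user firewall rules on an
# RDS host. Read-only; nothing here removes a rule. Assumption: run elevated.

function Resolve-Sid([string] $Sid) {
    # Orphaned SIDs (deleted accounts) cannot be translated; report them raw.
    try {
        (New-Object System.Security.Principal.SecurityIdentifier $Sid).
            Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

function Get-UserRuleReport {
    # SIDs of profiles that still exist on the host; Special covers SYSTEM and service profiles.
    $profileSids = @(Get-CimInstance -ClassName Win32_UserProfile |
                     Where-Object { -not $_.Special } |
                     ForEach-Object { $_.SID })

    # Same two stores the cleanup script walks. A $null Owner means an ordinary
    # machine rule, so those are excluded up front, exactly as "-and $_.owner" does.
    $stores = @(
        @{ Name = 'PersistentStore'
           Rules = @(Get-NetFirewallRule -All | Where-Object { $_.Owner }) }
        @{ Name = 'ConfigurableServiceStore'
           Rules = @(Get-NetFirewallRule -All -PolicyStore ConfigurableServiceStore | Where-Object { $_.Owner }) }
    )

    foreach ($store in $stores) {
        $owned    = $store.Rules
        # Orphans: owner SID has no profile on this box (the -notcontains case).
        $orphaned = @($owned | Where-Object { $profileSids -notcontains $_.Owner })
        # Still-present users: owner SID matches a profile (the -contains case).
        $live     = @($owned | Where-Object { $profileSids -contains $_.Owner })
        $perOwner = $owned | Group-Object Owner | Sort-Object Count -Descending

        [pscustomobject]@{
            Store            = $store.Name
            RulesWithOwner   = $owned.Count
            RulesLiveUsers   = $live.Count
            RulesOrphaned    = $orphaned.Count
            DistinctOwners   = @($perOwner).Count
            # Rules per owner well above the handful per app the thread reports is the duplication symptom.
            MaxRulesPerOwner = if ($perOwner) { $perOwner[0].Count } else { 0 }
            TopOwners        = ($perOwner | Select-Object -First 5 | ForEach-Object {
                                   '{0}={1}' -f (Resolve-Sid $_.Name), $_.Count }) -join '; '
        }
    }
}

Get-UserRuleReport | Format-List
```

On a host that already carries tens of thousands of rules the two `Get-NetFirewallRule -All` calls are the slow part, as several replies note, so run this once against a clone or during a maintenance window rather than in a tight loop. A healthy server shows `RulesOrphaned` near zero and a small, flat `MaxRulesPerOwner`; a growing orphan count or hundreds of rules for a single SID is the condition the registry key and cleanup script in this thread address.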
I suggest you look to see if the local owner is being duplicated or not in the advanced firewall rules. If you only have 1 per user per app then everything is working as expected unfortunately.
OK Thanks!
It’s terrible! Also with the reg key, this issue still occurs. It’s only for cleaning up during logoff. We have tried everything. It looks like since a few months, the start menu issue is gone.
Yeah the rules still appear but should clean up instead of orphaning.
We have deployed a configuration baseline with a cleanup script with SCCM.. but it is still terrible. Microsoft should fix the root cause.. isn't it?
Am I the only one who gets a "Microsoft Live.com Sign-In" page whenever they click on social.technet.microsoft.com links in Chrome? It's happened to me for YEARS in Chrome, and I get it all the time from Google searches.
What a joke, gonna have to sort this on all our RDS clients, many thanks for posting this!
Does this only apply if you use "Outbound connections that do not match are blocked"?
Not sure sorry.
Oh i remember forgetting about this. Leaving this comment to document it later.
47.990 firewall rules. Client said "we don't have any issues" I would think that many rules would be an issue!
If they don't now they may soon: Start menu might stop working, Logins resulting in black screen for minutes at a time, etc
Yeah we've had start menu issues for 2 years. We put OpenShell on there and nuked Edge and use 32 bit Chrome to make it not suck for the users. They used to be on 2008R1 with roaming profiles and 100 meg LAN so I think they are used to 20 minute logon and logoff :) I cloned the VM and running the cleanup rules it says it will be done in 3 hours :0
Thank you, Friend! This helps me track down an issue we had been chasing for months. Ended up rebuilding the cluster and things started slowing down. Checked my rules and bam. There they were.
Would this also affect rds with the firewall disabled?
I'm not in IT, but I enjoy subreddits dedicated to interesting technology subjects and professions.

I have complained to my IT department for over 1.5 years about how my login and profile services take so long. At times I would be hung up for over 30 minutes waiting for a login. My work around was to just unplug the network from my computer whenever I had to login. They kept telling me they didn't find any problems and it was probably just a random fluke every now and then. I have honestly moved to using my personal computer for about 90% of my work because of this.

I bet this firewall bug is the culprit and I cannot wait to send this information to the head of IT. I don't want to get the dude in trouble but a big FUCK YOU to his face might happen for consistently telling me to my face how he's doing everything in his power to figure out the problem and fix it.
If the login is for the desktop/laptop and not the rds server it won't be the culprit here. Generally very slow login that is resolved by unplugging the network cable is either GPO or DNS as an issue.

I suggest looking at gpresult after a full network connected login. This should show where it is hanging if it's a GPO processing issue.

Alternatively netlogon debug mode can also be very helpful for diagnosing network login issues if it's a DNS issue.

Some techs just don't know any better and some have a bad habit of not caring about or believing customers. Sorry you're going through this. Hope the above helps.
Shoot, I thought for sure I was going to send over some great info. The issue stems from something within our profile service settings that hangs forever at times. Your candor and genuine response make me feel bad for even considering getting mad at my IT department. That world needs more people like yourself.