Unable to log in using RDP on Windows Server 2012 or 2016 when having more than about 900 local users

Hello,

I would like to report a huge bug in Windows Server 2012 and 2016. For 2012 I need to try multiple times to log in to the system using RDP, but after upgrading 2012 to 2016 I can't log in at all. Everything is described here:

https://social.technet.microsoft.com/Forums/systemcenter/en-US/b45761b1-3949-4c9c-9e88-7d70cef6990f/long-delay-to-log-in-please-wait-for-the-local-session-manager?forum=ws2016

Basically, during the RDP login process, lsass.exe parses ALL local users, which takes too much time, and the incoming RDP session is disconnected. As far as I can see in the Windows Event log, about 800-900 local users are parsed before the disconnection occurs.

During the login process lsass.exe uses a large amount of CPU, but this is probably related to checking the registry:

https://social.msdn.microsoft.com/Forums/getfile/1079226

As you can see in ProcessManager, from the time the RDP connection was made, 21% of ALL Windows events logged in Process Manager were from the lsass.exe process.

There is an easy way to replicate this issue:

I can replicate this bug
1) RDP to a newly created Windows Server
2) create a batch file with the following content:
:start
net user /add user%random%_%random% /random
timeout 1
goto start
open command prompt and execute the batch file.
Wait 20 minutes
try to RDP or connect via console. It won't work.

(and as far as I know it was replicated on MS side but for now nothing is being done or decided what to do with this problem).

A solution for this issue could be just extending the RDP timeout, which will work just fine because lsass.exe uses more CPU only while traversing local users, and after logging in it just drops.

Any ideas/suggestions? Except "just use AD", ok? This specific scenario is on a system which holds shared hosting accounts, and local users are used just to keep websites separated from each other, so I really don't need AD for this one.

Thanks

3 votes
    Webio shared this idea

    1 comment

      • Webio commented

        Solution from MS:

        We found that each iteration (happening in LogonUI) makes a call out to LSASS.exe, which performs the UserLookup and returns the SID information. This is what is taking time.

        This kind of extensive lookup happens because of new functions introduced from Win2012 onwards.

        To turn this lookup off, please add the following registry key (both the locations), reboot the machine and then test and let me know the results.

        Location 1: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
        Location 2: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

        Key: DontDisplayLastUserName
        Type: DWORD
        Value: 1
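
The registry change described in the comment above, as an added PowerShell example that is not part of the original post or Microsoft's reply: it reports the current state of DontDisplayLastUserName in both locations and writes DWORD 1 only when asked. The -Apply switch and the report column names are assumptions made for this example; run it from an elevated prompt.

```powershell
# Added example: audit (and optionally set) DontDisplayLastUserName in the
# two locations named in the comment. Without -Apply nothing is written.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Apply   # hypothetical switch name chosen for this example
)

$ValueName = 'DontDisplayLastUserName'
$Desired   = 1
$Locations = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
$changed = $false

$report = foreach ($path in $Locations) {
    $current = $null
    $kind    = $null
    if (Test-Path -LiteralPath $path) {
        $key = Get-Item -LiteralPath $path
        if ($key.GetValueNames() -contains $ValueName) {
            $current = $key.GetValue($ValueName)
            $kind    = $key.GetValueKind($ValueName)   # e.g. DWord or String
        }
    }
    # Compliant only when the value exists, is a DWORD, and equals 1.
    $ok = ($kind -eq 'DWord' -and $current -eq $Desired)

    if (-not $ok -and $Apply -and
        $PSCmdlet.ShouldProcess("$path\$ValueName", "Set DWORD $Desired")) {
        if (-not (Test-Path -LiteralPath $path)) {
            New-Item -Path $path -Force | Out-Null
        }
        New-ItemProperty -LiteralPath $path -Name $ValueName `
            -PropertyType DWord -Value $Desired -Force | Out-Null
        $current = $Desired; $kind = 'DWord'; $ok = $true; $changed = $true
    }
    [pscustomobject]@{ Path = $path; Value = $current; Type = $kind; Compliant = $ok }
}

$report | Format-Table -AutoSize
if ($changed) {
    Write-Warning 'Values were written; the comment above says a reboot is needed before testing.'
}
```

This value also backs the "Interactive logon: Do not display last user name" security option, so once it is set the logon screen no longer shows the last signed-in account name.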
