Active Directory Users & Computers slow over GlobalProtect

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Active Directory Users & Computers slow over GlobalProtect

L1 Bithead

We are experience an issue that I am curious if anyone else has encountered. When any of us IT folk are VPN'd in via GlobalProtect (tested on different internet connections, hardwired and wifi) whenever we open up MSFT Management Console Active Directories Users & Computers, it takes about 5-7 minutes to open.  I can see the traffic in our traffic logs on the Palo, nothing denied, it just takes a long time until it opens and runs painfully slow once opened. 


If anyone has encountered this before if you could point me in the right direction that would be great, I will update if I do find anything.




This is happening to users here since moving from 4.1.11 to 5.1.5

Has anyone had any luck fixing this by updating SRV or other DNS records?

I don't want to run a script to fix something that sounds like it may be resolvable by an infrastructure change.

We had this issue with several users and the workaround suggested on the article sorted the issue out.


Adding a dummy domain on the split tunnel tab worked. Note: without "no direct access to local netwok" othersie this will nullify the fix of using the domain in split tunnel.

From the admin-guide:

"Disable the No direct access to local network option (Split TunnelAccess Route). If enabled, this setting disables split tunneling on Windows, Linux, and macOS networks."


The 2nd workaround is to disable weakhost mode from the powershell with commands:

Get-WmiObject win32_networkadapter | where-object NetConnectionStatus -eq 2 | where-object ServiceName -ne PanGpd | ForEach {netsh interface ipv4 set interface $_.InterfaceIndex weakhostsend=disabled}
Get-WmiObject win32_networkadapter | where-object NetConnectionStatus -eq 2 | where-object ServiceName -ne PanGpd | ForEach {netsh interface ipv6 set interface $_.InterfaceIndex weakhostsend=disabled}


Both workarounds worked fine for all the users.


Does anyone know if this design is intended to be changed in future GP releases?

I guess this is a something for a feature request. Did someone requested one for this matter?


Thank you!

We were running GlobalProtect 5.0.x for a while and just recently upgraded the clients to 5.2.2.  And thats when this issue popped up for us.  A workaround that I found is to launch ADUC from the command line with the /server switch, "dsa.msc /server=<ip of the dc>".  When I specified the ip of the dc, ADUC was very responsive.

Hi @DougVanAllen ,


actually for us it was the other way around, upgrading to 5.2.2 fixed the issue with ADUC.



What do you mean "add a dummy domain to split tunnel" Do you add a fake domain to the include or exclude? I tried adding the real domain to include, but nothing has improved. 




Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!