There are 11 domains in total now, although there were only 5 when the
problem began! Slow users do not necessarily belong to groups outside
of their parent domain.
GPO is applied on a site basis, so should affect all users equally (or
not at all).
The question was really (and not very clear probably) are any of the
GPOs being pulled (especially for slow users) across Domains?
e.g.., users from domain X getting a (site or other) GPO from domain Y?
That is known to be a performance issue.
How large is the stack of GPOs? (GPResult can help)
Are any of the "slow users" supposed to be downloading software
updates? (That can be slow and if it isn't working would re-start
on each logon attemtp....)
If you are authorized, put a Network Monitor (netmon, Etherreal, etc.)
on the line and watch one of them logon....
Having exhausted everything I can think of, I've passed the problem
over to our MS whizkid (ok whizoldguy) in the US. If he cracks it I'll
post the fix back here!
I would seriously consider going back (if you haven't already) and
running DCDiag on (every one of) the DCs.
DNS is again the most likely cause of slowness and DCDiag should
be run periodically anyway.
