How can I let users log on to the domain when they can't contact the Global Catalog (GC)?

A. When a user logs on to a native-mode domain, the domain controller (DC) that authenticates the logon contacts a GC to enumerate the user's Universal group memberships, because Universal groups can be defined in any domain of the forest. If that DC can't contact a GC, the logon fails. To let users log on even though no GC can be reached, perform the following steps on each DC that services client logons:

  1. Start a registry editor (e.g., regedit.exe) on each domain controller (DC).
  2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry subkey.
  3. From the Edit menu, select New, DWORD Value.
  4. Enter the name IgnoreGCFailures, set the value to 1, then press Enter.
  5. Close the registry editor.
  6. Restart the DC.
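The six steps above, applied to every DC in the current domain from one console, as an added example (this is not code from the original article). It assumes PowerShell remoting (WinRM) is enabled on the DCs and that you run it as a Domain Admin; the function and variable names are this example's own. As in the manual procedure, the value only takes effect after each DC restarts, which the script deliberately does not do for you.

```powershell
# Added example: audit or set HKLM\SYSTEM\CurrentControlSet\Control\Lsa\IgnoreGCFailures
# on every DC in the current domain. Assumes WinRM remoting to the DCs and Domain Admin rights.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Name   = 'IgnoreGCFailures'

function Get-DomainControllerNames {
    # Enumerate DCs through .NET so no ActiveDirectory module is required.
    [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
        ForEach-Object { $_.Name }
}

function Get-IgnoreGCFailures {
    param([string[]]$ComputerName = (Get-DomainControllerNames))
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($Key, $Name)
        $value = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
        [pscustomobject]@{
            DC               = $env:COMPUTERNAME
            IgnoreGCFailures = if ($null -eq $value) { 'not set' } else { $value }
            Effect           = if ($value -eq 1) { 'logon succeeds without GC; Universal SIDs dropped from token' }
                               else              { 'logon fails without GC (default)' }
        }
    } -ArgumentList $LsaKey, $Name
}

function Set-IgnoreGCFailures {
    param(
        [string[]]$ComputerName = (Get-DomainControllerNames),
        [ValidateSet(0, 1)][int]$Value = 1
    )
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($Key, $Name, $Value)
        # REG_DWORD as in the regedit steps; -Force overwrites an existing value.
        New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
        "$env:COMPUTERNAME : $Name = $Value (restart this DC for the change to take effect)"
    } -ArgumentList $LsaKey, $Name, $Value
}

# Usage: audit first, then enable only if you accept the security trade-off described below.
Get-IgnoreGCFailures | Format-Table -AutoSize
# Set-IgnoreGCFailures -Value 1    # enable on all DCs, then restart each one
# Set-IgnoreGCFailures -Value 0    # revert to the default (logon fails without a GC)
```

Before changing anything, confirm whether a GC is actually unreachable from the DC in question with `nltest /dsgetdc:<your-domain> /gc`; if that locates a GC, the logon failures have another cause and this registry value is the wrong fix.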

Be aware that enabling this value has security consequences. Access checks evaluate the SIDs present in the user's access token, so a Deny ACE that names a Universal group can only take effect if that group's SID made it into the token. For example, imagine that you're a member of a Universal group that's denied access to a particular network resource. If the DC can't contact a GC when you log on, your token won't contain the SID of that Universal group, and you might be able to access the denied resource just as if you weren't a member. The same gap also removes any access the Universal group grants, so users may find permissions missing until they log on again with a GC available.
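A way to detect the condition just described from the client side, as an added example rather than code from the original article: compare the group SIDs in the current logon token with the Universal security groups the account belongs to in AD. It assumes a domain logon and that a DC of the user's own domain answers LDAP; the function name and the bit constants' variable names are this example's own (the bit values are the documented ADS_GROUP_TYPE_UNIVERSAL_GROUP and ADS_GROUP_TYPE_SECURITY_ENABLED flags).

```powershell
# Added example: report Universal security groups the account belongs to whose SIDs are
# absent from the current logon token. Missing SIDs mean Deny (and Allow) ACEs naming those
# groups will not apply to this session, which is the situation IgnoreGCFailures can create.
function Get-MissingUniversalGroupSids {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids = @($identity.Groups | ForEach-Object { $_.Value })

    # groupType flag bits from ADS_GROUP_TYPE_ENUM
    $UNIVERSAL        = 0x8
    $SECURITY_ENABLED = 0x80000000

    # memberOf holds direct memberships only, and on an ordinary DC it lists groups from
    # the user's own domain; cross-domain Universal groups and nested memberships are only
    # visible when the same query is sent to a GC (LDAP port 3268).
    $searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$env:USERNAME))"
    $searcher.PropertiesToLoad.Add('memberOf') | Out-Null
    $user = $searcher.FindOne()
    if (-not $user) { throw "Account $env:USERNAME was not found in the current domain." }

    $missing = @()
    foreach ($dn in $user.Properties['memberof']) {
        $group = [adsi]"LDAP://$dn"
        $type  = [int64]$group.Properties['grouptype'][0]
        # Keep only Universal, security-enabled groups (distribution groups carry no SID in a token).
        if (-not (($type -band $UNIVERSAL) -and ($type -band $SECURITY_ENABLED))) { continue }

        $sidBytes = $group.Properties['objectsid'][0]
        $sid = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
        if ($tokenSids -notcontains $sid) {
            $missing += [pscustomobject]@{ Group = $group.Properties['name'][0]; Sid = $sid }
        }
    }
    return $missing
}

$missing = Get-MissingUniversalGroupSids
if ($missing) {
    Write-Warning "Token lacks $($missing.Count) Universal group SID(s); this logon most likely completed without a GC:"
    $missing | Format-Table -AutoSize
} else {
    'Every Universal security group found in AD is present in the logon token.'
}
```

Run it in the affected user's session; a non-empty result is exactly the token-versus-directory mismatch that lets a member of a denied Universal group slip past the Deny ACE. Logging off and on again once a GC is reachable rebuilds the token with the full membership.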

TAGS: Windows 8