JSI Tip 2485. How do I eliminate the need for a Global Catalog server to be available to validate user logons?

When a user logs on to a Windows 2000 domain, the validating domain controller must contact a Global Catalog (GC) server to determine if the user is a member of a Universal group. If the GC cannot be contacted, the logon may fail.

To eliminate the need for a Global Catalog server at a site, use Regedt32 to navigate to:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa

On the Edit menu, click Add Value and add the value name IgnoreGCFailures with the REG_DWORD data type. Set the data value to 1.

NOTE: Do NOT use Universal groups, because enabling IgnoreGCFailures prevents their enumeration. If a resource's ACL denies access through a Universal group, the denial is not applied and the user will gain access to the resource.

NOTE: There is no way, other than an administrator's care, to prevent Universal groups from being used.
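
Why the first NOTE matters, as an added example (a simplified model of ACL evaluation written for this page, not Microsoft code): a deny entry only takes effect if the denied group is in the user's logon token. The user, group names and ACL are constructed sample data, and the token logic assumes only what the NOTE states, that Universal groups are not enumerated once IgnoreGCFailures is set.

```python
# Simplified model of Windows DACL evaluation (illustration only).
# All users, groups and ACL entries below are constructed sample data.
from typing import NamedTuple

READ, WRITE = 0x1, 0x2

class Ace(NamedTuple):
    kind: str   # "deny" or "allow"
    sid: str    # trustee the entry applies to
    mask: int   # access bits covered by the entry

def build_token(user, memberships, gc_reachable, ignore_gc_failures):
    """Return the set of identities in the logon token, or None if logon fails."""
    if not ignore_gc_failures and not gc_reachable:
        return None  # default behaviour: no GC, so the logon may fail
    token = {user}
    for group, scope in memberships:
        # Per the NOTE: with IgnoreGCFailures set, Universal groups are
        # not enumerated, so they never reach the token.
        if scope == "universal" and ignore_gc_failures:
            continue
        token.add(group)
    return token

def access_check(token, dacl, desired):
    """Walk entries in order: a matching deny wins, allows accumulate."""
    remaining = desired
    for ace in dacl:
        if ace.sid not in token:
            continue  # entry for a group missing from the token is skipped
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False  # nothing granted the remaining bits

MEMBERSHIPS = [("Domain Users", "global"), ("Contractors-U", "universal")]
DACL = [Ace("deny", "Contractors-U", READ | WRITE),
        Ace("allow", "Domain Users", READ)]

def demo():
    """Compare the same read request under the default and the tweaked setting."""
    default = build_token("alice", MEMBERSHIPS, True, ignore_gc_failures=False)
    tweaked = build_token("alice", MEMBERSHIPS, False, ignore_gc_failures=True)
    return access_check(default, DACL, READ), access_check(tweaked, DACL, READ)

if __name__ == "__main__":
    print(demo())
```

The same check applies when auditing: any ACL that carries a deny entry for a Universal group stops protecting the resource on domain controllers where IgnoreGCFailures is 1.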
