When a user logs onto a Windows 2000 domain, the validating domain controller must contact a Global Catalog server to determine if the user is a member of a Universal group. If the GC can not be contacted, the logon may fail.
To eliminate the need for a Global Catalog server at a site, use Regedt32 to navigate to:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
On the Edit menu, Add Value name IgnoreGCFailures as a REG_DWORD data type. Set the data value to 1.
NOTE: Do NOT use Universal groups, as enabling IgnoreGCFailures will prevent their enumeration. If access is denied via a Universal group ACL, the user will gain access to the resource.
NOTE: There is no way, other than an administrator's care, to prevent Universal groups from being used.