How to disable Global Catalog server for validating user logons

If you have a remote office that connects to the main office but you don't have a domain controller in the remote site, you may want to disable the requirement that a global catalog server be available to validate user logons.

For Windows 2000

1. Start Registry Editor (Regedt32.exe).

2. Locate and then click the following key in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

3. On the Edit menu, click Add Key, and then add the following registry key:

Key name: IgnoreGCFailures

Note: Windows 2000 provides this key for diagnostic purposes. There is no specific value to specify for this key. Only the presence or the absence of this key is tested.

4. Quit Registry Editor.

5. Restart the domain controller.

For Windows 2003

1. Start Registry Editor (Regedit.exe).

2. Locate and then click the following key in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

3. On the Edit menu, click New, click DWORD Value, and then add the following registry key:

Key name: IgnoreGCFailures
Value: 1

4. Quit Registry Editor.

5. Restart the domain controller.

This setting needs to be set on the domain controller that performs the initial authentication of the user.

Notes

1. This setting causes potential security vulnerabilities if universal groups are also used.

2. If this setting is enabled, universal groups should not be used. The key turns off enumeration of universal groups, so if a user is a member of a universal group and that group is denied access to a resource, the universal group SID is not added to the user's token and the user could have access to the resource.
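
To find where this setting is in effect and which groups the notes above apply to, the following audit script is an added example, not part of the original page. It assumes a management host with the ActiveDirectory PowerShell module and that the Remote Registry service is reachable on each domain controller.

```powershell
# Added audit example (assumptions: ActiveDirectory module is installed and
# Remote Registry is reachable on every domain controller in the domain).
Import-Module ActiveDirectory

$lsaPath = 'SYSTEM\CurrentControlSet\Control\Lsa'
$name    = 'IgnoreGCFailures'

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $row = [pscustomobject]@{
        DomainController = $dc.HostName
        SubkeyPresent    = $null   # Windows 2000 form: presence of the key
        ValueData        = $null   # Windows 2003 form: DWORD value data
        Error            = $null
    }
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $dc.HostName)
        $lsa = $hklm.OpenSubKey($lsaPath)
        # -contains is case-insensitive, matching registry name semantics.
        $row.SubkeyPresent = $lsa.GetSubKeyNames() -contains $name
        $row.ValueData     = $lsa.GetValue($name, $null)
        $lsa.Close(); $hklm.Close()
    } catch {
        # Unreachable or access-denied DCs are reported, not silently skipped.
        $row.Error = $_.Exception.Message
    }
    $row
}
$report | Format-Table -AutoSize

# Domain controllers where the setting exists in either form.
$flagged = $report | Where-Object {
    $_.SubkeyPresent -or ($null -ne $_.ValueData)
}

if ($flagged) {
    # Per the notes above, SIDs of universal groups are not added to the
    # user's token on these DCs, so access denied to such a group may not be
    # enforced. List the universal security groups that need review.
    Get-ADGroup -Filter "GroupScope -eq 'Universal' -and GroupCategory -eq 'Security'" |
        Select-Object Name, DistinguishedName |
        Format-Table -AutoSize
}
```

A domain controller that shows an Error entry has not been checked and should be inspected locally with Registry Editor.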

Copyright © 2002-2018 ChicagoTech.net, All rights reserved. Unauthorized reproduction forbidden.