How can I let users log on to the domain when they can’t contact the Global Catalog (GC)?

When a user logs on to a native-mode domain, a GC is consulted to check the user’s Universal group memberships. If the user can’t contact a GC, the logon will fail. To let users log on even when no GC can be contacted, perform the following steps on the servers that service the client logons:

1. Start a registry editor (e.g., regedit.exe) on each domain controller (DC).
2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry subkey.
3. From the Edit menu, select New, DWORD Value.
4. Enter the name IgnoreGCFailures, set the value to 1, then press Enter.
5. Close the registry editor.
6. Restart the DC.

Be aware that performing these steps can cause security problems. For example, imagine that you’re a member of the Universal group that’s denied access to a particular network resource. If your system can’t contact the GC when you log on, your user token won’t have the SID of the Universal group. In that case, you might be able to access the denied resource just as if you weren’t a member of the Universal group.
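Because the setting weakens deny-by-group controls, it helps to know which DCs have it enabled. The following audit function is an added example, not part of the original article; the function name is hypothetical, remote checks assume PowerShell remoting (WinRM) is enabled on the DCs, and the extra check for a subkey of the same name is an assumption covering the case where the setting was created as a key rather than a value.

```powershell
# Added example: report whether IgnoreGCFailures is set on one or more DCs.
# Get-IgnoreGCFailuresState is a hypothetical name, not a built-in cmdlet.
function Get-IgnoreGCFailuresState {
    [CmdletBinding()]
    param(
        # DC host names to check; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    $check = {
        $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        # Form described in the steps above: a DWORD value named IgnoreGCFailures.
        $value = (Get-ItemProperty -Path $lsa -Name 'IgnoreGCFailures' `
                    -ErrorAction SilentlyContinue).IgnoreGCFailures
        # Assumption: also look for a subkey of the same name.
        $subkey = Test-Path -Path (Join-Path $lsa 'IgnoreGCFailures')

        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            DwordValue   = $value
            SubkeyExists = $subkey
            AtRisk       = ($value -eq 1) -or $subkey
            Error        = $null
        }
    }

    foreach ($name in $ComputerName) {
        try {
            if ($name -eq $env:COMPUTERNAME) {
                & $check
            } else {
                Invoke-Command -ComputerName $name -ScriptBlock $check -ErrorAction Stop |
                    Select-Object ComputerName, DwordValue, SubkeyExists, AtRisk, Error
            }
        } catch {
            # An unreachable DC is reported, not silently skipped.
            [pscustomobject]@{
                ComputerName = $name
                DwordValue   = $null
                SubkeyExists = $null
                AtRisk       = $null
                Error        = $_.Exception.Message
            }
        }
    }
}

# Check the local machine; pass -ComputerName with your DC names to check remotely.
Get-IgnoreGCFailuresState | Format-Table -AutoSize
```

A row with `AtRisk` set to `True` marks a DC where logons can proceed without Universal group SIDs in the token; a row with `Error` populated means that DC could not be checked.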

One Response to How can I let users log on to the domain when they can’t contact the Global Catalog (GC)?

  1. Don’t you find that you are both arguing the same point? I suggest you go over all of , then Google i can t logon and make up your mind, as arguing until Sunday probably won’t make any difference.
