Select the product you need help with
- Internet Explorer
- Windows Phone
- More products
How to restrict the lookup of isolated names in external trusted domains by using the LsaLookupRestrictIsolatedNameLevel registry entry
Article ID: 818024 - View products that this article applies to.
Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/322756/ )How to back up and restore the registry in Windows
By default, in the Microsoft Windows Server 2003 family and in the Microsoft Windows 2000 Server family, when the LookupAccountName function or the LsaLookupNames function resolves isolated names to security identifiers (SIDs), a remote procedure call (RPC) is made to domain controllers on external trusted domains. (An isolated name is an ambiguous, non-domain-qualified user account.) In situations where the primary domain has many external trust relationships with other domains or where many lookups are performed at the same time, performance may decrease. You may see increased memory usage and increased CPU usage on the domain controller.
The LookupAccountName function and the LsaLookupNames function can also be called by scripts or by tools that edit security settings, where account names must be mapped to SIDs. Examples of tools that you can use to edit security settings are Cacls.exe, Xcacls.exe, Dsacls.exe, and Subinacl.exe.
This article contains information about how to edit the registry to control whether the lookup of isolated names is performed in external trusted domains in Windows Server 2003 and in Windows 2000 Server.
The lookup functions accept names that use the following formats:
The fourth name format, (Isolated) AccountName, is ambiguous. The lookup functions must systematically try to resolve the name to an SID by making an RPC to every trusted domain. For environments where many external trusts exist, this operation may require a serial enumeration of the trusted domains that involves making an RPC to a domain controller on each domain. In this scenario, performance decreases as the number of trusted domains increases.
If a script or a program tries to resolve an isolated name, performance may be slow. For example, this problem may occur if the script or the program is configured to run at logon time. The problem may also occur if the script or the program runs on many clients at the same time. In environments with many external trusted domains that use such programs, you may want to disable the lookup and resolution of isolated names to SIDs for external trusted domains.
Edit the registry to disable (or enable) the lookup of isolated names in external trusted domainsImportant If you are running Windows 2000 Server, you have to first install the hotfix that is described in the "Windows 2000 Server hotfix information" section later in this article before you can use this procedure.
To edit the registry to control whether lookup of isolated names is performed in external trusted domains, create the following registry entry:
LsaLookupRestrictIsolatedNameLevelentry is not present in the registry.
To create the
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LsaLookupRestrictIsolatedNameLevelregistry entry and to disable or to enable the lookup of isolated names in external trusted domains, follow these steps.
Note Create this registry entry only on domain controllers.
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
Windows 2000 Server hotfix informationA supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/?ws=supportNote The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
PrerequisitesThis hotfix requires Microsoft Windows 2000 Service Pack 3 (SP3).
Restart requirementYou have to restart the computer after you apply this hotfix.
Hotfix replacement informationThis hotfix does not replace any other hotfixes.
File informationThe English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Date Time Version Size File name -------------------------------------------------------- 25-Sep-2003 12:11 5.0.2195.6824 124,688 Adsldp.dll 25-Sep-2003 12:11 5.0.2195.6824 132,368 Adsldpc.dll 25-Sep-2003 12:11 5.0.2195.6824 63,760 Adsmsext.dll 25-Sep-2003 12:11 5.0.2195.6824 381,712 Advapi32.dll 25-Sep-2003 12:11 5.0.2195.6824 69,904 Browser.dll 25-Sep-2003 12:11 5.0.2195.6824 136,464 Dnsapi.dll 25-Sep-2003 12:11 5.0.2195.6824 96,016 Dnsrslvr.dll 25-Sep-2003 12:11 5.0.2195.6824 47,376 Eventlog.dll 25-Sep-2003 12:11 5.0.2195.6824 148,240 Kdcsvc.dll 20-Sep-2003 15:32 5.0.2195.6824 205,584 Kerberos.dll 20-Sep-2003 15:32 5.0.2195.6824 71,888 Ksecdd.sys 25-Sep-2003 08:58 5.0.2195.6826 510,224 Lsasrv.dll 25-Sep-2003 08:58 5.0.2195.6826 33,552 Lsass.exe 20-Sep-2003 15:32 5.0.2195.6824 109,840 Msv1_0.dll 25-Sep-2003 12:11 5.0.2195.6824 307,984 Netapi32.dll 25-Sep-2003 12:11 5.0.2195.6824 361,232 Netlogon.dll 25-Sep-2003 12:11 5.0.2195.6826 931,600 Ntdsa.dll 25-Sep-2003 12:11 5.0.2195.6824 392,464 Samsrv.dll 25-Sep-2003 12:11 5.0.2195.6824 113,936 Scecli.dll 25-Sep-2003 12:11 5.0.2195.6824 259,856 Scesrv.dll 25-Sep-2003 12:11 5.0.2195.6824 48,912 W32time.dll 20-Sep-2003 15:32 5.0.2195.6824 57,104 W32tm.exe 25-Sep-2003 12:11 5.0.2195.6824 126,224 Wldap32.dll
Article ID: 818024 - Last Review: April 15, 2009 - Revision: 7.0