Article ID: 240142 - View products that this article applies to.
This article was previously published under Q240142
This article has been archived. It is offered "as is" and will no longer be updated.
A network administrator may need to prevent users from having their credentials validated by a specific domain controller for maintenance or troubleshooting purposes. This article describes how to prevent user logon validation from a single server.
To prevent a domain controller from validating users' credentials:
When you connect to shares on a BDC with a paused Net Logon service, validation is carried out locally at the BDC, not forwarded to another domain controller or the PDC. This applies only to the validation of users who are gaining direct access to resources on a BDC with a paused Net Logon service. The main objective of reducing the load on the BDC is met because the workstations and other member servers cannot set up a secure channel with the BDC. If you stop the Net Logon service instead of pausing it, the BDC does not receive updates from the PDC. In this case, a user could be denied access to a local share with a valid password after a password change has occurred.
You cannot set the Net Logon service to pause at startup. The service must run long enough to establish a secure channel with the PDC. You can automate this activity using the AT Scheduler tool to run a net pause netlogon command after the computer has started. You can also create a batch file to run the same command in a loop combined with the Sleep tool from the Windows NT 4.0 Resource Kit to set the delay between intervals.
For information about using the AT Scheduler tool, click Start, click Help, click the Index tab, type at, and then click Display.
Article ID: 240142 - Last Review: October 26, 2013 - Revision: 2.0
Contact us for more help