How to restrict the lookup of isolated names to external trusted domains in Windows Server

Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows

Summary

By default, when the LookupAccountName function or the LsaLookupNames function resolves isolated names to security identifiers (SIDs) in Windows Server, a remote procedure call (RPC) is made to domain controllers on external trusted domains. (An isolated name is an ambiguous, non-domain-qualified user account.) In situations in which the primary domain has many external trust relationships with other domains or in which many lookups are performed at the same time, performance may decrease. You may see increased memory usage and increased CPU usage on the domain controller.

The LookupAccountName function and the LsaLookupNames function can also be called by scripts or tools that edit security settings. There, account names must be mapped to SIDs. Examples of tools that you can use to edit security settings are Cacls.exe, Xcacls.exe, icacls, Dsacls.exe, and Subinacl.exe. 

This article describes how to edit the registry to control whether the lookup of isolated names is performed in external trusted domains in Windows Server.

More Information

The lookup functions accept names that use the following formats:
  • NetBIOSDomainName\AccountName
  • DnsDomainName\AccountName
  • (UPN) AccountName@DnsDomainName
  • (Isolated) AccountName
For the first three name formats in the list, the lookup functions can directly target a domain controller on the appropriate domain because these name formats contain the domain that is authoritative for the security principal.

The fourth name format, (Isolated) AccountName, is ambiguous. The lookup functions must systematically try to resolve the name to an SID by making an RPC to every trusted domain. For environments where many external trusts exist, this operation may require a serial enumeration of the trusted domains that involves making an RPC to a domain controller on each domain. In this scenario, performance decreases as the number of trusted domains increases.

If a script or a program tries to resolve an isolated name, performance may be slow. For example, this problem may occur if the script or the program is configured to run at logon time. The problem may also occur if the script or the program runs on many clients at the same time. In environments with many external trusted domains that use such programs, you may want to disable the lookup and resolution of isolated names to SIDs for external trusted domains.

Edit the registry to disable (or enable) the lookup of isolated names in external trusted domains

Important If you are running Windows 2000 Server, you have to first install the hotfix that is described in the "Windows 2000 Server hotfix information" section later in this article before you can use this procedure.

To edit the registry to control whether lookup of isolated names is performed in external trusted domains, create the following registry entry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LsaLookupRestrictIsolatedNameLevel
  • If this entry does not exist, or if the value is set to 0, lookup for isolated names is performed across external trusted domains.
  • If this registry entry is set to 1, lookup for isolated names is not performed across external trusted domains.
By default, lookup for isolated names is performed across external trusted domains, and the LsaLookupRestrictIsolatedNameLevel entry is not present in the registry.

To create the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LsaLookupRestrictIsolatedNameLevel registry entry and to disable or to enable the lookup of isolated names in external trusted domains, follow these steps.

Note Create this registry entry only on domain controllers.

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
  1. Click Start, and then click Run.
  2. In the Open box, type regedit, and then click OK.
  3. Locate, and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
  4. On the Edit menu, point to New, and then click DWORD Value.
  5. Type LsaLookupRestrictIsolatedNameLevel, and then press ENTER.
  6. On the Edit menu, click Modify.
  7. Do one of the following, depending on your situation:
    • To disable the lookup of isolated names in external trusted domains, type 1 in the Value data box.
    • To enable the lookup of isolated names in external trusted domains, type 0 in the Value data box.
  8. Click OK, and then quit Registry Editor.

Windows 2000 Server hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

This hotfix requires Microsoft Windows 2000 Service Pack 3 (SP3).

Restart requirement

You have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace any other hotfixes.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Date         Time   Version        Size     File name 
--------------------------------------------------------
25-Sep-2003 12:11 5.0.2195.6824 124,688 Adsldp.dll
25-Sep-2003 12:11 5.0.2195.6824 132,368 Adsldpc.dll
25-Sep-2003 12:11 5.0.2195.6824 63,760 Adsmsext.dll
25-Sep-2003 12:11 5.0.2195.6824 381,712 Advapi32.dll
25-Sep-2003 12:11 5.0.2195.6824 69,904 Browser.dll
25-Sep-2003 12:11 5.0.2195.6824 136,464 Dnsapi.dll
25-Sep-2003 12:11 5.0.2195.6824 96,016 Dnsrslvr.dll
25-Sep-2003 12:11 5.0.2195.6824 47,376 Eventlog.dll
25-Sep-2003 12:11 5.0.2195.6824 148,240 Kdcsvc.dll
20-Sep-2003 15:32 5.0.2195.6824 205,584 Kerberos.dll
20-Sep-2003 15:32 5.0.2195.6824 71,888 Ksecdd.sys
25-Sep-2003 08:58 5.0.2195.6826 510,224 Lsasrv.dll
25-Sep-2003 08:58 5.0.2195.6826 33,552 Lsass.exe
20-Sep-2003 15:32 5.0.2195.6824 109,840 Msv1_0.dll
25-Sep-2003 12:11 5.0.2195.6824 307,984 Netapi32.dll
25-Sep-2003 12:11 5.0.2195.6824 361,232 Netlogon.dll
25-Sep-2003 12:11 5.0.2195.6826 931,600 Ntdsa.dll
25-Sep-2003 12:11 5.0.2195.6824 392,464 Samsrv.dll
25-Sep-2003 12:11 5.0.2195.6824 113,936 Scecli.dll
25-Sep-2003 12:11 5.0.2195.6824 259,856 Scesrv.dll
25-Sep-2003 12:11 5.0.2195.6824 48,912 W32time.dll
20-Sep-2003 15:32 5.0.2195.6824 57,104 W32tm.exe
25-Sep-2003 12:11 5.0.2195.6824 126,224 Wldap32.dll
속성

문서 ID: 818024 - 마지막 검토: 2014. 1. 8. - 수정: 1

피드백