Poor performance when calling lookup functions to resolve names
Original KB number: 818024
When calling the LookupAccountName or LsaLookupNames function to resolve isolated names (ambiguous or non-domain-qualified user accounts) to security identifiers (SIDs), you may notice an increased usage of memory and CPU on the domain controller and decreased performance.
For example, poor performance might occur when using scripts or tools (such as Cacls.exe, Xcacls.exe, icacls.exe, Dsacls.exe, and Subinacl.exe) to call the functions to edit security settings.
The problem may show up when you have many trusted domains or forests (applies to both external and forest trusts), and/or some of these domains or forests are offline or slow to respond.
When the functions are called for an isolated name (the format is AccountName in contrast to domain\AccountName), a remote procedure call (RPC) is made to domain controllers on all trusted domains/forests. This issue might occur if the primary domain has many trust relationships with other domains/forests or if it's doing many lookups at a same time. For example, a script is configured to run at the startup of many clients, or many trusted domains/forests use the same script simultaneously.
Disable the lookup of isolated names in trusted domains/forests
Note
Create this registry entry only on domain controllers.
Here's how to create a registry entry to disable the lookup of isolated names in trusted domains/forests:
Important
This article contains instructions to modify the registry. Severe issues might occur if the registry is modified incorrectly. As a precaution, back up the registry before you modify it. For more information about how to back up, restore, and modify the registry, see How to back up and restore the registry in Windows.
Open Registry Editor.
Go to
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa.On the Edit menu, select New > DWORD Value.
Type LsaLookupRestrictIsolatedNameLevel, and press Enter.
Right-click LsaLookupRestrictIsolatedNameLevel and select Modify. Type 1 in the Value data box.
Note
By default, the LsaLookupRestrictIsolatedNameLevel entry is either set to 0 or doesn't exist. That means that the lookup for isolated names in trusted domains/forests is enabled.
Select OK and close Registry Editor.
More information
The lookup functions can directly target a domain controller on an appropriate domain for the following name formats that contain an authoritative domain of a security principal:
- NetBIOSDomainName\AccountName
- DnsDomainName\AccountName
- AccountName@DnsDomainName
For more information, see Network access validation algorithms and examples for Windows.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for