The information in this article applies to:
IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe. SYMPTOMSAfter you run the Listacct.exe utility on a primary domain controller, you may experience CPU usage as high as 90 to 100 percent. Severe latency when opening applications and slow desktop navigation will result from the CPU bottleneck. CAUSEThese symptoms are caused by the RestrictAnonyomous value conflicting with the recent adjustment of user privileges after running Listacct.exe. When RestrictAnonymous is set to 1, it competes with the privileges set or denied by Listacct.exe within the local security authority (LSA), which results in the high CPU usage. RESOLUTION
To bring the server back to a normal state, change the following registry value:
This step can be very time consuming because control of the system is being consumed by LSASS. It is recommended that the server be restarted and these steps be run immediately after restarting. MORE INFORMATION
Domain administrators can use the Listacct.exe tool to grant or deny the
right to list domain user accounts. You can obtain the Listacct.exe tool
by calling Microsoft Technical Support. The Listacct.exe tool uses the
following syntax:
A user who is not granted the "Domain List Accounts" right does not see a list of domain users in the User Manager tool. To use the Listacct.exe tool to grant only members of the Domain Administrators and Account Operators groups permission to list user accounts, use the following command: Listacct "-gDomain Administrators" "-gAccount Operators" "-dEveryone"NOTE: The domain administrator should run this command on the primary domain controller. The Listacct.exe tool is designed for Windows NT 3.51 or 4.0. Using the Listacct.exe tool on a computer running Windows 2000 with the Active Directory directory services installed could lead to unpredictable results and is not supported by Microsoft. REFERENCESFor additional information, please see the following article(s) in the
Microsoft Knowledge Base: Q143474 Restricting Information Available to Anonymous Logon Users Q180782 How to Modify the Right to Display Users in User Manager Additional query words:
Keywords : |
Last Reviewed: February 12, 1999 © 2000 Microsoft Corporation. All rights reserved. Terms of Use. |