Apr 13, 2005

Do we need a GC or do we not when logging in?

Since the authenticating DC queries GC for the universal group membership, so the short answer would be YES. But a complete answer is
1) if it's a single domain environment, because each DC contains all information, a GC is not needed;
2) if there is not native domain, there is not universal group, therefore GC is not needed (for log in)
3) if you log on as local users, you don't even need DC; If you log on as Domain Admins, you don't need a GC to log in domain
4) if there is cached credential, you don't have to talk to a GC

Added 09/03/02
5) When user logs in using UPN, GC will be queried to determine the domain membership
6) if the group membership is cached on a local DC, client may not need to contact a GC