Re: Group limitations

From: Jonathan (jonsteph@nospam.carolina.rr.com)
Date: 04/08/03

  • Next message: Lane Romel: "Re: Group limitations" 
    From: Jonathan <jonsteph@nospam.carolina.rr.com>
Date: Tue, 08 Apr 2003 01:38:49 GMT

    The limitation is actually closer to 5,000, and only applies to
    Windows 2000. Group membership is stored as a multi-valued attribute
    on the group object. Attribute size is limited to a finite size due to
    the requirements of AD replication. This limitations affect on group
    membership is to limit it to about 5,000 users.

    Domain Users is a special group, in that users aren't actually a
    member of that group by default. By default, all users are members of
    the Domain Users group, and that group is set as their Primary Group.
    Windows 2000 considers a user to be a member of their primary group
    even if they are not listed in the group's Member attribute. In fact,
    if you use LDP.EXE or ADSIEDIT.MSC and look at the member attribute of
    the Domain Users group, you'll see that it is empty (in LDP, empty
    attributes aren't listed).

    If you change a user's primary group, they will be explicity added to
    the Member attribute of the Domain Users group.

    This limitation doesn't just affect group membership. It also affects
    any other multivalued attribute -- such as activated DHCP servers.

    Windows 2003 adds a feature call linked-value replication, so this
    limitation does not apply.

    There's a KB article that describes this, but I can't find it on
    support.microsoft.com right now.

     - Jonathan

    On Mon, 07 Apr 2003 21:13:34 GMT, derek / nul <abuse@sgrail.org>
    wrote:

    >I have seen 28,000 in a 'users' group on a w2k domain?
    >
    >On Mon, 7 Apr 2003 12:38:53 -0400, "Lane Romel" <!laneromel@sympatico.ca> wrote:
    >
    >>While doing a profile for a domain structure I came across a Microsoft
    >>document that claims you can only have 4000 users in a group. Is this true
    >>or is the doccument out of touch?
    >>

  • Next message: Lane Romel: "Re: Group limitations"

    Relevant Pages

    • Re: Group limitations
      ... > member of that group by default. ... > the Domain Users group, and that group is set as their Primary Group. ... > This limitation doesn't just affect group membership. ...
      (comp.os.ms-windows.nt.admin.security)
    • Re: Another stab at Cantor
      ... D1 is not a member of R. ... This is still nonsense. ... This time your *L_n lists each have a last but no first element, ... a limitation preventing some such strings from being produced. ...
      (sci.math)
    • Re: public abstract static ...
      ... why is not possible to make a member of a class BOTH ... | derived class to implement both of these methods, with this limitation I ... can only declare virtual instance methods. ...
      (microsoft.public.dotnet.languages.csharp)
    • Re: Problem with READ-ONLY permissions
      ... > that is a member of domain users group on Windows 2000 ... > be able to create new folders and modify files. ...
      (microsoft.public.win2000.security)
    • Re: From my best friend in Houston
      ... read the AAMT forums or over at MTDesk for more ... limitation on being a member to receive any of the benefit. ...
      (sci.med.transcription)