Re: Group limitations

From: Lane Romel (!laneromel@sympatico.ca)
Date: 04/09/03


From: "Lane Romel" <!laneromel@sympatico.ca>
Date: Tue, 8 Apr 2003 23:49:35 -0400

Thank you for clearing that up. I was reading some white papers, but the
docs did not explain the nuances of the domain users group.

"Jonathan" <jonsteph@nospam.carolina.rr.com> wrote in message
news:lm949v45ih9norcmo2gujg8652t5rrrqb9@4ax.com...
> The limitation is actually closer to 5,000, and only applies to
> Windows 2000. Group membership is stored as a multi-valued attribute
> on the group object. Attribute size is limited to a finite size due to
> the requirements of AD replication. This limitation's effect on group
> membership is to limit it to about 5,000 users.
>
> Domain Users is a special group, in that users aren't actually a
> member of that group by default. By default, all users are members of
> the Domain Users group, and that group is set as their Primary Group.
> Windows 2000 considers a user to be a member of their primary group
> even if they are not listed in the group's Member attribute. In fact,
> if you use LDP.EXE or ADSIEDIT.MSC and look at the member attribute of
> the Domain Users group, you'll see that it is empty (in LDP, empty
> attributes aren't listed).
>
> If you change a user's primary group, they will be explicitly added to
> the Member attribute of the Domain Users group.
>
> This limitation doesn't just affect group membership. It also affects
> any other multivalued attribute -- such as activated DHCP servers.
>
> Windows 2003 adds a feature called linked-value replication, so this
> limitation does not apply.
>
> There's a KB article that describes this, but I can't find it on
> support.microsoft.com right now.
>
> - Jonathan
>
> On Mon, 07 Apr 2003 21:13:34 GMT, derek / nul <abuse@sgrail.org>
> wrote:
>
> >I have seen 28,000 in a 'users' group on a w2k domain?
> >
> >On Mon, 7 Apr 2003 12:38:53 -0400, "Lane Romel" <!laneromel@sympatico.ca> wrote:
> >
> >>While doing a profile for a domain structure I came across a Microsoft
> >>document that claims you can only have 4000 users in a group. Is this true
> >>or is the document out of touch?
> >>
>
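
An added example, not part of the original thread: a group audit that reads only the Member attribute misses users who belong through their primary group, as the quoted reply describes. The sketch below resolves each user's primary group from the `primaryGroupID` and `objectSid` attributes and reports who a Member-only listing would miss; the directory snapshot, domain SID, names and RIDs other than 513 are constructed sample data, and the function names are hypothetical.

```python
# Constructed directory snapshot; the domain SID, names and RIDs are made up.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_USERS_RID = 513  # well-known RID of the Domain Users group

GROUPS = {
    # carol's primary group was changed, so she is listed explicitly here.
    "Domain Users": {"objectSid": f"{DOMAIN_SID}-{DOMAIN_USERS_RID}",
                     "member": ["CN=carol"]},
    "Contractors": {"objectSid": f"{DOMAIN_SID}-1105", "member": ["CN=dave"]},
}
USERS = [
    {"dn": "CN=alice", "objectSid": f"{DOMAIN_SID}-1001", "primaryGroupID": 513},
    {"dn": "CN=bob", "objectSid": f"{DOMAIN_SID}-1002", "primaryGroupID": 513},
    {"dn": "CN=carol", "objectSid": f"{DOMAIN_SID}-1003", "primaryGroupID": 1105},
    {"dn": "CN=dave", "objectSid": f"{DOMAIN_SID}-1004", "primaryGroupID": 513},
]


def primary_group_sid(user):
    """Build the primary group's SID: the user's domain SID plus primaryGroupID."""
    domain_part, _, _own_rid = user["objectSid"].rpartition("-")
    return f"{domain_part}-{user['primaryGroupID']}"


def membership(group_name):
    """Split a group's members into those listed and those implied by primary group."""
    group = GROUPS[group_name]
    listed = set(group["member"])
    via_primary = {u["dn"] for u in USERS
                   if primary_group_sid(u) == group["objectSid"]}
    return {"listed": listed, "via_primary": via_primary,
            "effective": listed | via_primary}


def missed_by_member_listing(group_name):
    """Users an audit would miss if it read only the Member attribute."""
    m = membership(group_name)
    return sorted(m["effective"] - m["listed"])


if __name__ == "__main__":
    for name in GROUPS:
        m = membership(name)
        print(f"{name}: {len(m['listed'])} listed, "
              f"{len(m['effective'])} effective, "
              f"missed: {missed_by_member_listing(name)}")
```
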


