Re: Too many groups problem

From: Raymond Breen (deathmatchuk_at_hotmail.com)
Date: 06/01/05 

Date: Wed, 1 Jun 2005 14:43:39 +0100

Thanks for that response Mike, not quite what I wanted to hear, but at least
you have confirmed my own views. Unfortunately my company uses ad securty
group membership to define access to invididual directories for ongoing
project work, so if you happen to be senior manager, it is feasible that you
end up being a member of a huge amount of groups, especially with our nested
group structure.

We are looking into alternatives(namely some sort of document control) but
have not came across anything simple enough for users to utilise like a file
structure accessed as a normal network drive, but with the flexibility of
being able to the granular access control like ntfs

Cheers

Ray

"Mike Brannigan [MSFT]" <mikebran@online.microsoft.com> wrote in message
news:%239W1etpZFHA.3152@TK2MSFTNGP14.phx.gbl...
> "Raymond Breen" <deathmatchuk@hotmail.com> wrote in message
> news:O55jh8nZFHA.2520@TK2MSFTNGP09.phx.gbl...
>> Hi All,
>>
>> After rebuilding several machines to windows xp, we are experiencing
>> problems where certain users if they are members of quite a few groups
>> (750+) encounter problems running group policy and general authentication
>> issues on the domain.
>>
>> This only happens to those accounts, so i have ruled out the machines
>> themselves. As part of the process we also move the user and machine into
>> a new o/u structure. I have followed all of microsofts recommendations
>> for increasing token size, kerberos logging , group policy diagnosis all
>> without finding a solution.
>>
>> Has anyone else came across this and managed to get the issues resolved?
>
> Yes this is a known issue.
> You need to re architect to reduce the number of groups your users are a
> member of.
> 750+ groups is excessive. You need to consider why they are and continue
> to be a member of so many different groups.
> I also suspect that you may also have some nesting taking place to
> accumulate more group membership - this too should be investigated.
> If you keep on going at this rate you will encounter a situation where
> users will be unable to logon at all.
>
> --
>
> Regards,
>
> Mike
> --
> Mike Brannigan [Microsoft]
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights
>
> Please note I cannot respond to e-mailed questions, please use these
> newsgroups
>
> "Raymond Breen" <deathmatchuk@hotmail.com> wrote in message
> news:O55jh8nZFHA.2520@TK2MSFTNGP09.phx.gbl...
>> Hi All,
>>
>> After rebuilding several machines to windows xp, we are experiencing
>> problems where certain users if they are members of quite a few groups
>> (750+) encounter problems running group policy and general authentication
>> issues on the domain.
>>
>> This only happens to those accounts, so i have ruled out the machines
>> themselves. As part of the process we also move the user and machine into
>> a new o/u structure. I have followed all of microsofts recommendations
>> for increasing token size, kerberos logging , group policy diagnosis all
>> without finding a solution.
>>
>> Has anyone else came across this and managed to get the issues resolved?
>>
>
>