More info on tokensz and maxtokensize regkey and its problem, as described by Dean earlier

 

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/3872f0d7-e4b3-49ed-9a4b-1fefbf0d4547.mspx

 

http://support.microsoft.com/default.aspx?scid=kb;en-us;327825

 

 

Thank you and have a splendid day!

 

Kind Regards,

 

Freddy Hartono

Windows Administrator (ADSM/NT Security)

Spherion Technology Group, Singapore

For Agilent Technologies

E-mail: [EMAIL PROTECTED]

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, April 13, 2005 1:39 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] 1000 groups

 

Firstly, the so-called well-known ~1000 limitation and the ~5000 limitation are entirely unrelated. 

 

Regarding token bloat; the more accurate max. SIDs value is 1015. This is due to 9 well-known SIDs that are always present and should, therefore, not be part of any calculation as to what can be administratively affected. In addition, tickets handed out by 2K3 DCs always contain DL group SIDs regardless of domain mode and, as such, are always a little bigger than a corresponding ticket issued by a 2000 DC in mixed mode (this is done solely to avoid inconsistencies during transition of modes -- considered a bug by many, myself included).

 

In contrast, we do attempt to compress specific tokens by maintaining only the RID (not the whole SID) where applicable. A MaxTokenSize registry value exists that simply governs the upper limit. Increasing the value will likely cause performance concerns and, more significantly, potential application failures due to timeouts (too many SIDs to compare, call does not return and app. assumes failure). This article alludes to the problem -

 

 

Real-time token size can be calculated using the following tool -

 

--
Dean Wells
MSEtechnology
Email: [EMAIL PROTECTED]
http://msetechnology.com
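
As an added illustration (not part of the thread and not any poster's code), the Python below applies the size estimate from KB 327825, TokenSize = 1200 + 40d + 8s, next to the 1015-SID figure from the message above, to show that the SID-count limit and MaxTokenSize trip independently. The function and field names, the group lists, the domain names and the 12000-byte default are assumptions.

```python
from typing import NamedTuple

# The formula constants come from KB 327825 (linked in the thread); 1015 is the
# figure given in the thread. DEFAULT_MAX_TOKEN_SIZE is an assumption for
# systems of that era; read the real MaxTokenSize value from the registry.
BASE_OVERHEAD = 1200        # estimated fixed overhead, in bytes
FULL_SID_BYTES = 40         # group carried as a whole SID
RID_ONLY_BYTES = 8          # group compressed to its RID
MAX_GROUP_SIDS = 1015       # usable SIDs per the thread
DEFAULT_MAX_TOKEN_SIZE = 12000

class Estimate(NamedTuple):
    d: int                  # groups counted at 40 bytes
    s: int                  # groups counted at 8 bytes
    token_bytes: int
    over_sid_limit: bool
    over_max_token: bool

def estimate(groups, account_domain, sid_history=0,
             max_token_size=DEFAULT_MAX_TOKEN_SIZE):
    """groups: iterable of (scope, domain); scope is 'global',
    'universal' or 'domainlocal'. sid_history: number of sIDHistory SIDs."""
    d = sid_history         # the KB counts each SID-history entry in d
    s = 0
    for scope, domain in groups:
        same_domain = domain.lower() == account_domain.lower()
        if scope == "global" or (scope == "universal" and same_domain):
            s += 1          # RID-only entry
        elif scope in ("universal", "domainlocal"):
            d += 1          # full-SID entry
        else:
            raise ValueError(f"unknown group scope: {scope!r}")
    size = BASE_OVERHEAD + FULL_SID_BYTES * d + RID_ONLY_BYTES * s
    return Estimate(d, s, size, d + s > MAX_GROUP_SIDS, size > max_token_size)

# Constructed sample memberships (not real data).
CORP = "corp.example"
mostly_global = [("global", CORP)] * 1000 + [("universal", CORP)] * 20
mostly_local = ([("domainlocal", CORP)] * 250
                + [("universal", "emea.example")] * 30)

if __name__ == "__main__":
    for name, g in (("mostly_global", mostly_global),
                    ("mostly_local", mostly_local)):
        print(name, estimate(g, CORP))
```

In the constructed data, the mostly-global user exceeds the SID count at an estimated 9360 bytes, while the user with 280 full-SID groups exceeds 12000 bytes far below 1015 SIDs.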

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Fischer
Sent: Tuesday, April 12, 2005 12:45 PM
To: [email protected]
Subject: [ActiveDir] 1000 groups

Hi All:

Can an AD user be a member of more than 1000 groups? Someone told me that 1000 was an AD limitation. Is that true?

Thanks,

--Brian

 

 

 

 


 

Brian Fischer
Microsoft Systems Consultant

Quest Software
4320 Winfield Rd
Suite 500
Warrenville, IL 60555

[EMAIL PROTECTED]

tel: 630-836-3160
fax: 949-754-8999
mobile: 630-567-2825

 
