RE: [ActiveDir] 1000 groups

[freddy_hartono]

More info on tokensz and maxtokensize regkey and its problem, as described by Dean earlier   http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/3872f0d7-e4b3-49ed-9a4b-1fefbf0d4547.mspx   http://support.microsoft.com/default.aspx?scid=kb;en-us;327825     Thank you and have a splendid day!   Kind Regards,   Freddy Hartono Windows Administrator (ADSM/NT Security) Spherion Technology Group, Singapore For Agilent Technologies E-mail: [EMAIL PROTECTED]   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Wednesday, April 13, 2005 1:39 AM To: Send - AD mailing list Subject: RE: [ActiveDir] 1000 groups   Firstly, the so-called well-known ~1000 limitation and the ~5000 limitation are entirely unrelated.    Regarding token bloat; the more accurate max. SIDs value is 1015.  This is due to 9 well-known SIDs that are always present and should, therefore, not be part of any calculation as to what we can be administratively affected. In addition, tickets handed out by 2K3 DCs always contain DL group SIDs regardless of domain mode and, as such, are always a little bigger than a corresponding ticket issued by a 2000 DC in mixed mode (this is done solely to avoid inconsistencies during transition of modes -- considered a bug by many, myself included).    In contrast, we do attempt to compress specific tokens by maintaining only the RID (not the whole SID) where applicable.  A MaxTokenSize registry value exists that simply governs the upper limit.  Increasing the value will likely cause performance concerns and, more significantly, potential application failures due to timeouts (too many SIDs to compare, call does not return and app. assumes failure).  This article eludes to the problem -   http://support.microsoft.com/kb/313661/   Real-time token size can be calculated using the following tool -   http://www.microsoft.com/downloads/details.aspx?FamilyID=4a303fa5-cf20-43fb-9483-0f0b0dae265c&displaylang=en -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Fischer Sent: Tuesday, April 12, 2005 12:45 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] 1000 groups Hi All: Can an AD user be a member of more that 1000 groups?  Someone told me that 1000 was an AD limitation.   Is that true? Thanks, --Brian         E-mail Full?  Check out our Exchange Tools!   Brian Fischer Microsoft Systems Consultant Quest Software 4320 Winfield Rd Suite 500 Warrenville, IL 60555 [EMAIL PROTECTED] tel: fax: mobile: 630-836-3160 949-754-8999 630-567-2825   Last year’s email – today’s key piece of evidence! Find it fast with Quest Recovery Manager for Exchange. Get your free Technical Brief on e-Discovery.       With Quest Software, you can expect more... more performance, more productivity, more value from your IT investments. Visit www.quest.com to learn how.