That wouldn't impact mail delivery for DLs though. No tokens are involved,
it is strictly LDAP lookup (or pulled from cache if the info is already
there).

Definitely something to keep in mind otherwise though.

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, February 06, 2006 8:44 PM
To: [email protected]
Subject: RE: [ActiveDir] Nesting groups

 
No, there is no limit on the nesting of groups; however, there is a limit on
what the Kerberos token size may be.  Consider that if you are a member
of a group which is a member of 10 groups which is a member of two groups
each.  You look at your account and see that you are only a member of one
group right?  AD Security will see this differently - you are actually a
member of 10x2+10+1 or 32 Groups.  There is a finite limit to your security
token size which is defined in the registry of the local workstation and
server:

http://support.microsoft.com/kb/280830

This can easily break other systems and will result in truncating the
remaining groups it cannot accommodate.

Regards
Jon


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, February 06, 2006 8:35 PM
To: [email protected]
Subject: RE: [ActiveDir] Nesting groups

No limits that I am aware of, I swear I have tested in the past to 4 or
5 layers and seen it work. I know I definitely tested three layers as I have
done that several times to mimic various environments.  

I would 

A. Make sure all groups/users in question are mail-enabled.

B. Make sure that the groups truly are universal.

C. Make sure that the groups are all replicating properly to the GCs that
the Exchange servers are using.

D. Double-check settings on the groups that you think are involved in users
not getting mail. 

E. For testing, send mail to each of the lists individually and check for
receipt. Step up a level in nesting, repeat.

The size of the DL is relatively small so it isn't an issue with number of
users. 




--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Monday, February 06, 2006 11:30 AM
To: [email protected]
Subject: [ActiveDir] Nesting groups

Is there a limit to the amount of nesting which can be carried out on
Universal Security Groups?

We have a single domain (mix of Windows 2003 and 2000 servers) with Exchange
2003 and a number of nested groups but we've just discovered a problem -
mail sent to some of the lists is not reaching all the members of the list.

Some detail:

Top level list: Technology_Faculty

This comprises: Technology_Teaching, Technology_Support, Technology_Admin,
Technology_Technicians

Each of those groups is split further; eg:
Technology_Teaching contains: School_Auto_Engineering,
School_Building_Crafts, School_Mech_Engineering etc

The schools then split eg:
School_Auto_Engineering: Curriculum_Body_Paint, Curriculum_Mechanical

and users are added to the lowest level groups.

Email sent to the Technology_faculty group doesn't get delivered to all the
people - as far as I can tell (by looking at the Exchange log) it misses
completely the group called "technology_teaching"

In total, there are only about 200 people across all the sub-groups.

If this is "working as designed" then is there a way round it? If it's
broken, then suggestions, please, for fixing it!

Steve
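
The group side of checks A, B and E from the reply above, together with the nested-membership expansion described in the token-size reply, as an added example that is not part of the original thread. The directory snapshot is constructed from the group names in the original question; the user names, the `scope`/`mail` fields and the two faults are assumptions made for illustration.

```python
# Constructed snapshot of the thread's group layout (not real directory data).
# "mail" and "scope" are simplified stand-ins for the real AD attributes.
def grp(members, scope="universal", mail=True):
    return {"members": members, "scope": scope, "mail": mail}

DIRECTORY = {
    "Technology_Faculty": grp(["Technology_Teaching", "Technology_Support"]),
    "Technology_Teaching": grp(["School_Auto_Engineering"], scope="global"),  # fault
    "Technology_Support": grp(["user_d"]),
    "School_Auto_Engineering": grp(["Curriculum_Body_Paint", "Curriculum_Mechanical"]),
    "Curriculum_Body_Paint": grp(["user_a"], mail=False),  # fault
    "Curriculum_Mechanical": grp(["user_b", "user_c"]),
}

def walk(root, d=DIRECTORY):
    """Yield root and every group nested under it, each once (cycle-safe)."""
    seen, stack = set(), [root]
    while stack:
        name = stack.pop()
        if name not in seen:
            seen.add(name)
            yield name
            stack.extend(m for m in d[name]["members"] if m in d)

def audit(root, d=DIRECTORY):
    """Checks A and B: map each failing group to its list of problems."""
    findings = {}
    for name in walk(root, d):
        problems = []
        if not d[name]["mail"]:
            problems.append("not mail-enabled")
        if d[name]["scope"] != "universal":
            problems.append("scope is " + d[name]["scope"])
        if problems:
            findings[name] = problems
    return findings

def expected_recipients(root, d=DIRECTORY):
    """Check E: users who should receive mail sent to root."""
    return {m for g in walk(root, d) for m in d[g]["members"] if m not in d}

def effective_groups(user, d=DIRECTORY):
    """All groups a user is in, directly or through nesting."""
    found, frontier = set(), {user}
    while frontier:
        frontier = {g for g in d if frontier & set(d[g]["members"])} - found
        found |= frontier
    return found

if __name__ == "__main__":
    print(audit("Technology_Faculty"))
```

Running `expected_recipients` at each nesting level gives the list to compare against actual receipts when stepping up one level at a time.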
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
