Groups have a 5000-member limit????
Markie
Member Posts: 54
Hey guys, just a query regarding the 5000 member limit for groups in Windows Server 2003.
Although I believe that the limit was removed with Server 2003, it would still apply at the Windows 2000 mixed and Windows 2000 native domain functional levels. Correct me if I am wrong, of course.
As Windows 2000 Server did have the 5000-member limit, I suppose it makes sense that domains comprising Windows 2000 Server machines would also be subject to such a limitation.
So, from my readings, the following would be true (but please correct me if I am wrong):
Domain Functional Level
- Windows 2000 mixed
5000 member limit for groups
- Windows 2000 native
5000 member limit for groups
- Windows Server 2003 Interim
no member limit for groups
- Windows Server 2003
no member limit for groups
To add further complexity, I believe that there is one further twist to the tale, and it is with respect to the use of primary groups.
The following statement summarises primary groups pretty well:
"The default primary group of a user is Domain Users. The primary group of a user is not stored in the members property of the group, but rather in the primaryGroupID property of the user. Consequently, the 5,000-member maximum of the Windows 2000 forest functional level doesn’t apply to primary groups, which means that you could have 100,000 users (or more) in your domain and they could all be members of Domain Users."
So, from the above statement, it seems that a primary group (such as Domain Users) has no limit, regardless of the domain functional level.
Although, where I get confused is that the concept of the primary group is used only by Macintosh clients and POSIX-compliant applications.
More specifically, the following statement confuses me:
"If a POSIX-compliant application were to be deployed on a network, and if that application required the primary group for over 5,000 users to be changed, then the PrimaryGroupID attribute would no longer be used to determine the Domain Users group membership. Consequently, the Domain Users group would become subject to the same 5,000-member limitation as all the other groups, and users might lose access to some of network resources because it might become impossible to determine the correct membership of the Domain Users group. For these reasons, Active Directory domains at the Windows 2000 mixed or Windows 2000 native functional levels do not support groups with more than 5,000 members."
I mean, could you not have more than one primary group operating within a domain (e.g. the domain users group and the POSIX group)?
So, in summary, could someone please clarify what the group membership maximum is and what effect primary groups have on this limitation (if it applies).
My thanks in advance.
Mark
The oxen is slow but the earth is patient!!!!
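The quoted paragraph above (a POSIX application moving more than 5,000 users to a different primary group) is easier to follow with the attribute mechanics in front of you. The PowerShell below is an added example, not code from the original thread or from Microsoft; it models a directory in memory rather than querying AD, so it runs offline. The 6000 users, the "posix-app" group and its RID 1105 are constructed for the example; 513 is the well-known RID of Domain Users, and the ~5000 figure is the approximate Windows 2000 mixed/native limit discussed in the thread.

```powershell
# Added example (not from the original thread). Models, on in-memory objects,
# why a user's primary group is invisible in that group's 'member' attribute and
# what happens to Domain Users' 'member' count when many users are moved to a
# different primary group. Users, the posix-app group and RID 1105 are made up.

$LegacyMemberLimit = 5000     # approximate limit at Windows 2000 mixed/native DFL
$DomainUsersRid    = 513      # well-known RID of Domain Users

# Directory model: groups keyed by RID; each has a Name and a 'Member' DN list
$Groups = @{
    513  = @{ Name = 'Domain Users'; Member = [System.Collections.Generic.List[string]]::new() }
    1105 = @{ Name = 'posix-app';    Member = [System.Collections.Generic.List[string]]::new() }
}

# 6000 constructed users, all with the default primary group (Domain Users)
$Users = 1..6000 | ForEach-Object {
    @{ DN = "CN=user$($_),OU=Staff,DC=example,DC=com"; PrimaryGroupId = $DomainUsersRid }
}

function Get-EffectiveGroupMembers {
    # Effective membership = explicit 'member' entries + users whose
    # primaryGroupID points at this group (stored on the user, not the group).
    param([int]$Rid)
    $g       = $Groups[$Rid]
    $primary = @($Users | Where-Object { $_.PrimaryGroupId -eq $Rid })
    [pscustomobject]@{
        Group           = $g.Name
        MemberAttribute = $g.Member.Count            # only this counts against the legacy limit
        ViaPrimaryGroup = $primary.Count
        Effective       = $g.Member.Count + $primary.Count
        OverLegacyLimit = $g.Member.Count -gt $LegacyMemberLimit
    }
}

function Set-UserPrimaryGroup {
    # Mirrors what the directory does on a primaryGroupID change: the user must
    # already be a direct member of the new group; the user is then dropped from the
    # new group's 'member' list (membership is now implied by primaryGroupID) and
    # written into the OLD primary group's 'member' list so no access is lost.
    param([hashtable]$User, [int]$NewRid)
    $new = $Groups[$NewRid]
    $old = $Groups[$User.PrimaryGroupId]
    if (-not $new.Member.Contains($User.DN)) {
        throw "$($User.DN) must be a member of $($new.Name) before it can be the primary group"
    }
    [void]$new.Member.Remove($User.DN)
    $old.Member.Add($User.DN)
    $User.PrimaryGroupId = $NewRid
}

# Before: Domain Users' 'member' attribute is empty even though 6000 users are in it
Get-EffectiveGroupMembers -Rid $DomainUsersRid

# A POSIX application requires 5500 users to have posix-app as their primary group
foreach ($u in $Users[0..5499]) {
    $Groups[1105].Member.Add($u.DN)                # step 1: make the user a direct member
    Set-UserPrimaryGroup -User $u -NewRid 1105     # step 2: switch primaryGroupID
}

# After: those 5500 users now sit in Domain Users' 'member' attribute, so the group
# would trip the legacy limit at Windows 2000 mixed/native functional level,
# while posix-app itself still shows an empty 'member' attribute.
Get-EffectiveGroupMembers -Rid $DomainUsersRid
Get-EffectiveGroupMembers -Rid 1105
```

The first call reports MemberAttribute 0 and ViaPrimaryGroup 6000 for Domain Users; after the loop it reports MemberAttribute 5500, ViaPrimaryGroup 500 and OverLegacyLimit True, which is exactly the failure the quoted paragraph describes. Against a real domain the same arithmetic applies: `Get-ADGroupMember` and the group's `member` attribute never show primary-group members, so a count of Domain Users has to add the users whose `primaryGroupID` equals 513.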
Comments
-
Markie Member Posts: 54
C'mon guys, someone must know something about the 5000 member limit and primary groups???
The oxen is slow but the earth is patient!!!!
-
royal Member Posts: 3,352
You can nest groups to get around it. The issue is due to 2000 not having Linked Value Replication and the fact that the JET database can't handle write operations at the "approximation" of 5000 users. So that 5,000 users is an approximation that Microsoft came up with taking into consideration all the attributes that an AD account can have. Because Windows 2003 has Linked Value Replication, it can get around this issue, since replication of 5000 users will only replicate specific attributes and not the entire AD account due to Linked Value Replication.
“For success, attitude is equally as important as ability.” - Harry F. Banks
-
royal Member Posts: 3,352
The thing here is that Linked Value Replication is a 2003 FFL feature, not a DFL feature. So I think you have to go to 2003 FFL for more than 5,000 users to be allowed into a group.
Also, another thing to keep in mind is that when you modify a group, you replicate the entire group even if you only make an attribute change on 1 user. That's primarily the reason for the limitation. In 2003 with LVR, you make a change, and only that change is replicated, hence why there is no limit.
“For success, attitude is equally as important as ability.” - Harry F. Banks
-
royal Member Posts: 3,352
MobilOne wrote: Elan, is there anything you don't know??
I don't know why the hell Microsoft didn't allow you to create folders in System Center Virtual Machine Manager so you can organize your VMs. SCVMM RTM comes out in a few weeks, I've heard, so hopefully folders (an advanced feature that must have taken a lot of programming effort) are in the RTM version.
“For success, attitude is equally as important as ability.” - Harry F. Banks
-
Markie Member Posts: 54
Hey Royal, thanks for your response. You kinda confirmed what I already suspected.
How about the primary groups, though? Do you know much about their use and how they are not limited to 5000 members (even in Windows 2000 Server)?
The oxen is slow but the earth is patient!!!!