Vithal said:
Is there a limitation to the number of users that can be
added to a Global Group?
Is there a limitation to the number of Global Groups a
user can be part of?
Hi
With Kerberos authentication and AD security groups, there are limitations on
how many groups a user can be part of, that is for sure...
With Kerberos authentication
and a default configuration (pre SP4): Approx. 75 security groups
and with SP4 or hotfix 327825 (for pre SP4) installed on your domain
controllers: Approx. 500 security groups
If you use Kerberos authentication (and not NTLM), there are some severe
limitations with a default install. We started using AD last year, and met the
limit at approx. 75 groups (based on Microsoft Knowledge Base articles, it
should have been 120 ;-).
What happens is that your Kerberos token gets full. The Kerberos token that is
generated during authentication attempts has a fixed maximum size, and each
security group you are member of needs some space in this token for its SID.
The effect of this full token was errors during logon scripts (VBScript) and
GPOs that did get applied, and you were not able to add a computer to the
domain either with your user authentication.
We could not live with a limit of 75 security groups a user could belong to,
so we started to do some research. A workaround we found after a Google
newsgroup search was to create a registry value on each computer, both servers
and workstations that made this fixed size larger. The value is MaxTokenSize
under HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters\.
From "Group Policy May Not Be Applied to Users Belonging to Many Groups" at
http://support.microsoft.com/default.aspx?scid=KB;EN-US;263693
"A registry parameter is available after you apply this hotfix that you can
use to increase the Kerberos token size. For example, increasing the token
size to 100 KB allows a user to be present in more than 900 groups. Because
of the associated SID information, this number may vary."
and
"Microsoft recommends that you set this value to 100000 decimal"
We contacted our Technical Account Manager in Microsoft about this, and he did
some research. He came back and said that we should not set this number as
high as 100000, you might get problems with SQL and Exchange servers then.
He said 48000 was a recommended number. This gave us approx. max 500 groups
per user, and that we could live with. But of course, we didn't look forward
to handling this registry "hack" everywhere, even if we could do it with a GPO.
You still needed to add it "manually" in the registry on a non-member computer
before you could add it to the domain if the user doing it was a member of more
than 75 groups.
But then THIS hotfix came along (it is implemented in SP4):
New Resolution for Problems That Occur When Users Belong to Many Groups
http://support.microsoft.com/default.aspx?scid=kb;en-us;327825
"The existing resolution that is described in these articles instructs you to
modify the MaxTokenSize registry value. An improvement has been made to this
resolution. If you use the hotfix that is described in this article, you
may not have to edit the default MaxTokenSize value."
You need to apply this hotfix to all of the domain controllers.
After it was installed on all the DCs, I deleted the MaxTokenSize value in the
registry on my local computer and started to test out the limit. I could be a
member of approx. 520 groups before the problems arose...
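The registry workaround described in the reply above can be scripted rather than applied by hand. The following PowerShell is an added example and is not code from the original post or from Microsoft: it reads and sets the MaxTokenSize value under the Kerberos\Parameters key named in the reply, and estimates the current user's token size against that limit. It assumes it is run elevated on the client, that the default limit when the value is absent is 12000 bytes (the pre-2012 default), and that the size formula TokenSize = 1200 + 40d + 8s is the one documented in KB 327825, which the reply cites. Because it does not query AD for each group's scope, it only bounds the size: every group counted as a same-domain global group (8 bytes) on the low side, and as a domain-local, foreign-universal or SIDHistory entry (40 bytes) on the high side.

```powershell
# Added example (not from the original post): inspect and adjust MaxTokenSize and
# estimate the current user's Kerberos token size.
# Assumptions: run elevated; default limit 12000 bytes when the value is absent;
# formula TokenSize = 1200 + 40d + 8s as documented in KB 327825.

$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$DefaultMaxTokenSize = 12000

function Get-MaxTokenSize {
    # Returns the configured value, or the assumed default when the value is absent.
    $item = Get-ItemProperty -Path $KerbParams -Name MaxTokenSize -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $DefaultMaxTokenSize }
    return [int]$item.MaxTokenSize
}

function Set-MaxTokenSize {
    param([Parameter(Mandatory)][ValidateRange(1, [int]::MaxValue)][int]$Bytes)
    # Creates the key if it is missing and writes a REG_DWORD.
    # LSA reads the value at start-up, so a reboot is required for it to take effect.
    if (-not (Test-Path $KerbParams)) { New-Item -Path $KerbParams -Force | Out-Null }
    New-ItemProperty -Path $KerbParams -Name MaxTokenSize -PropertyType DWord `
        -Value $Bytes -Force | Out-Null
}

function Get-TokenSizeEstimate {
    param([int]$MaxTokenSize = (Get-MaxTokenSize))
    # d = domain-local groups, universal groups from other domains, SIDHistory entries
    # s = global groups and universal groups in the user's own domain
    # Without an AD lookup per group we can only bound the size, so treat every
    # group as s (lower bound) or as d (upper bound). Note that the token's group
    # list also contains well-known SIDs (Everyone, Authenticated Users, ...),
    # so the count is slightly pessimistic.
    $groupCount = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups.Count
    $lower = 1200 + 8  * $groupCount
    $upper = 1200 + 40 * $groupCount
    [pscustomobject]@{
        GroupCount   = $groupCount
        LowerBytes   = $lower
        UpperBytes   = $upper
        MaxTokenSize = $MaxTokenSize
        AtRisk       = ($upper -gt $MaxTokenSize)   # may hit the symptoms in the reply
    }
}

# Usage: show the current state, then apply the 48000 value the reply's TAM recommended.
Get-TokenSizeEstimate
Set-MaxTokenSize -Bytes 48000
Get-TokenSizeEstimate -MaxTokenSize (Get-MaxTokenSize)
```

Run the first estimate on a workstation before deciding whether the registry change is needed at all; if UpperBytes is well under the limit, the user is not close to the problem the reply describes. Because the value is read by LSA at boot, a GPO that sets it only helps machines that reboot afterwards, which is why the reply still had to edit non-member computers by hand before joining them.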