Stuart, Thanks for the clarification. Much appreciated!

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Stuart Kwan
> Sent: Wednesday, December 04, 2002 10:43 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] which W2K groups does the 5000 limit apply to?
>
> In Windows 2000, Microsoft recommends that you place no more than 5000
> direct members in *any* kind of group in Active Directory (be it
> universal, global, local, security-enabled, or mail-enabled). This is a
> recommendation, not an enforced restriction, based on testing of Active
> Directory on what was deemed "typical" hardware at the time of the
> release of Windows 2000.
>
> The recommendation stems from the fact that changes to a group with a
> large membership list (the list being stored and replicated as a single
> unit) can lead to long-running transactions on a domain controller,
> which can lead to an "Out of version store" condition if the DC is busy
> at that point in time. Whether or not you run out of version store
> depends on how fast the DC can commit the group membership transaction
> (generally a function of disk I/O capability of the box) and what other
> transactions are occurring at the same time.
>
> In Windows 2000, if you need to populate a group with more than 5000
> members Microsoft recommends you use group nesting to accomplish that.
>
> There is one exception to the 5000 direct member rule - the Domain Users
> group. The membership of the Domain Users group is in fact implied, not
> explicit. A user is made a member of this group by setting the value of
> the user's Primary Group attribute (a Posix-related legacy attribute) to
> be the Domain Users group. The system can calculate the membership of
> the Domain Users group.
>
> Bonus info: if you change the value of a user's Primary Group attribute
> to be something other than Domain Users, the system will add the user as
> an explicit member of the Domain Users group. Do this to enough users
> (>5000, although your mileage will vary, see above) and you may start
> running into "Out of version store" problems.
>
> In Windows .NET Server, a new replication mechanism is available for
> group memberships which enables membership changes to be replicated on a
> per-value basis, instead of the whole list at a time. When this
> mechanism is enabled (after all DCs in the forest have been upgraded to
> Windows .NET Server and the forest has been raised to "Windows .NET
> Server 2003 Forest Functional Level"), it is possible to have groups
> with more than 5000 direct members. In fact, have as many direct members
> as you want. Go nuts.
>
> More bonus info: although it is possible to have >5000 direct members in
> a group when the new replication mechanism is enabled, it is still not
> possible to add or remove >5000 members from a group in a single
> transaction. If you do that, you may run into "Out of version store"
> problems (again, your mileage may vary depending on the speed of your
> h/w and the load on the DC at that point in time).
>
> - Stuart
>
> [This posting is provided "AS IS" with no warranties, and confers no
> rights.]
>
> -----Original Message-----
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, December 03, 2002 1:10 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] which W2K groups does the 5000 limit apply to?
>
> I believe that there is a 5000 member limit on Universal groups only -
> and IIRC, it's a practical, not physical, limit.
>
> The idea is that the entire contents has to be replicated every time a
> member is changed - the membership is a single multivalued field.
>
> ------------------------------------------------------
> Roger D. Seielstad - MCSE
> Sr. Systems Administrator
> Inovis - Formerly Harbinger and Extricity
> Atlanta, GA
>
> > -----Original Message-----
> > From: Parker, Edward [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, December 03, 2002 3:18 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] which W2K groups does the 5000 limit apply to?
> >
> > I know we had this discussion on this list before. I am not sure of
> > the results. Here are my "real world" numbers
> >
> > I ran the script below on my domain for the Domain Users Group and got
> > the following:
> >
> > There are 23954 users in that group.
> >
> > Since this is a built in group, I ran it on a manually created group
> > and got the following:
> >
> > There are 15315 users in that group.
> >
> > So my question is: If there is a 5,000 user limit, then why can I have
> > 15,000+ users in a group. These groups are not nested groups.
> >
> > Any Thoughts?
> >
> > Script Below:
> > ***********************************************************
> >
> > Option Explicit
> > Dim sGroup, sDomain, oGroup
> > Dim oMember
> > Dim x
> >
> > x = 0
> >
> > sDomain = "Your Domain here"
> > sGroup = InputBox("Enter Group Name:", " Enter Group Name ")
> > If sGroup = "" Then
> >     WScript.Echo "You did not enter a Group Name!"
> >     WScript.Quit
> > End If
> >
> > Set oGroup = GetObject("WinNT://" & sDomain & "/" & sGroup & ",group")
> >
> > For Each oMember In oGroup.Members
> >     x = x + 1
> > Next
> > WScript.Echo "There are " & x & " users in that group."
> >
> > -----Original Message-----
> > From: Hutchins, Mike [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, December 03, 2002 2:05 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] which W2K groups does the 5000 limit apply to?
> >
> > All Groups in Ad are bound by this limitation. It only includes direct
> > members.
> >
> > -----Original Message-----
> > From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, December 03, 2002 12:39 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: [ActiveDir] which W2K groups does the 5000 limit apply to?
> >
> > I have seen two references (.NET Magazine, Dec 2002, p19; Technet, Nov
> > 2002, "Planning Your Commerce Server Installation") that indicate that
> > Windows 2000 groups have a limit of 5000 users. Can anyone tell me
> > what groups this limit is applied to? Is it just those groups created
> > by an administrator or does it apply also to default groups (e.g.,
> > Domain Users). Seems to me if it included groups like "Domain Users",
> > Windows 2000 could not be called very scalable. Any insight is
> > appreciated! TIA.
> >
> > Mike Thommes
> > Systems Administrator
> > Argonne National Laboratory
> >
> > List info   : http://www.activedir.org/mail_list.htm
> > List FAQ    : http://www.activedir.org/list_faq.htm
> > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
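
Added example, not part of the original thread or any poster's code: a small audit that separates explicit members (the stored `member` list) from implied members (users whose `primaryGroupID` equals the group's RID), and flags groups above the 5000 direct-member recommendation unless per-value replication is in effect. The domain SID, DNs, the `AllStaff` group and the `per_value_replication` parameter are constructed for illustration, and a single domain is assumed.

```python
# Added example: the directory entries below are constructed, not taken from the thread.
RECOMMENDED_MAX_DIRECT = 5000  # Windows 2000 recommendation quoted in the thread


def rid_of(sid):
    """Return the RID, i.e. the last sub-authority of a SID string."""
    return int(sid.rsplit("-", 1)[1])


def membership_report(entries, per_value_replication=False):
    """Per group: explicit members (member attribute) vs implied (primaryGroupID)."""
    users = [e for e in entries if e["objectClass"] == "user"]
    report = {}
    for group in (e for e in entries if e["objectClass"] == "group"):
        rid = rid_of(group["objectSid"])
        explicit = len(group.get("member", []))
        implied = sum(1 for u in users if u["primaryGroupID"] == rid)
        report[group["cn"]] = {
            "explicit": explicit,
            "implied": implied,
            # Per the thread, only the explicit list replicates as a single unit.
            "over_recommendation": (not per_value_replication
                                    and explicit > RECOMMENDED_MAX_DIRECT),
        }
    return report


def sample_directory(n_users=6000):
    """Constructed single-domain snapshot; SID, DNs and AllStaff are made up."""
    dom = "S-1-5-21-1111111111-2222222222-3333333333"
    dns = [f"CN=user{i},CN=Users,DC=example,DC=com" for i in range(n_users)]
    groups = [
        {"objectClass": "group", "cn": "Domain Users",
         "objectSid": dom + "-513", "member": []},
        {"objectClass": "group", "cn": "AllStaff",
         "objectSid": dom + "-1105", "member": dns},
    ]
    users = [{"objectClass": "user", "distinguishedName": dn, "primaryGroupID": 513}
             for dn in dns]
    return groups + users


if __name__ == "__main__":
    for name, row in membership_report(sample_directory()).items():
        print(name, row)
```
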