One more Bonus to add to Stuart's comments:  there are two more exceptions,
which follow the same syntax as the Domain Users group. These are the Domain
Computers and the Domain Controllers groups.  I sure hope you never have
more than 5000 DCs in a domain, but you'll likely have more than 5000
computers in a domain.  If this group were not added as the "Primary Group"
to every computer account (in the same way as Domain Users to every user
account), you'd run into the same issues for replication as you would for
any other group.

People forget that computers are security principals in AD and thus can be
added to groups just like users can.  This can be leveraged for GPO
filtering and general access to AD data via the local system account of the
machine.

An example where you would want to use the Domain Computers group is when
you want to hide the OU that contains the computer objects from the normal
users.  You'd typically remove the READ permissions for the Authenticated
Users on that OU and grant only the appropriate operators group the
permissions you want.
=> the Problem: you've just taken away the possibility of the computer
objects to read the GPO of the OU that they belong to...
=> the Solution: you grant the _Domain Computers_ group READ permissions on
the OU.  This will restrict users but not computers from reading the data in
AD, thus the computers are able to read the GPO and live happily ever after.

/Guido
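
Guido's ACL change, as an added PowerShell example that is not part of the original post: it removes the explicit Read ACEs that Authenticated Users hold on the OU and grants Read to an operators group and to Domain Computers, so computer accounts can still read the OU and its GPO link. It assumes the RSAT ActiveDirectory module (Get-Acl/Set-Acl over the AD: drive); the OU DN and operators group name are placeholders.

```powershell
# Added example (not from the list post): apply the OU permission change on one OU.
# Assumptions: RSAT ActiveDirectory module is installed (it provides the AD: drive),
# and the OU/domain/group names below are placeholders for your own.
Import-Module ActiveDirectory

$ouDn      = 'OU=Workstations,DC=example,DC=com'   # placeholder OU
$operators = 'EXAMPLE\Workstation Operators'       # placeholder operators group
$path      = "AD:\$ouDn"

$acl = Get-Acl -Path $path

# 1. Remove the explicit (non-inherited) Allow ACEs that carry any Read bit for
#    Authenticated Users (well-known SID S-1-5-11) on this OU.
$authUsers = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-11')
$sidType   = [System.Security.Principal.SecurityIdentifier]
$acl.Access |
    Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate($sidType) -eq $authUsers -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericRead)
    } |
    ForEach-Object { [void]$acl.RemoveAccessRuleSpecific($_) }

# 2. Grant Read, inherited by every object under the OU, to the operators group
#    and to Domain Computers (the domain SID plus RID 515), so computer accounts
#    keep reading the OU while ordinary users no longer can.
$domainSid       = (Get-ADDomain).DomainSID
$domainComputers = [System.Security.Principal.SecurityIdentifier]::new("$($domainSid.Value)-515")
foreach ($id in @([System.Security.Principal.NTAccount]$operators, $domainComputers)) {
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $id,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($rule)
}

# Review the explicit ACEs before committing; drop -WhatIf to write the ACL back.
$acl.Access | Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType -AutoSize
Set-Acl -Path $path -AclObject $acl -WhatIf
```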

-----Original Message-----
From: Stuart Kwan [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 4 December 2002 17:43
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] which W2K groups does the 5000 limit apply to? 


In Windows 2000, Microsoft recommends that you place no more than 5000
direct members in *any* kind of group in Active Directory (be it
universal, global, local, security-enabled, or mail-enabled).  This is a
recommendation, not an enforced restriction, based on testing of Active
Directory on what was deemed "typical" hardware at the time of the
release of Windows 2000.

The recommendation stems from the fact that changes to a group with a
large membership list (the list being stored and replicated as a single
unit) can lead to long-running transactions on a domain controller,
which can lead to an "Out of version store" condition if the DC is busy
at that point in time.  Whether or not you run out of version store
depends on how fast the DC can commit the group membership transaction
(generally a function of disk I/O capability of the box) and what other
transactions are occurring at the same time.
 
In Windows 2000, if you need to populate a group with more than 5000
members Microsoft recommends you use group nesting to accomplish that.

There is one exception to the 5000 direct member rule - the Domain Users
group.  The membership of the Domain Users group is in fact implied, not
explicit.  A user is made a member of this group by setting the value of
the user's Primary Group attribute (a Posix-related legacy attribute) to
be the Domain Users group.  The system can calculate the membership of
the Domain Users group.

Bonus info:  if you change the value of a user's Primary Group attribute
to be something other than Domain Users, the system will add the user as
an explicit member of the Domain Users group.  Do this to enough users
(>5000, although your mileage will vary, see above) and you may start
running into "Out of version store" problems.

In Windows .NET Server, a new replication mechanism is available for
group memberships which enables membership changes to be replicated on a
per-value basis, instead of the whole list at a time.  When this
mechanism is enabled (after all DCs in the forest have been upgraded to
Windows .NET Server and the forest has been raised to "Windows .NET
Server 2003 Forest Functional Level"), it is possible to have groups
with more than 5000 direct members.  In fact, have as many direct
members as you want.  Go nuts.

More bonus info:  although it is possible to have >5000 direct members
in a group when the new replication mechanism is enabled, it is still
not possible to add or remove >5000 members from a group in a single
transaction.  If you do that, you may run into "Out of version store"
problems (again, your mileage may vary depending on the speed of your
h/w and the load on the DC at that point in time).

- Stuart

[This posting is provided "AS IS" with no warranties, and confers no
rights.]
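
An audit for the two conditions Stuart describes, as an added PowerShell example that is not from the original post: groups whose direct member list exceeds 5000 entries, and users whose primary group has been changed away from Domain Users (RID 513), which Stuart says turns them into explicit members of it. It assumes the RSAT ActiveDirectory module and read access to the current domain; 5000 is the threshold quoted in the thread.

```powershell
# Added example (not from the list post): audit direct group membership sizes
# and primary-group changes. Assumptions: RSAT ActiveDirectory module installed,
# run against the current domain with read access.
Import-Module ActiveDirectory
$threshold = 5000

# The "member" attribute holds only direct (explicit) members, the list that
# Windows 2000 replicates as one unit. A nested group counts as one entry,
# which is why nesting sidesteps the recommendation.
$large = Get-ADGroup -Filter * -Properties member |
    Select-Object Name, GroupCategory, GroupScope,
        @{ Name = 'DirectMembers'; Expression = { $_.member.Count } } |
    Where-Object { $_.DirectMembers -gt $threshold } |
    Sort-Object DirectMembers -Descending
"{0} group(s) exceed {1} direct members" -f $large.Count, $threshold
$large | Format-Table -AutoSize

# Domain Users membership is implied by primaryGroupID = 513 (its RID) rather
# than stored in "member"; Domain Computers (515) and Domain Controllers (516)
# work the same way. Users whose primary group was changed away from 513 are
# the ones that end up as explicit members of Domain Users.
$moved = Get-ADUser -LDAPFilter '(!(primaryGroupID=513))' -Properties primaryGroupID |
    Select-Object SamAccountName, primaryGroupID
"{0} user(s) have a primary group other than Domain Users" -f $moved.Count
$moved | Format-Table -AutoSize

# Cross-check: the explicit member list of Domain Users should be about the
# size of $moved; a count well above $threshold is the case Stuart warns about.
$domainUsers = Get-ADGroup -Identity 'Domain Users' -Properties member
"Domain Users explicit members: {0}" -f $domainUsers.member.Count
```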


-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, December 03, 2002 1:10 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] which W2K groups does the 5000 limit apply to? 

I believe that there is a 5000 member limit on Universal groups only - and
IIRC, it's a practical, not physical, limit.

The idea is that the entire contents have to be replicated every time a
member is changed - the membership is a single multivalued field.

------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA


> -----Original Message-----
> From: Parker, Edward [mailto:[EMAIL PROTECTED]] 
> Sent: Tuesday, December 03, 2002 3:18 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] which W2K groups does the 5000 limit apply to?
> 
> 
> I know we had this discussion on this list before.  I am not sure of the
> results.  Here are my "real world" numbers.
> 
> I ran the script below on my domain for the Domain Users Group and got the
> following:
> 
> There are 23954 users in that group.
> 
> Since this is a built in group, I ran it on a manually created group and got
> the following:
> 
> There are 15315 users in that group.
> 
> So my question is:  If there is a 5,000 user limit, then why can I have
> 15,000+ users in a group?  These groups are not nested groups.
> 
> Any Thoughts?
> 
> 
> Script Below:
> ***********************************************************
> 
> Option Explicit
> Dim sGroup, sDomain, oGroup
> Dim oMember
> Dim x
> 
> x = 0
> 
> ' The WinNT provider is used, so sDomain is the NetBIOS domain name
> sDomain = "Your Domain here"
> sGroup = InputBox("Enter Group Name:", " Enter Group Name ")
> If sGroup = "" Then
>     WScript.Echo "You did not enter a Group Name!"
>     WScript.Quit
> End If
> 
> ' Bind to the group and walk its membership, counting one per entry
> ' (the Members collection returns every member object, users or groups)
> Set oGroup = GetObject("WinNT://" & sDomain & "/" & sGroup & ",group")
> 
> For Each oMember In oGroup.Members
>     x = x + 1
> Next
> WScript.Echo "There are " & x & " users in that group."
> 
> -----Original Message-----
> From: Hutchins, Mike [mailto:[EMAIL PROTECTED]] 
> Sent: Tuesday, December 03, 2002 2:05 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] which W2K groups does the 5000 limit apply to?
> 
> 
> All groups in AD are bound by this limitation. It only includes direct
> members.
> 
> -----Original Message-----
> From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]] 
> Sent: Tuesday, December 03, 2002 12:39 PM
> To: '[EMAIL PROTECTED]'
> Subject: [ActiveDir] which W2K groups does the 5000 limit apply to? 
> 
> 
> I have seen two references (.NET Magazine, Dec 2002, p19; Technet, Nov 2002,
> "Planning Your Commerce Server Installation") that indicate that Windows
> 2000 groups have a limit of 5000 users.  Can anyone tell me what groups this
> limit is applied to?  Is it just those groups created by an administrator or
> does it apply also to default groups (e.g., Domain Users)?  Seems to me if
> it included groups like "Domain Users", Windows 2000 could not be called
> very scalable.  Any insight is appreciated! TIA.
> 
> Mike Thommes
> Systems Administrator
> Argonne National Laboratory
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/