had me worried just the same when reading DL and
thinking Distribution Lists ;-))
One thing that I don't understand is: why doesn't the token
only store the _RIDs_ of the DLGs - why are they stored with the full SID?
Makes no sense to me, as they are able to use the RID for GGs and UGs - and
naturally they have some mechanism on the client side anyways to expand the RIDs
in the token back to the full SIDs for the security token used e.g. during
resource authorization (I believe this was added in Win2k SP2).
It's obvious that the SIDs from SIDhistory are added to the
token as full SIDs as these have a different domain-part in the SID - but I
certainly don't grasp why it's required for the DLGs of the same
domain...?
And don't forget - in a perfect joe-world, all groups would
be DLGs so you wouldn't even have any benefit of the new mechanism to store RIDs
in the token to limit its size ;-)
/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, April 15, 2005 01:57
To: ActiveDir@mail.activedir.org; 'Send - AD mailing list'
Subject: RE: [ActiveDir] 1000 groups

Ah Domain Local Group (DLG) SIDS... Sorry, I misread your
post and thought you meant Distribution List when you said DL Groups. Looking at
too much Exchange stuff lately.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Thursday, April 14, 2005 7:38 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] 1000 groups

That's
not the way I understand the token construct in later-than-NT4 Windows
builds. As I understand it, the effective token is the result of the
combined TGT and Session ticket PAC (portions directly derived from the TGT) as
it relates to a particular target resource (PAC = privileged attribute cert.,
the kerb. attr. designated to carry OS proprietary auth. data) ... the
change you reference simply forces a 2K3 DC to include Domain Local group SIDs
within the TGT (regardless of domain mode) with a view to making the overall
authorization process more consistent.
As for
your 2nd question, that's a good one ... let me give that some
thought.
-- http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 14, 2005 7:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1000 groups

Interesting post Dean, I wasn't aware of the DL SIDS thing.
I take it this is a case of the SIDS being in the actual kerb ticket and not in
the actual token and restricted, correct?
Is
there a mechanism for listing the groups in a given tgt?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, April 12, 2005 1:39 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] 1000 groups

Firstly, the so-called well-known ~1000 limitation and
the ~5000 limitation are entirely unrelated.
Regarding token bloat; the more accurate max. SIDs
value is 1015. This is due to 9 well-known SIDs that are always present
and should, therefore, not be part of any calculation as to what can be
administratively affected. In addition, tickets handed out by 2K3 DCs always
contain DL group SIDs regardless of domain mode and, as such, are always a
little bigger than a corresponding ticket issued by a 2000 DC in mixed mode
(this is done solely to avoid inconsistencies during transition of modes --
considered a bug by many, myself included).
In contrast, we do attempt to compress specific tokens by maintaining only the RID
(not the whole SID) where applicable. A MaxTokenSize registry value exists
that simply governs the upper limit. Increasing the value will likely
cause performance concerns and, more significantly, potential application
failures due to timeouts (too many SIDs to compare, call does not return and
app. assumes failure). This article alludes to the problem -
Real-time token size can be calculated using the
following tool -
-- http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Fischer
Sent: Tuesday, April 12, 2005 12:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 1000 groups

Hi All: Can an AD user be a
member of more than 1000 groups? Someone told me that 1000 was an AD
limitation. Is that true?

Thanks,
--Brian
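The accounting Dean and Guido describe above (global and universal groups from the user's own domain kept as RIDs only, Domain Local groups, foreign-domain groups and SIDhistory entries kept as full SIDs, and 9 well-known SIDs always present so that 1015 group SIDs remain) is easy to get wrong when sizing a group design by hand. The following script is an added example, not code from the thread or from any Microsoft tool: it takes a constructed membership list, classifies each group the way the thread says the token stores it, and reports whether the 1015-SID budget is exceeded. The byte-size formula (1200 + 40*d + 8*s, with d the full-SID entries and s the RID-only entries) and the 12000-byte MaxTokenSize default are assumptions taken from Microsoft KB 327825 and the Windows 2000 SP2 / Server 2003 default respectively, not from the thread; the SIDs, group names and `GroupSid`/`assess_token` helpers are all invented for the example.

```python
"""Estimate SID count and approximate size of a Windows access token.

Added example; not part of the original thread. Rules modelled from the thread:
  - global/universal groups from the account's own domain -> stored as RID only
  - Domain Local groups, groups from other domains, SIDhistory -> full SID
  - 9 well-known SIDs are always present, so 1024 - 9 = 1015 remain for groups
Assumptions (NOT from the thread):
  - size formula TokenSize = 1200 + 40*d + 8*s from KB 327825
  - MaxTokenSize default of 12000 bytes (Windows 2000 SP2 / Server 2003)
"""
from dataclasses import dataclass
from typing import Dict, List

WELL_KNOWN_ALWAYS_PRESENT = 9
MAX_SIDS_IN_TOKEN = 1024
USABLE_GROUP_SIDS = MAX_SIDS_IN_TOKEN - WELL_KNOWN_ALWAYS_PRESENT  # 1015
DEFAULT_MAX_TOKEN_SIZE = 12000  # bytes; assumption, see module docstring


@dataclass(frozen=True)
class GroupSid:
    sid: str    # e.g. "S-1-5-21-1111-2222-3333-1105" (constructed)
    scope: str  # "global", "universal", "domainlocal" or "sidhistory"


def domain_part(sid: str) -> str:
    """Domain identifier of a SID: everything before the final RID component."""
    return sid.rsplit("-", 1)[0]


def rid_part(sid: str) -> int:
    """Relative identifier: the final component of the SID."""
    return int(sid.rsplit("-", 1)[1])


def stored_as_rid(user_domain_sid: str, group: GroupSid) -> bool:
    """Only global/universal groups from the user's own domain collapse to a RID."""
    return (group.scope in ("global", "universal")
            and domain_part(group.sid) == user_domain_sid)


def assess_token(user_domain_sid: str, groups: List[GroupSid],
                 max_token_size: int = DEFAULT_MAX_TOKEN_SIZE) -> Dict[str, object]:
    """Classify memberships and report SID count and estimated token size."""
    s = sum(1 for g in groups if stored_as_rid(user_domain_sid, g))   # RID-only
    d = len(groups) - s                                               # full SIDs
    estimated_size = 1200 + 40 * d + 8 * s        # KB 327825 formula (assumption)
    return {
        "rid_only": s,
        "full_sid": d,
        "total_sids": d + s + WELL_KNOWN_ALWAYS_PRESENT,
        "over_sid_limit": d + s > USABLE_GROUP_SIDS,
        "estimated_size": estimated_size,
        "over_max_token_size": estimated_size > max_token_size,
    }


def build_sample_membership(user_domain: str, other_domain: str, n_global: int,
                            n_domainlocal: int, n_foreign_universal: int,
                            n_sidhistory: int) -> List[GroupSid]:
    """Constructed membership list; RIDs start at 1100 so they are distinct."""
    groups: List[GroupSid] = []
    rid = 1100
    for scope, domain, n in (("global", user_domain, n_global),
                             ("domainlocal", user_domain, n_domainlocal),
                             ("universal", other_domain, n_foreign_universal),
                             ("sidhistory", other_domain, n_sidhistory)):
        for _ in range(n):
            groups.append(GroupSid(f"{domain}-{rid}", scope))
            rid += 1
    return groups


# Constructed domain SIDs for the example; not real domains.
USER_DOMAIN = "S-1-5-21-1111-2222-3333"
OTHER_DOMAIN = "S-1-5-21-4444-5555-6666"

if __name__ == "__main__":
    # "Perfect joe-world": mostly Domain Local groups, so RID compression buys little.
    heavy = build_sample_membership(USER_DOMAIN, OTHER_DOMAIN, 500, 600, 20, 5)
    light = build_sample_membership(USER_DOMAIN, OTHER_DOMAIN, 300, 50, 0, 0)
    for name, membership in (("heavy", heavy), ("light", light)):
        print(name, assess_token(USER_DOMAIN, membership))
```

To feed real data instead of the constructed list, export the token's SIDs on a domain-joined host with `whoami /groups /fo csv` and look up each group's scope with `Get-ADGroup -Properties GroupScope`; the script itself never touches AD. Note that the "heavy" case stays under 1015 total groups only if the Domain Local count is cut, which is exactly Guido's complaint: in an all-DLG design the RID optimisation never applies.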