Oh excellent, I was completely unaware of that. Wonder why it hasn't made it to MSDN yet... Time to start emailing people.
;o)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, April 15, 2005 12:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1000 groups

Just a related thought to this, you might want to be aware of the following change that was put into W2K3/SP1:
http://support.microsoft.com/kb/832572/
Mike Thommes
-----Original Message-----
That's not the way I understand the token construct in later-than-NT4 Windows builds. As I understand it, the effective token is the result of the combined TGT and Session ticket PAC (portions directly derived from the TGT) as it relates to a particular target resource (PAC = privileged attribute cert., the kerb. attr. designated to carry OS proprietary auth. data) ... the change you reference simply forces a 2K3 DC to include Domain Local group SIDs within the TGT (regardless of domain mode) with a view to making the overall authorization process more consistent.
As for your 2nd question, that's a good one ... let me give that some thought. --
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

Interesting post Dean, I wasn't aware of the DL SIDs thing. I take it this is a case of the SIDs being in the actual kerb ticket and not in the actual token and restricted, correct?
Is there a mechanism for listing the groups in a given TGT?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells

Firstly, the so-called well-known ~1000 limitation and the ~5000 limitation are entirely unrelated.
Regarding token bloat; the more accurate max. SIDs value is 1015. This is due to 9 well-known SIDs that are always present and should, therefore, not be part of any calculation as to what can be administratively affected. In addition, tickets handed out by 2K3 DCs always contain DL group SIDs regardless of domain mode and, as such, are always a little bigger than a corresponding ticket issued by a 2000 DC in mixed mode (this is done solely to avoid inconsistencies during transition of modes -- considered a bug by many, myself included).
In contrast, we do attempt to compress specific tokens by maintaining only the RID (not the whole SID) where applicable. A MaxTokenSize registry value exists that simply governs the upper limit. Increasing the value will likely cause performance concerns and, more significantly, potential application failures due to timeouts (too many SIDs to compare, call does not return and app. assumes failure). This article alludes to the problem -
Real-time token size can be calculated using the following tool -
--
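The arithmetic Dean describes (1024 SID slots, 9 of them always taken by well-known SIDs, RID-only compression for account-domain groups, a MaxTokenSize ceiling) and joe's question about listing the groups a principal carries can both be checked from the client side. The following PowerShell is an added example written for this page, not code posted by anyone in the thread. It enumerates the group SIDs in the current logon token (the token, not the TGT; the PAC inside the ticket is not exposed to user mode), counts them against the 1015 administrable SIDs, reads MaxTokenSize from the registry, and estimates the Kerberos token size with the formula published in KB 327825, TokenSize = 1200 + 40d + 8s. Assumptions made here: the KB 327825 formula and the 12000-byte default for MaxTokenSize on this OS generation, the registry path HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, and the approximation that groups sharing the user's account-domain SID prefix are the RID-only "s" groups while every other account SID is a full-SID "d" group (a token does not record group scope, so domain local groups in the account domain are undercounted; use Get-ADGroup -Properties GroupScope for an exact figure).

```powershell
# Added example (not from the thread). Inspects the current token's group SIDs,
# checks them against the 1015 administrable-SID cap (1024 slots minus the
# 9 well-known SIDs that are always present) and estimates the Kerberos token
# size with the KB 327825 formula:
#     TokenSize = 1200 + 40d + 8s
#   d = domain local groups + universal groups outside the account domain
#       (+ SID history entries), each carried as a full SID (40 bytes)
#   s = global groups + universal groups in the account domain, carried as
#       RIDs only (8 bytes) -- the compression Dean refers to
# Approximation: scope is not visible in a token, so "same domain prefix" is
# treated as s and everything else as d.

function Get-TokenGroupReport {
    param(
        [int]$TokenSidSlots       = 1024,   # hard limit on SIDs in a token
        [int]$WellKnownSids       = 9,      # always present, not administrable
        [int]$DefaultMaxTokenSize = 12000   # assumed OS default when the value is absent
    )

    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $domainSid = $identity.User.AccountDomainSid     # $null for local accounts
    $groups    = @($identity.Groups)                 # SecurityIdentifier objects

    # Only account SIDs (S-1-5-21-...) count toward the formula; well-known SIDs
    # such as Everyone or Authenticated Users are excluded from d and s.
    $accountGroups = @($groups | Where-Object { $_.IsAccountSid() })
    $sameDomain    = @($accountGroups | Where-Object {
        $domainSid -and $_.AccountDomainSid.Equals($domainSid) })
    $otherDomain   = @($accountGroups | Where-Object {
        -not ($domainSid -and $_.AccountDomainSid.Equals($domainSid)) })

    $estimate = 1200 + 40 * $otherDomain.Count + 8 * $sameDomain.Count

    # MaxTokenSize governs the upper limit; absent means the OS default applies.
    $regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $maxToken = (Get-ItemProperty -Path $regPath -Name MaxTokenSize `
                    -ErrorAction SilentlyContinue).MaxTokenSize
    if (-not $maxToken) { $maxToken = $DefaultMaxTokenSize }

    [pscustomobject]@{
        User                = $identity.Name
        TotalTokenSids      = $groups.Count
        AccountGroupSids    = $accountGroups.Count
        AdministrableSidCap = $TokenSidSlots - $WellKnownSids        # 1015
        OverSidCap          = $accountGroups.Count -gt ($TokenSidSlots - $WellKnownSids)
        FullSidGroups_d     = $otherDomain.Count
        RidOnlyGroups_s     = $sameDomain.Count
        EstimatedTokenBytes = $estimate
        MaxTokenSize        = $maxToken
        OverMaxTokenSize    = $estimate -gt $maxToken
    }
}

# Every group SID in the token with its resolved name where one exists
# (roughly what 'whoami /groups' prints), flagged as account SID or not.
function Get-TokenGroupList {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        $name = '<unresolved>'
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{ Sid = $sid.Value; Name = $name; AccountSid = $sid.IsAccountSid() }
    }
}

Get-TokenGroupList | Format-Table -AutoSize
Get-TokenGroupReport
```

Run it as the user whose membership you are investigating; the report reflects that logon session's token, so a freshly added group does not show until the user logs on again. Where the estimate approaches MaxTokenSize, the fix Dean warns against (raising the value) only postpones the timeouts he describes; trimming nested and cross-domain group membership is what actually reduces d.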
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Fischer

Hi All: Can an AD user be a member of more than 1000 groups? Someone told me that 1000 was an AD limitation. Is that true? Thanks, --Brian