5000 user group limitation and the Domain Users Group


Nick42

If there is indeed a 5000 user per group limitation, would this not
limit the number of user objects a domain can have? The Domain Users
group conforms to the same schema as "normal" groups?

I have heard some people remark that this differs if the Forest is in
Native Mode. I don't see that because the Schema doesn't change in
regards to group size limitations - or does it?
 
(e-mail address removed) (Nick42) wrote in @posting.google.com:
> If there is indeed a 5000 user per group limitation, would this not
> limit the number of user objects a domain can have? The Domain Users
> group conforms to the same schema as "normal" groups?
>
> I have heard some people remark that this differs if the Forest is in
> Native Mode. I don't see that because the Schema doesn't change in
> regards to group size limitations - or does it?

"Domain Users" is the default "Primary Group" for all users ("Domain
Computers" is the equiv Primary Group for Computers). An object's Primary
Group is not stored in the group, it is stored in the 'primaryGroupID'
attribute on the object itself (actually the RID of the user's Primary
Group is stored in that attribute, but that's another story). This was
done specifically to get around the replication issues caused by everyone
being in Domain Users. If everyone's Primary Group is Domain Users then
Domain Users is empty (in other words, its "members" attribute is
empty).

As long as you don't change the Primary Group of your user accounts,
everything works fine. If you DO change the Primary Group, you may well
run into replication problems because Domain Users will no longer be
empty. We had to redesign our logon scripting environment, which used
the seemingly appropriately named 'primary group' to assign the user's
'primary group share', to get around the problems that having 25,000
users in Domain Users would have caused.

Hope that helps,

Wayne
 
Hello Nick,

Thank you for your post.

"In Windows 2000, group memberships are linked attributes stored in a
single multi-valued attribute of the group object. When a single change is
made to the membership of a group, the whole group is replicated as a
single unit. Because the group membership is replicated as a single unit,
there is a potential for updates to group membership to be "lost" when
different members are added or removed at the same time at different
domain controllers. Additionally, the size of this single object may be
more than the buffer used to commit an entry into the database. For these
reasons, the recommended limit for group members is 5000.

The exception to the 5000 member rule is the Domain Users group. The Domain
Users group uses a "computed" mechanism based on the "primary group ID" of
the user to determine membership and does not typically store members as
multi-valued linked attributes. If the primary group of the user is
changed, their membership in the Domain Users group is written to the
linked attribute for the group and is no longer calculated. This was true
for Windows 2000 and has not changed for Windows Server 2003. Windows
Server 2003 interim forest level relieves administrators from having to
discover and reallocate global security groups with more than 5000 members.

Version Store Issues with Large Groups

Active Directory uses a single block of memory for committing large changes
to the database referred to as the "version store". When a large change is
committed to the database, for example, when a large group is replicated
in, the attribute change must be able to fit into the version store. If the
attribute does not fit, the change cannot be committed, and replication of
the attribute is effectively blocked. When groups reach large numbers, with
more than 5000 members, they are at risk of using up the version store.
Windows Server 2003 introduces a new replication mechanism named LVR, which
addresses this limitation. LVR is activated when the forest functional
level is raised to Windows Server 2003 interim forest level or Windows
Server 2003 forest level. In this level, LVR is used to replicate groups
between Windows Server 2003 domain controllers. The earlier Net Logon
replication mechanism is used to replicate to the down-level Windows NT 4.0
domain controllers." (KB322692)

Best Regards,
Ben Ybarra, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
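The membership model that both replies describe (primary-group membership computed from the user's primaryGroupID, the group's stored 'member' attribute staying empty, and the 5000-member recommendation applying to what is actually stored) can be made concrete with a small simulation. This is an added example written for this thread, not code from either poster or from Microsoft; it runs on constructed data rather than querying a directory. The group names "Share-Finance" and "Big-Group" and their RIDs are made up, and the way set_primary_group moves a user between the two groups' 'member' attributes is modelled on Active Directory's documented behaviour, which goes slightly beyond what the thread states (the thread only says the old primary group stops being empty).

```python
"""Model of AD primary-group membership: a user's membership in their primary
group lives in the user's own primaryGroupID attribute, not in the group's
'member' attribute, so "Domain Users" stays empty as a stored object until an
admin changes someone's primary group. Constructed data only; no live AD."""
from dataclasses import dataclass, field

DOMAIN_USERS_RID = 513            # well-known RID of "Domain Users"
DOMAIN_COMPUTERS_RID = 515        # well-known RID of "Domain Computers"
RECOMMENDED_MEMBER_LIMIT = 5000   # per KB322692, quoted in the thread


@dataclass
class User:
    sam: str
    primary_group_rid: int = DOMAIN_USERS_RID   # the primaryGroupID attribute


@dataclass
class Group:
    name: str
    rid: int
    # The stored, replicated multi-valued 'member' attribute. Only this part
    # is replicated and only this part counts against the 5000 recommendation.
    member: set = field(default_factory=set)


def effective_members(group, users):
    """Stored members plus computed ones (users whose primaryGroupID == group RID)."""
    computed = {u.sam for u in users if u.primary_group_rid == group.rid}
    return group.member | computed


def set_primary_group(user, groups, new_rid):
    """Change a user's primary group.

    Assumed behaviour (modelled on AD, beyond what the thread states): the user
    must already be a stored member of the new group; the user then leaves the
    new group's 'member' attribute (membership is now computed) and is written
    into the OLD primary group's 'member' attribute, which is exactly why
    Domain Users stops being empty once primary groups get changed.
    """
    by_rid = {g.rid: g for g in groups}
    old, new = by_rid[user.primary_group_rid], by_rid[new_rid]
    if user.sam not in new.member:
        raise ValueError(f"{user.sam} must be a member of {new.name} first")
    new.member.discard(user.sam)
    old.member.add(user.sam)
    user.primary_group_rid = new_rid


def replication_risks(groups):
    """Groups whose *stored* member attribute exceeds the recommended limit, plus
    Domain Users if it has any stored members at all (it is expected to be empty)."""
    risks = {}
    for g in groups:
        if len(g.member) > RECOMMENDED_MEMBER_LIMIT:
            risks[g.name] = f"{len(g.member)} stored members exceeds {RECOMMENDED_MEMBER_LIMIT}"
        elif g.rid == DOMAIN_USERS_RID and g.member:
            risks[g.name] = f"{len(g.member)} stored members; primary group was changed for these users"
    return risks


def users_with_changed_primary_group(users):
    """The accounts an admin would want to find: primaryGroupID != 513."""
    return sorted(u.sam for u in users if u.primary_group_rid != DOMAIN_USERS_RID)


def demo():
    # Constructed directory: 25,000 users (Wayne's figure), all defaulting to Domain Users.
    users = [User(f"user{i:05d}") for i in range(25_000)]
    domain_users = Group("Domain Users", DOMAIN_USERS_RID)
    shares = Group("Share-Finance", 1105)          # constructed group and RID
    big = Group("Big-Group", 1106, {u.sam for u in users[:5001]})   # constructed, over the limit
    groups = [domain_users, shares, big]

    # 25,000 effective members, yet nothing stored in Domain Users to replicate.
    assert len(effective_members(domain_users, users)) == 25_000
    assert domain_users.member == set()

    # An admin follows the old "primary group = share group" pattern for 3 users.
    for u in users[:3]:
        shares.member.add(u.sam)
        set_primary_group(u, groups, shares.rid)

    return {
        "domain_users_effective": len(effective_members(domain_users, users)),
        "domain_users_stored": len(domain_users.member),
        "shares_effective": len(effective_members(shares, users)),
        "shares_stored": len(shares.member),
        "changed": users_with_changed_primary_group(users),
        "risks": replication_risks(groups),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The check that matters operationally is the last two functions: a group's effective size is not what replicates, its stored 'member' attribute is, and Domain Users acquiring any stored members at all is the signal that someone has changed a primaryGroupID.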
 