Too many groups problem

Raymond Breen

Hi All,

After rebuilding several machines to Windows XP, we are experiencing
problems where certain users, if they are members of quite a few groups
(750+), encounter problems running group policy and general authentication
issues on the domain.

This only happens to those accounts, so I have ruled out the machines
themselves. As part of the process we also move the user and machine into a
new o/u structure. I have followed all of Microsoft's recommendations for
increasing token size, Kerberos logging, group policy diagnosis, all without
finding a solution.

Has anyone else come across this and managed to get the issues resolved?
 
Raymond Breen said:
Hi All,

After rebuilding several machines to Windows XP, we are experiencing
problems where certain users, if they are members of quite a few groups
(750+), encounter problems running group policy and general authentication
issues on the domain.

This only happens to those accounts, so I have ruled out the machines
themselves. As part of the process we also move the user and machine into
a new o/u structure. I have followed all of Microsoft's recommendations for
increasing token size, Kerberos logging, group policy diagnosis, all
without finding a solution.

Has anyone else come across this and managed to get the issues resolved?

Yes, this is a known issue.
You need to re-architect to reduce the number of groups your users are a
member of.
750+ groups is excessive. You need to consider why they are and continue to
be a member of so many different groups.
I also suspect that you may also have some nesting taking place to
accumulate more group membership - this too should be investigated.
If you keep on going at this rate you will encounter a situation where users
will be unable to log on at all.

--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups
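
The nesting described in the reply above can be measured before any redesign. This is an added example, not part of the thread: it expands a constructed membership graph into each user's effective groups and applies the 1200 + 40d + 8s token-size estimate from Microsoft's published Kerberos guidance. The function names, the sample data, the 12000-byte default buffer and the 1,024-SID limit are assumptions that do not appear in the posts.

```python
from collections import deque

MAX_TOKEN_SIZE = 12000  # XP-era default Kerberos token buffer in bytes (assumption)
SID_LIMIT = 1024        # SIDs a single access token can hold (assumption)

# Constructed sample: direct "member of" edges and group scopes
# (G = global, U = universal in the account domain, DL = domain local).
MEMBER_OF = {
    "alice": ["Proj-A-RW", "Proj-B-RO", "Senior-Managers"],
    "Senior-Managers": ["All-Managers", "Proj-C-RW"],
    "All-Managers": ["Staff", "Senior-Managers"],  # circular nesting on purpose
    "Proj-A-RW": ["Share-Projects-DL"],
    "Proj-B-RO": ["Share-Projects-DL"],
    "Proj-C-RW": ["Share-Projects-DL"],
}
SCOPE = {"Proj-A-RW": "G", "Proj-B-RO": "G", "Proj-C-RW": "G",
         "Senior-Managers": "G", "All-Managers": "G", "Staff": "U",
         "Share-Projects-DL": "DL"}

def effective_groups(principal, member_of):
    """Return {group: nesting depth} for every group reachable from principal."""
    depth = {}
    queue = deque((g, 1) for g in member_of.get(principal, []))
    while queue:
        group, d = queue.popleft()
        if group in depth:  # already expanded; this also breaks cycles
            continue
        depth[group] = d
        queue.extend((parent, d + 1) for parent in member_of.get(group, []))
    return depth

def estimate_token_bytes(groups, scope):
    """Estimate 1200 + 40*d + 8*s: d = domain local, s = global/universal."""
    d = sum(1 for g in groups if scope.get(g) == "DL")
    s = sum(1 for g in groups if scope.get(g) in ("G", "U"))
    return 1200 + 40 * d + 8 * s

def audit(principal, member_of, scope):
    """Summarise direct vs nested membership and compare against both limits."""
    depth = effective_groups(principal, member_of)
    size = estimate_token_bytes(depth, scope)
    return {"direct": sum(1 for d in depth.values() if d == 1),
            "nested": sum(1 for d in depth.values() if d > 1),
            "token_bytes": size,
            "over_buffer": size > MAX_TOKEN_SIZE,
            # counts group SIDs only; the token also carries the user's own SID
            "over_sid_limit": len(depth) >= SID_LIMIT}

if __name__ == "__main__":
    print(audit("alice", MEMBER_OF, SCOPE))
```

In this estimate a domain local group costs five times as much as a global one, so the same 750 memberships can sit inside or far outside the buffer depending on group scope.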
 
Thanks for that response Mike, not quite what I wanted to hear, but at least
you have confirmed my own views. Unfortunately my company uses AD security
group membership to define access to individual directories for ongoing
project work, so if you happen to be a senior manager, it is feasible that you
end up being a member of a huge amount of groups, especially with our nested
group structure.

We are looking into alternatives (namely some sort of document control) but
have not come across anything simple enough for users to utilise like a file
structure accessed as a normal network drive, but with the flexibility of
being able to the granular access control like NTFS.

Cheers

Ray
 
Raymond Breen said:
Thanks for that response Mike, not quite what I wanted to hear, but at
least you have confirmed my own views. Unfortunately my company uses AD
security group membership to define access to individual directories for
ongoing project work, so if you happen to be a senior manager, it is
feasible that you end up being a member of a huge amount of groups,
especially with our nested group structure.

We are looking into alternatives (namely some sort of document control) but
have not come across anything simple enough for users to utilise like a
file structure accessed as a normal network drive, but with the
flexibility of being able to the granular access control like NTFS.

One thing I would say is - archive.
Once your projects are wrapped - then if possible archive them and remove
all those group memberships associated with them.

--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups
 