Too many groups problem

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Hi All,

After rebuilding several machines to windows xp, we are experiencing
problems where certain users if they are members of quite a few groups
(750+) encounter problems running group policy and general authentication
issues on the domain.

This only happens to those accounts, so i have ruled out the machines
themselves. As part of the process we also move the user and machine into a
new o/u structure. I have followed all of microsofts recommendations for
increasing token size, kerberos logging , group policy diagnosis all without
finding a solution.

Has anyone else came across this and managed to get the issues resolved?
3 answers Last reply
More about groups problem
  1. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    "Raymond Breen" <deathmatchuk@hotmail.com> wrote in message
    news:O55jh8nZFHA.2520@TK2MSFTNGP09.phx.gbl...
    > Hi All,
    >
    > After rebuilding several machines to windows xp, we are experiencing
    > problems where certain users if they are members of quite a few groups
    > (750+) encounter problems running group policy and general authentication
    > issues on the domain.
    >
    > This only happens to those accounts, so i have ruled out the machines
    > themselves. As part of the process we also move the user and machine into
    > a new o/u structure. I have followed all of microsofts recommendations for
    > increasing token size, kerberos logging , group policy diagnosis all
    > without finding a solution.
    >
    > Has anyone else came across this and managed to get the issues resolved?

    Yes this is a known issue.
    You need to re architect to reduce the number of groups your users are a
    member of.
    750+ groups is excessive. You need to consider why they are and continue to
    be a member of so many different groups.
    I also suspect that you may also have some nesting taking place to
    accumulate more group membership - this too should be investigated.
    If you keep on going at this rate you will encounter a situation where users
    will be unable to logon at all.

    --

    Regards,

    Mike
    --
    Mike Brannigan [Microsoft]

    This posting is provided "AS IS" with no warranties, and confers no
    rights

    Please note I cannot respond to e-mailed questions, please use these
    newsgroups

    "Raymond Breen" <deathmatchuk@hotmail.com> wrote in message
    news:O55jh8nZFHA.2520@TK2MSFTNGP09.phx.gbl...
    > Hi All,
    >
    > After rebuilding several machines to windows xp, we are experiencing
    > problems where certain users if they are members of quite a few groups
    > (750+) encounter problems running group policy and general authentication
    > issues on the domain.
    >
    > This only happens to those accounts, so i have ruled out the machines
    > themselves. As part of the process we also move the user and machine into
    > a new o/u structure. I have followed all of microsofts recommendations for
    > increasing token size, kerberos logging , group policy diagnosis all
    > without finding a solution.
    >
    > Has anyone else came across this and managed to get the issues resolved?
    >
  2. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    Thanks for that response Mike, not quite what I wanted to hear, but at least
    you have confirmed my own views. Unfortunately my company uses ad securty
    group membership to define access to invididual directories for ongoing
    project work, so if you happen to be senior manager, it is feasible that you
    end up being a member of a huge amount of groups, especially with our nested
    group structure.

    We are looking into alternatives(namely some sort of document control) but
    have not came across anything simple enough for users to utilise like a file
    structure accessed as a normal network drive, but with the flexibility of
    being able to the granular access control like ntfs

    Cheers

    Ray


    "Mike Brannigan [MSFT]" <mikebran@online.microsoft.com> wrote in message
    news:%239W1etpZFHA.3152@TK2MSFTNGP14.phx.gbl...
    > "Raymond Breen" <deathmatchuk@hotmail.com> wrote in message
    > news:O55jh8nZFHA.2520@TK2MSFTNGP09.phx.gbl...
    >> Hi All,
    >>
    >> After rebuilding several machines to windows xp, we are experiencing
    >> problems where certain users if they are members of quite a few groups
    >> (750+) encounter problems running group policy and general authentication
    >> issues on the domain.
    >>
    >> This only happens to those accounts, so i have ruled out the machines
    >> themselves. As part of the process we also move the user and machine into
    >> a new o/u structure. I have followed all of microsofts recommendations
    >> for increasing token size, kerberos logging , group policy diagnosis all
    >> without finding a solution.
    >>
    >> Has anyone else came across this and managed to get the issues resolved?
    >
    > Yes this is a known issue.
    > You need to re architect to reduce the number of groups your users are a
    > member of.
    > 750+ groups is excessive. You need to consider why they are and continue
    > to be a member of so many different groups.
    > I also suspect that you may also have some nesting taking place to
    > accumulate more group membership - this too should be investigated.
    > If you keep on going at this rate you will encounter a situation where
    > users will be unable to logon at all.
    >
    > --
    >
    > Regards,
    >
    > Mike
    > --
    > Mike Brannigan [Microsoft]
    >
    > This posting is provided "AS IS" with no warranties, and confers no
    > rights
    >
    > Please note I cannot respond to e-mailed questions, please use these
    > newsgroups
    >
    > "Raymond Breen" <deathmatchuk@hotmail.com> wrote in message
    > news:O55jh8nZFHA.2520@TK2MSFTNGP09.phx.gbl...
    >> Hi All,
    >>
    >> After rebuilding several machines to windows xp, we are experiencing
    >> problems where certain users if they are members of quite a few groups
    >> (750+) encounter problems running group policy and general authentication
    >> issues on the domain.
    >>
    >> This only happens to those accounts, so i have ruled out the machines
    >> themselves. As part of the process we also move the user and machine into
    >> a new o/u structure. I have followed all of microsofts recommendations
    >> for increasing token size, kerberos logging , group policy diagnosis all
    >> without finding a solution.
    >>
    >> Has anyone else came across this and managed to get the issues resolved?
    >>
    >
    >
  3. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    "Raymond Breen" <deathmatchuk@hotmail.com> wrote in message
    news:uP6Z1$qZFHA.3032@TK2MSFTNGP10.phx.gbl...
    > Thanks for that response Mike, not quite what I wanted to hear, but at
    > least you have confirmed my own views. Unfortunately my company uses ad
    > securty group membership to define access to invididual directories for
    > ongoing project work, so if you happen to be senior manager, it is
    > feasible that you end up being a member of a huge amount of groups,
    > especially with our nested group structure.
    >
    > We are looking into alternatives(namely some sort of document control) but
    > have not came across anything simple enough for users to utilise like a
    > file structure accessed as a normal network drive, but with the
    > flexibility of being able to the granular access control like ntfs
    >

    One thing I would say is - archive.
    Once your projects are wrapped - then if possible archive them and remove
    all those group membership associated with it.

    --

    Regards,

    Mike
    --
    Mike Brannigan [Microsoft]

    This posting is provided "AS IS" with no warranties, and confers no
    rights

    Please note I cannot respond to e-mailed questions, please use these
    newsgroups

    "Raymond Breen" <deathmatchuk@hotmail.com> wrote in message
    news:uP6Z1$qZFHA.3032@TK2MSFTNGP10.phx.gbl...
    > Thanks for that response Mike, not quite what I wanted to hear, but at
    > least you have confirmed my own views. Unfortunately my company uses ad
    > securty group membership to define access to invididual directories for
    > ongoing project work, so if you happen to be senior manager, it is
    > feasible that you end up being a member of a huge amount of groups,
    > especially with our nested group structure.
    >
    > We are looking into alternatives(namely some sort of document control) but
    > have not came across anything simple enough for users to utilise like a
    > file structure accessed as a normal network drive, but with the
    > flexibility of being able to the granular access control like ntfs
    >
    > Cheers
    >
    > Ray
    >
    >
    > "Mike Brannigan [MSFT]" <mikebran@online.microsoft.com> wrote in message
    > news:%239W1etpZFHA.3152@TK2MSFTNGP14.phx.gbl...
    >> "Raymond Breen" <deathmatchuk@hotmail.com> wrote in message
    >> news:O55jh8nZFHA.2520@TK2MSFTNGP09.phx.gbl...
    >>> Hi All,
    >>>
    >>> After rebuilding several machines to windows xp, we are experiencing
    >>> problems where certain users if they are members of quite a few groups
    >>> (750+) encounter problems running group policy and general
    >>> authentication issues on the domain.
    >>>
    >>> This only happens to those accounts, so i have ruled out the machines
    >>> themselves. As part of the process we also move the user and machine
    >>> into a new o/u structure. I have followed all of microsofts
    >>> recommendations for increasing token size, kerberos logging , group
    >>> policy diagnosis all without finding a solution.
    >>>
    >>> Has anyone else came across this and managed to get the issues resolved?
    >>
    >> Yes this is a known issue.
    >> You need to re architect to reduce the number of groups your users are a
    >> member of.
    >> 750+ groups is excessive. You need to consider why they are and continue
    >> to be a member of so many different groups.
    >> I also suspect that you may also have some nesting taking place to
    >> accumulate more group membership - this too should be investigated.
    >> If you keep on going at this rate you will encounter a situation where
    >> users will be unable to logon at all.
    >>
    >> --
    >>
    >> Regards,
    >>
    >> Mike
    >> --
    >> Mike Brannigan [Microsoft]
    >>
    >> This posting is provided "AS IS" with no warranties, and confers no
    >> rights
    >>
    >> Please note I cannot respond to e-mailed questions, please use these
    >> newsgroups
    >>
    >> "Raymond Breen" <deathmatchuk@hotmail.com> wrote in message
    >> news:O55jh8nZFHA.2520@TK2MSFTNGP09.phx.gbl...
    >>> Hi All,
    >>>
    >>> After rebuilding several machines to windows xp, we are experiencing
    >>> problems where certain users if they are members of quite a few groups
    >>> (750+) encounter problems running group policy and general
    >>> authentication issues on the domain.
    >>>
    >>> This only happens to those accounts, so i have ruled out the machines
    >>> themselves. As part of the process we also move the user and machine
    >>> into a new o/u structure. I have followed all of microsofts
    >>> recommendations for increasing token size, kerberos logging , group
    >>> policy diagnosis all without finding a solution.
    >>>
    >>> Has anyone else came across this and managed to get the issues resolved?
    >>>
    >>
    >>
    >
    >
Ask a new question

Read More

Windows XP