Archived from groups: microsoft.public.windowsxp.security_admin
"Raymond Breen" <deathmatchuk@hotmail.com> wrote in message
news:uP6Z1$qZFHA.3032@TK2MSFTNGP10.phx.gbl...
> Thanks for that response Mike, not quite what I wanted to hear, but at
> least you have confirmed my own views. Unfortunately my company uses AD
> security group membership to define access to individual directories for
> ongoing project work, so if you happen to be a senior manager, it is
> feasible that you end up being a member of a huge number of groups,
> especially with our nested group structure.
>
> We are looking into alternatives (namely some sort of document control) but
> have not come across anything simple enough for users to utilise like a
> file structure accessed as a normal network drive, but with the
> flexibility of being able to the granular access control like NTFS
>
One thing I would say is - archive.
Once your projects are wrapped - then if possible archive them and remove
all those group memberships associated with them.
--
Regards,
Mike
--
Mike Brannigan [Microsoft]
This posting is provided "AS IS" with no warranties, and confers no
rights
Please note I cannot respond to e-mailed questions, please use these
newsgroups
> "Mike Brannigan [MSFT]" <mikebran@online.microsoft.com> wrote in message
> news:%239W1etpZFHA.3152@TK2MSFTNGP14.phx.gbl...
>> "Raymond Breen" <deathmatchuk@hotmail.com> wrote in message
>> news:O55jh8nZFHA.2520@TK2MSFTNGP09.phx.gbl...
>>> Hi All,
>>>
>>> After rebuilding several machines to Windows XP, we are experiencing
>>> problems where certain users, if they are members of quite a few groups
>>> (750+), encounter problems running group policy and general
>>> authentication issues on the domain.
>>>
>>> This only happens to those accounts, so I have ruled out the machines
>>> themselves. As part of the process we also move the user and machine
>>> into a new OU structure. I have followed all of Microsoft's
>>> recommendations for increasing token size, Kerberos logging, group
>>> policy diagnosis, all without finding a solution.
>>>
>>> Has anyone else come across this and managed to get the issues resolved?
>>
>> Yes, this is a known issue.
>> You need to re-architect to reduce the number of groups your users are a
>> member of.
>> 750+ groups is excessive. You need to consider why they are and continue
>> to be a member of so many different groups.
>> I also suspect that you may also have some nesting taking place to
>> accumulate more group membership - this too should be investigated.
>> If you keep on going at this rate you will encounter a situation where
>> users will be unable to log on at all.
>>
>> --
>>
>> Regards,
>>
>> Mike
>> --
>> Mike Brannigan [Microsoft]
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights
>>
>> Please note I cannot respond to e-mailed questions, please use these
>> newsgroups
>>
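Added example, not part of the original thread: a Python sketch that expands nested group membership and estimates the resulting token size with Microsoft's published formula, TokenSize = 1200 + 40d + 8s, to show why nesting and group scope matter for the problem discussed above. The group names, the sample directory and the 12000-byte MaxTokenSize are constructed assumptions, and every universal group is assumed to be in the user's own domain.

```python
from collections import deque

TOKEN_OVERHEAD = 1200    # bytes, from Microsoft's published estimate formula
MAX_TOKEN_SIZE = 12000   # assumed MaxTokenSize; use the value set on your machines
MAX_GROUP_SIDS = 1015    # documented ceiling on group SIDs in one access token

# Constructed sample: group -> (scope, groups it is itself a member of).
GROUPS = {
    "PRJ-Alpha-RW": ("domain_local", []),
    "PRJ-Beta-RW":  ("domain_local", []),
    "All-Projects": ("universal", []),
    "Alpha-Team":   ("global", ["PRJ-Alpha-RW", "All-Projects", "Senior-Mgmt"]),
    "Beta-Team":    ("global", ["PRJ-Beta-RW", "All-Projects"]),
    "Senior-Mgmt":  ("global", ["Alpha-Team", "Beta-Team"]),  # circular nesting
}

def expand(direct, groups):
    """Return every group reached through nested membership (cycle-safe)."""
    seen, queue = set(), deque(direct)
    while queue:
        name = queue.popleft()
        if name not in seen:
            seen.add(name)
            queue.extend(groups[name][1])
    return seen

def estimate(direct, groups, sid_history=0, max_token=MAX_TOKEN_SIZE):
    """Estimate token bytes as 1200 + 40d + 8s for one user's direct groups."""
    effective = expand(direct, groups)
    local = sum(1 for g in effective if groups[g][0] == "domain_local")
    d = local + sid_history        # 40-byte entries
    s = len(effective) - local     # 8-byte entries: global and in-domain universal
    size = TOKEN_OVERHEAD + 40 * d + 8 * s
    return {"groups": len(effective), "d": d, "s": s, "bytes": size,
            "over_token": size > max_token,
            "over_sid_limit": len(effective) + sid_history > MAX_GROUP_SIDS}

def flat(count, scope):
    """Constructed user holding `count` un-nested groups of one scope."""
    groups = {f"G{i}": (scope, []) for i in range(count)}
    return list(groups), groups

if __name__ == "__main__":
    print("nested sample:", estimate(["Senior-Mgmt"], GROUPS))
    for scope in ("global", "domain_local"):
        print(f"750 x {scope}:", estimate(*flat(750, scope)))
```

One direct membership expands to six effective groups in the sample, and 750 domain local groups overrun the assumed buffer while 750 global groups do not, so an audit should count effective membership per scope, not direct membership.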