Sign in with
Sign up | Sign in
Your question

Too many groups problem

Last response: in Windows XP
Share
Anonymous
June 1, 2005 12:54:23 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Hi All,

After rebuilding several machines to windows xp, we are experiencing
problems where certain users if they are members of quite a few groups
(750+) encounter problems running group policy and general authentication
issues on the domain.

This only happens to those accounts, so i have ruled out the machines
themselves. As part of the process we also move the user and machine into a
new o/u structure. I have followed all of microsofts recommendations for
increasing token size, kerberos logging , group policy diagnosis all without
finding a solution.

Has anyone else came across this and managed to get the issues resolved?

More about : groups problem

Anonymous
June 1, 2005 4:15:08 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

"Raymond Breen" <deathmatchuk@hotmail.com> wrote in message
news:o 55jh8nZFHA.2520@TK2MSFTNGP09.phx.gbl...
> Hi All,
>
> After rebuilding several machines to windows xp, we are experiencing
> problems where certain users if they are members of quite a few groups
> (750+) encounter problems running group policy and general authentication
> issues on the domain.
>
> This only happens to those accounts, so i have ruled out the machines
> themselves. As part of the process we also move the user and machine into
> a new o/u structure. I have followed all of microsofts recommendations for
> increasing token size, kerberos logging , group policy diagnosis all
> without finding a solution.
>
> Has anyone else came across this and managed to get the issues resolved?

Yes this is a known issue.
You need to re architect to reduce the number of groups your users are a
member of.
750+ groups is excessive. You need to consider why they are and continue to
be a member of so many different groups.
I also suspect that you may also have some nesting taking place to
accumulate more group membership - this too should be investigated.
If you keep on going at this rate you will encounter a situation where users
will be unable to logon at all.

--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups

"Raymond Breen" <deathmatchuk@hotmail.com> wrote in message
news:o 55jh8nZFHA.2520@TK2MSFTNGP09.phx.gbl...
> Hi All,
>
> After rebuilding several machines to windows xp, we are experiencing
> problems where certain users if they are members of quite a few groups
> (750+) encounter problems running group policy and general authentication
> issues on the domain.
>
> This only happens to those accounts, so i have ruled out the machines
> themselves. As part of the process we also move the user and machine into
> a new o/u structure. I have followed all of microsofts recommendations for
> increasing token size, kerberos logging , group policy diagnosis all
> without finding a solution.
>
> Has anyone else came across this and managed to get the issues resolved?
>
Anonymous
June 1, 2005 6:43:39 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Thanks for that response Mike, not quite what I wanted to hear, but at least
you have confirmed my own views. Unfortunately my company uses ad securty
group membership to define access to invididual directories for ongoing
project work, so if you happen to be senior manager, it is feasible that you
end up being a member of a huge amount of groups, especially with our nested
group structure.

We are looking into alternatives(namely some sort of document control) but
have not came across anything simple enough for users to utilise like a file
structure accessed as a normal network drive, but with the flexibility of
being able to the granular access control like ntfs

Cheers

Ray


"Mike Brannigan [MSFT]" <mikebran@online.microsoft.com> wrote in message
news:%239W1etpZFHA.3152@TK2MSFTNGP14.phx.gbl...
> "Raymond Breen" <deathmatchuk@hotmail.com> wrote in message
> news:o 55jh8nZFHA.2520@TK2MSFTNGP09.phx.gbl...
>> Hi All,
>>
>> After rebuilding several machines to windows xp, we are experiencing
>> problems where certain users if they are members of quite a few groups
>> (750+) encounter problems running group policy and general authentication
>> issues on the domain.
>>
>> This only happens to those accounts, so i have ruled out the machines
>> themselves. As part of the process we also move the user and machine into
>> a new o/u structure. I have followed all of microsofts recommendations
>> for increasing token size, kerberos logging , group policy diagnosis all
>> without finding a solution.
>>
>> Has anyone else came across this and managed to get the issues resolved?
>
> Yes this is a known issue.
> You need to re architect to reduce the number of groups your users are a
> member of.
> 750+ groups is excessive. You need to consider why they are and continue
> to be a member of so many different groups.
> I also suspect that you may also have some nesting taking place to
> accumulate more group membership - this too should be investigated.
> If you keep on going at this rate you will encounter a situation where
> users will be unable to logon at all.
>
> --
>
> Regards,
>
> Mike
> --
> Mike Brannigan [Microsoft]
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights
>
> Please note I cannot respond to e-mailed questions, please use these
> newsgroups
>
> "Raymond Breen" <deathmatchuk@hotmail.com> wrote in message
> news:o 55jh8nZFHA.2520@TK2MSFTNGP09.phx.gbl...
>> Hi All,
>>
>> After rebuilding several machines to windows xp, we are experiencing
>> problems where certain users if they are members of quite a few groups
>> (750+) encounter problems running group policy and general authentication
>> issues on the domain.
>>
>> This only happens to those accounts, so i have ruled out the machines
>> themselves. As part of the process we also move the user and machine into
>> a new o/u structure. I have followed all of microsofts recommendations
>> for increasing token size, kerberos logging , group policy diagnosis all
>> without finding a solution.
>>
>> Has anyone else came across this and managed to get the issues resolved?
>>
>
>
Anonymous
June 1, 2005 7:27:09 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

"Raymond Breen" <deathmatchuk@hotmail.com> wrote in message
news:uP6Z1$qZFHA.3032@TK2MSFTNGP10.phx.gbl...
> Thanks for that response Mike, not quite what I wanted to hear, but at
> least you have confirmed my own views. Unfortunately my company uses ad
> securty group membership to define access to invididual directories for
> ongoing project work, so if you happen to be senior manager, it is
> feasible that you end up being a member of a huge amount of groups,
> especially with our nested group structure.
>
> We are looking into alternatives(namely some sort of document control) but
> have not came across anything simple enough for users to utilise like a
> file structure accessed as a normal network drive, but with the
> flexibility of being able to the granular access control like ntfs
>

One thing I would say is - archive.
Once your projects are wrapped - then if possible archive them and remove
all those group membership associated with it.

--

Regards,

Mike
--
Mike Brannigan [Microsoft]

This posting is provided "AS IS" with no warranties, and confers no
rights

Please note I cannot respond to e-mailed questions, please use these
newsgroups

"Raymond Breen" <deathmatchuk@hotmail.com> wrote in message
news:uP6Z1$qZFHA.3032@TK2MSFTNGP10.phx.gbl...
> Thanks for that response Mike, not quite what I wanted to hear, but at
> least you have confirmed my own views. Unfortunately my company uses ad
> securty group membership to define access to invididual directories for
> ongoing project work, so if you happen to be senior manager, it is
> feasible that you end up being a member of a huge amount of groups,
> especially with our nested group structure.
>
> We are looking into alternatives(namely some sort of document control) but
> have not came across anything simple enough for users to utilise like a
> file structure accessed as a normal network drive, but with the
> flexibility of being able to the granular access control like ntfs
>
> Cheers
>
> Ray
>
>
> "Mike Brannigan [MSFT]" <mikebran@online.microsoft.com> wrote in message
> news:%239W1etpZFHA.3152@TK2MSFTNGP14.phx.gbl...
>> "Raymond Breen" <deathmatchuk@hotmail.com> wrote in message
>> news:o 55jh8nZFHA.2520@TK2MSFTNGP09.phx.gbl...
>>> Hi All,
>>>
>>> After rebuilding several machines to windows xp, we are experiencing
>>> problems where certain users if they are members of quite a few groups
>>> (750+) encounter problems running group policy and general
>>> authentication issues on the domain.
>>>
>>> This only happens to those accounts, so i have ruled out the machines
>>> themselves. As part of the process we also move the user and machine
>>> into a new o/u structure. I have followed all of microsofts
>>> recommendations for increasing token size, kerberos logging , group
>>> policy diagnosis all without finding a solution.
>>>
>>> Has anyone else came across this and managed to get the issues resolved?
>>
>> Yes this is a known issue.
>> You need to re architect to reduce the number of groups your users are a
>> member of.
>> 750+ groups is excessive. You need to consider why they are and continue
>> to be a member of so many different groups.
>> I also suspect that you may also have some nesting taking place to
>> accumulate more group membership - this too should be investigated.
>> If you keep on going at this rate you will encounter a situation where
>> users will be unable to logon at all.
>>
>> --
>>
>> Regards,
>>
>> Mike
>> --
>> Mike Brannigan [Microsoft]
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights
>>
>> Please note I cannot respond to e-mailed questions, please use these
>> newsgroups
>>
>> "Raymond Breen" <deathmatchuk@hotmail.com> wrote in message
>> news:o 55jh8nZFHA.2520@TK2MSFTNGP09.phx.gbl...
>>> Hi All,
>>>
>>> After rebuilding several machines to windows xp, we are experiencing
>>> problems where certain users if they are members of quite a few groups
>>> (750+) encounter problems running group policy and general
>>> authentication issues on the domain.
>>>
>>> This only happens to those accounts, so i have ruled out the machines
>>> themselves. As part of the process we also move the user and machine
>>> into a new o/u structure. I have followed all of microsofts
>>> recommendations for increasing token size, kerberos logging , group
>>> policy diagnosis all without finding a solution.
>>>
>>> Has anyone else came across this and managed to get the issues resolved?
>>>
>>
>>
>
>
!