Solved

how to restrict the amount of users to an Active Directory group

Posted on 2014-09-28
5
672 Views
Last Modified: 2014-09-30
Hi Guys,

As stated above, is this possible?  If so, does anyone know how to complete this as i have been unable to find any information regarding it.

Thanks for your time

Regards,
0
Comment
Question by:BCSITS
  • 2
  • 2
5 Comments
 
LVL 1

Assisted Solution

by:R R
R R earned 250 total points
ID: 40349373
Not possible using generic config..

http://technet.microsoft.com/en-us/library/active-directory-maximum-limits-scalability(v=ws.10).aspx#BKMK_Objects

Recommended Maximum Number of Users in a Group
For Windows 2000 Active Directory environments, the recommended maximum number of members in a group is 5,000. This recommendation is based on the number of concurrent atomic changes that can be committed in a single database transaction.
Starting with Windows Server 2003, the ability to replicate discrete changes to linked multivalued properties was introduced as a technology called Linked Value Replication (LVR). To enable LVR, you must increase the forest functional level to at least Windows Server 2003 interim. Increasing the forest functional level changes the way that group membership (and other linked multivalued attributes) is stored in the database and replicated between domain controllers. This allows the number of group memberships to exceed the former recommended limit of 5,000 for Windows 2000 or Windows Server 2003 at a forest functional level of Windows 2000.
So far, testing in this area has yet to reveal any new recommended limits to the number of members in a group or any other linked multivalued attribute. Production environments have been reported to exceed 4 million members, and Microsoft scalability testing reached 500 million members.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40350988
Hi.

Please tell us why you would like to do this.
Surely we can setup measures that at least count the members automatically and set off some alarm measures.
0
 

Author Comment

by:BCSITS
ID: 40351213
thanks for your replies.

i have a licencing issue that i need to address and limiting the amount of users to an AD group will help avoid future issues.

I need to restrict the amount of users to a group to be a total of 50.  this way, if number 51 tries to be added, it will generate an error and force an existing user to be removed first.

is this possible?

thanks for your feedback
0
 
LVL 54

Accepted Solution

by:
McKnife earned 250 total points
ID: 40351660
This is not possible using what windows offers.
You would have to script-check the number of members, script-check who was put in last and remove those again. Possible but complicated.
Wouldn't it be better to tell those that are able to add members to that group that there's a limit? Or limit the numbers of people who are able to modify that group to those who know AND care?
0
 

Author Closing Comment

by:BCSITS
ID: 40353613
thanks for your feedback
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This article runs through the process of deploying a single EXE application selectively to a group of user.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now