Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1188
  • Last Modified:

how to restrict the amount of users to an Active Directory group

Hi Guys,

As stated above, is this possible?  If so, does anyone know how to complete this as i have been unable to find any information regarding it.

Thanks for your time

Regards,
0
BCSITS
Asked:
BCSITS
  • 2
  • 2
2 Solutions
 
R RCommented:
Not possible using generic config..

http://technet.microsoft.com/en-us/library/active-directory-maximum-limits-scalability(v=ws.10).aspx#BKMK_Objects

Recommended Maximum Number of Users in a Group
For Windows 2000 Active Directory environments, the recommended maximum number of members in a group is 5,000. This recommendation is based on the number of concurrent atomic changes that can be committed in a single database transaction.
Starting with Windows Server 2003, the ability to replicate discrete changes to linked multivalued properties was introduced as a technology called Linked Value Replication (LVR). To enable LVR, you must increase the forest functional level to at least Windows Server 2003 interim. Increasing the forest functional level changes the way that group membership (and other linked multivalued attributes) is stored in the database and replicated between domain controllers. This allows the number of group memberships to exceed the former recommended limit of 5,000 for Windows 2000 or Windows Server 2003 at a forest functional level of Windows 2000.
So far, testing in this area has yet to reveal any new recommended limits to the number of members in a group or any other linked multivalued attribute. Production environments have been reported to exceed 4 million members, and Microsoft scalability testing reached 500 million members.
0
 
McKnifeCommented:
Hi.

Please tell us why you would like to do this.
Surely we can setup measures that at least count the members automatically and set off some alarm measures.
0
 
BCSITSAuthor Commented:
thanks for your replies.

i have a licencing issue that i need to address and limiting the amount of users to an AD group will help avoid future issues.

I need to restrict the amount of users to a group to be a total of 50.  this way, if number 51 tries to be added, it will generate an error and force an existing user to be removed first.

is this possible?

thanks for your feedback
0
 
McKnifeCommented:
This is not possible using what windows offers.
You would have to script-check the number of members, script-check who was put in last and remove those again. Possible but complicated.
Wouldn't it be better to tell those that are able to add members to that group that there's a limit? Or limit the numbers of people who are able to modify that group to those who know AND care?
0
 
BCSITSAuthor Commented:
thanks for your feedback
0

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now