Solved

How to restrict the amount of users to an Active Directory group

Posted on 2014-09-28
Last Modified: 2014-09-30
Hi Guys,

As stated above, is this possible? If so, does anyone know how to complete this, as I have been unable to find any information regarding it?

Thanks for your time

Regards,
0
Question by:BCSITS
5 Comments
 
LVL 1

Assisted Solution

by:R R
R R earned 1000 total points
ID: 40349373
Not possible using generic config.

http://technet.microsoft.com/en-us/library/active-directory-maximum-limits-scalability(v=ws.10).aspx#BKMK_Objects

Recommended Maximum Number of Users in a Group
For Windows 2000 Active Directory environments, the recommended maximum number of members in a group is 5,000. This recommendation is based on the number of concurrent atomic changes that can be committed in a single database transaction.
Starting with Windows Server 2003, the ability to replicate discrete changes to linked multivalued properties was introduced as a technology called Linked Value Replication (LVR). To enable LVR, you must increase the forest functional level to at least Windows Server 2003 interim. Increasing the forest functional level changes the way that group membership (and other linked multivalued attributes) is stored in the database and replicated between domain controllers. This allows the number of group memberships to exceed the former recommended limit of 5,000 for Windows 2000 or Windows Server 2003 at a forest functional level of Windows 2000.
So far, testing in this area has yet to reveal any new recommended limits to the number of members in a group or any other linked multivalued attribute. Production environments have been reported to exceed 4 million members, and Microsoft scalability testing reached 500 million members.
0
 
LVL 56

Expert Comment

by:McKnife
ID: 40350988
Hi.

Please tell us why you would like to do this.
Surely we can set up measures that at least count the members automatically and set off some alarm measures.
0
 

Author Comment

by:BCSITS
ID: 40351213
Thanks for your replies.

I have a licensing issue that I need to address, and limiting the amount of users to an AD group will help avoid future issues.

I need to restrict the amount of users to a group to be a total of 50. This way, if number 51 tries to be added, it will generate an error and force an existing user to be removed first.

Is this possible?

Thanks for your feedback
0
 
LVL 56

Accepted Solution

by:
McKnife earned 1000 total points
ID: 40351660
This is not possible using what Windows offers.
You would have to script-check the number of members, script-check who was put in last and remove those again. Possible but complicated.
Wouldn't it be better to tell those that are able to add members to that group that there's a limit? Or limit the numbers of people who are able to modify that group to those who know AND care?
0
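The script-check described in the accepted answer, as an added PowerShell example that is not part of the original thread: it counts the group's direct members, uses per-value replication metadata to find which links were created last, and reports them (removing them only when `-Remove` is given). The group name `Licensed-App-Users` is a hypothetical placeholder; the script assumes the ActiveDirectory RSAT module and a forest functional level with Linked Value Replication enabled.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$GroupName = 'Licensed-App-Users',  # hypothetical group name (assumption)
    [int]$MaxMembers   = 50,                    # the limit asked for in the question
    [switch]$Remove                             # without this switch the script only reports
)

# Query one DC consistently so the member list and the metadata agree.
$dc      = (Get-ADDomain).PDCEmulator
$group   = Get-ADGroup -Identity $GroupName -Properties member -Server $dc
$current = @($group.member)                     # DNs of direct members (nested groups count as 1)
$excess  = $current.Count - $MaxMembers

if ($excess -le 0) {
    Write-Output "$GroupName has $($current.Count) of $MaxMembers members: OK"
    return
}

# With Linked Value Replication each member link carries its own metadata,
# including the time the link was first created. Links that were removed
# still appear in the metadata, so keep only DNs that are members right now.
$newest = Get-ADReplicationAttributeMetadata -Object $group.DistinguishedName `
              -Server $dc -ShowAllLinkedValues -Properties member |
          Where-Object { $current -contains $_.AttributeValue } |
          Sort-Object FirstOriginatingCreateTime -Descending |
          Select-Object -First $excess

foreach ($link in $newest) {
    # The "alarm": a warning per excess member, newest addition first.
    Write-Warning ("{0} over limit: {1} added {2:u}" -f $GroupName,
                   $link.AttributeValue, $link.FirstOriginatingCreateTime)

    if ($Remove -and
        $PSCmdlet.ShouldProcess($link.AttributeValue, "Remove from $GroupName")) {
        Remove-ADGroupMember -Identity $group -Members $link.AttributeValue `
            -Server $dc -Confirm:$false
    }
}
```

Run on a schedule, this detects an over-limit group after the fact rather than blocking the 51st addition; adding `-WhatIf` alongside `-Remove` shows what would be removed without changing the group.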
 

Author Closing Comment

by:BCSITS
ID: 40353613
Thanks for your feedback
0
