Solved

how to restrict the amount of users to an Active Directory group

Posted on 2014-09-28
5
846 Views
Last Modified: 2014-09-30
Hi Guys,

As stated above, is this possible?  If so, does anyone know how to complete this as i have been unable to find any information regarding it.

Thanks for your time

Regards,
0
Comment
Question by:BCSITS
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 1

Assisted Solution

by:R R
R R earned 250 total points
ID: 40349373
Not possible using generic config..

http://technet.microsoft.com/en-us/library/active-directory-maximum-limits-scalability(v=ws.10).aspx#BKMK_Objects

Recommended Maximum Number of Users in a Group
For Windows 2000 Active Directory environments, the recommended maximum number of members in a group is 5,000. This recommendation is based on the number of concurrent atomic changes that can be committed in a single database transaction.
Starting with Windows Server 2003, the ability to replicate discrete changes to linked multivalued properties was introduced as a technology called Linked Value Replication (LVR). To enable LVR, you must increase the forest functional level to at least Windows Server 2003 interim. Increasing the forest functional level changes the way that group membership (and other linked multivalued attributes) is stored in the database and replicated between domain controllers. This allows the number of group memberships to exceed the former recommended limit of 5,000 for Windows 2000 or Windows Server 2003 at a forest functional level of Windows 2000.
So far, testing in this area has yet to reveal any new recommended limits to the number of members in a group or any other linked multivalued attribute. Production environments have been reported to exceed 4 million members, and Microsoft scalability testing reached 500 million members.
0
 
LVL 55

Expert Comment

by:McKnife
ID: 40350988
Hi.

Please tell us why you would like to do this.
Surely we can setup measures that at least count the members automatically and set off some alarm measures.
0
 

Author Comment

by:BCSITS
ID: 40351213
thanks for your replies.

i have a licencing issue that i need to address and limiting the amount of users to an AD group will help avoid future issues.

I need to restrict the amount of users to a group to be a total of 50.  this way, if number 51 tries to be added, it will generate an error and force an existing user to be removed first.

is this possible?

thanks for your feedback
0
 
LVL 55

Accepted Solution

by:
McKnife earned 250 total points
ID: 40351660
This is not possible using what windows offers.
You would have to script-check the number of members, script-check who was put in last and remove those again. Possible but complicated.
Wouldn't it be better to tell those that are able to add members to that group that there's a limit? Or limit the numbers of people who are able to modify that group to those who know AND care?
0
 

Author Closing Comment

by:BCSITS
ID: 40353613
thanks for your feedback
0

Featured Post

Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
Resolving an irritating Remote Desktop connection that stops your saved credentials from being used.
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

718 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question