Solved

how to restrict the amount of users to an Active Directory group

Posted on 2014-09-28
5
637 Views
Last Modified: 2014-09-30
Hi Guys,

As stated above, is this possible?  If so, does anyone know how to complete this as i have been unable to find any information regarding it.

Thanks for your time

Regards,
0
Comment
Question by:BCSITS
  • 2
  • 2
5 Comments
 
LVL 1

Assisted Solution

by:R R
R R earned 250 total points
ID: 40349373
Not possible using generic config..

http://technet.microsoft.com/en-us/library/active-directory-maximum-limits-scalability(v=ws.10).aspx#BKMK_Objects

Recommended Maximum Number of Users in a Group
For Windows 2000 Active Directory environments, the recommended maximum number of members in a group is 5,000. This recommendation is based on the number of concurrent atomic changes that can be committed in a single database transaction.
Starting with Windows Server 2003, the ability to replicate discrete changes to linked multivalued properties was introduced as a technology called Linked Value Replication (LVR). To enable LVR, you must increase the forest functional level to at least Windows Server 2003 interim. Increasing the forest functional level changes the way that group membership (and other linked multivalued attributes) is stored in the database and replicated between domain controllers. This allows the number of group memberships to exceed the former recommended limit of 5,000 for Windows 2000 or Windows Server 2003 at a forest functional level of Windows 2000.
So far, testing in this area has yet to reveal any new recommended limits to the number of members in a group or any other linked multivalued attribute. Production environments have been reported to exceed 4 million members, and Microsoft scalability testing reached 500 million members.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40350988
Hi.

Please tell us why you would like to do this.
Surely we can setup measures that at least count the members automatically and set off some alarm measures.
0
 

Author Comment

by:BCSITS
ID: 40351213
thanks for your replies.

i have a licencing issue that i need to address and limiting the amount of users to an AD group will help avoid future issues.

I need to restrict the amount of users to a group to be a total of 50.  this way, if number 51 tries to be added, it will generate an error and force an existing user to be removed first.

is this possible?

thanks for your feedback
0
 
LVL 53

Accepted Solution

by:
McKnife earned 250 total points
ID: 40351660
This is not possible using what windows offers.
You would have to script-check the number of members, script-check who was put in last and remove those again. Possible but complicated.
Wouldn't it be better to tell those that are able to add members to that group that there's a limit? Or limit the numbers of people who are able to modify that group to those who know AND care?
0
 

Author Closing Comment

by:BCSITS
ID: 40353613
thanks for your feedback
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now