Posted by Joe Richards [MVP] on May 30, 2006, 9:06 pm
Search the MSKB, there are about 4 or 5 articles on this. The answer is
"it depends". It varies by OS and bin levels due to various changes.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
MC wrote:
> Joe, you wrote about an interesting issue in Kerberos authentication.
> I have users which are members of about 250 groups (nested) and got troubles
> logging on to several systems.
> What is the maximum number of groups a user can be member of ?
>
> thanks
> MC
>
>
>
>> This is probably going to start an argument but I have never thought that
>> AGDLP or UGLy or whatever people want to call it was ever any good for a
>> mechanism for assigning permissions UNLESS you were trying to implement
>> some sort of role based scheme and even then I dislike it because the
>> person who is responsible for the resource security is getting too far
>> from the management of the security. I.E. They control their local group
>> but have no say over the global groups that get nested into it.
>>
>> I am and have been since about 1996 a huge fan of placing users directly
>> into the domain local or machine local groups where they get their
>> permissions from. This was said to be a great model for a master/resource
>> or multiple-master resource domain design and that couldn't have been
>> further from the truth as I managed a very huge multi-master environment
>> and trying to manage groups in this way makes no sense. It also doesn't
>> make sense in a single domain structure as well, so outside of the idea of
>> role based security I don't see anywhere where it should be used.
>>
>>
>> Plus... I think as we get more and more into issues with token and
>> Kerberos bloat issues more and more people are going to come over to my
>> way of thinking about this problem unless Microsoft does some major
>> restructuring in how groups are handled in general.
>>
>> Regardless of what you do, it is a policy decision (or technical if you
>> have a huge number of groups because you seriously need to worry about
>> token and kerb bloat then) and whatever you decide make sure to follow it
>> explicitly.
>>
>> joe
>>
>> --
>> Joe Richards Microsoft MVP Windows Server Directory Services
>> Author of O'Reilly Active Directory Third Edition
>> www.joeware.net
>>
>>
>> ---O'Reilly Active Directory Third Edition now available---
>>
>> http://www.joeware.net/win/ad3e.htm
>>
>>
>>
>> Bad Beagle wrote:
>>> I understand the concept of AGDLP for domain permissions but is there any
>>> benefit or issue with using the same DL groups when applying local
>>> permissions? For example I have a Group called G-HR which is a member of
>>> DL-HR and I need to make G-HR group local administrator permissions on a
>>> machine - should I use DL-HR or G-HR? Any difference?
>
>
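MC's question (a user in roughly 250 nested groups failing to log on) and Joe's warning about token bloat both come down to the same thing: the number of groups a user carries in a logon token is the transitive closure of nested membership, not the count of groups the user is directly placed in. The script below is an added example, not code from this thread or from Joe or MC. It walks a small constructed directory (the G-HR / DL-HR nesting from Bad Beagle's question, plus a deliberate nesting loop) the way Active Directory's `tokenGroups` computed attribute does, counts effective groups per user, and flags accounts over an assumed review threshold. The group and user names and the threshold value are constructed; the real limit, as Joe says, depends on OS and build.

```python
"""Expand nested AD-style group membership and count the groups a user
would carry in a logon token.  Added example, not from the thread.
The directory data below is constructed; replace it with an export of
your own groups' 'member' attributes (all names here are hypothetical)."""

from collections import deque

# Constructed directory: group -> direct members (users or other groups).
# Models the thread's AGDLP example: user in G-HR, G-HR nested in DL-HR.
DIRECTORY = {
    "DL-HR":         ["G-HR"],
    "G-HR":          ["alice", "G-HR-Managers"],
    "G-HR-Managers": ["bob"],
    "DL-Finance":    ["G-Finance"],
    "G-Finance":     ["alice", "DL-Finance"],   # constructed nesting loop
    "G-Everyone":    ["alice", "bob", "carol"],
}

# Assumed review threshold.  The thread's point is that the real limit
# "depends" on OS and build, so this is a constructed number, not the limit.
REVIEW_THRESHOLD = 5


def direct_groups(principal, directory=DIRECTORY):
    """Groups that list `principal` as a direct member (the memberOf view)."""
    return {g for g, members in directory.items() if principal in members}


def effective_groups(user, directory=DIRECTORY):
    """Transitive closure of group membership: every group the user is in
    directly, plus every group those groups are nested in, and so on.
    A visited set terminates nesting loops (A in B, B in A) instead of
    walking forever."""
    seen = set()
    queue = deque(direct_groups(user, directory))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(direct_groups(group, directory))
    return seen


def token_report(directory=DIRECTORY, threshold=REVIEW_THRESHOLD):
    """Count effective groups per user and flag the heaviest accounts.
    Users are principals that never appear as a group key."""
    users = sorted({m for members in directory.values() for m in members
                    if m not in directory})
    report = {}
    for u in users:
        groups = effective_groups(u, directory)
        report[u] = {"count": len(groups), "review": len(groups) >= threshold}
    return report


if __name__ == "__main__":
    for user, row in token_report().items():
        flag = "REVIEW" if row["review"] else ""
        print(f"{user:8} {row['count']:3} effective groups {flag}")
```

Feeding this a real export of each group's `member` attribute gives the same number you would get from the user's `tokenGroups` attribute or `whoami /groups`, but it also shows which nesting chains contribute, which is what you need when deciding, per Joe's advice, whether to flatten users into the local groups that actually grant the permission.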