Re: AD 1384 error - too many security ids
From: Dean Wells [MVP] (dwells_at_mask.msetechnology.com)
Date: 12/29/04
- Next message: Jims: "Re: ADAM anonymous bind role question"
- Previous message: nospam_at_nospam.com: "AD with SFU and NIS"
- In reply to: Craig Fleming: "Re: AD 1384 error - too many security ids"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 28 Dec 2004 19:36:52 -0500
The max. SID limit is imposed by a number of performance related issues.
As Doug says, it is indeed hard coded (though that limit is technically
1024 less ~9 default well-known principals) ... the hard coding is
imposed to prevent the potential performance problems that would be
caused by exploding tokens to a size where the authorization model
would, simply stated, break down (keep in mind that the authorization
model is used throughout Windows, Microsoft Services and 3rd party
apps./services). Delegation also affects the ticket ( or ~token) size
and can be offset by increasing the default max. token-size but this
provides no work-around to the ~1000 SID limitation. Finally, the
available DC and client OSs don't help in this context either.
In short, you will (as you suggested) need to redesign your security
model accordingly :(
--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

Craig Fleming wrote:
> Thanks for the responses Doug.
>
> I'm assuming this is due to the underlying SAM that AD sits on top of?
>
> I guess we will have to rework the security model to limit the group
> membership.
>
>
> "Doug Frisk" wrote:
>
>> "Craig Fleming" <CraigFleming@discussions.microsoft.com> wrote in
>> message news:7B66A7D7-96C0-4D1A-9165-500565CF5E11@microsoft.com...
>>> The application has been constructed using Windows 2000 native mode
>>> which allows groups in groups. The nesting of the groups is what
>>> is causing us to reach this limit. We are using a business-model-specific
>>> security model based on AD.
>>>
>>> Any word on whether this limitation will be extended in future
>>> versions of AD or possibly ADAM?
>>
>> It's not an AD limitation. The limitation is on the size of your
>> access token, it's an NT or LanManager limitation.
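The practical follow-up to this thread is finding which accounts are creeping toward the SID limit before their logons start failing with event 1384. The script below is an added example, not code from any poster: it asks a domain controller for a user's transitive group membership through the constructed `tokenGroups` attribute (the same expansion the LSA performs when building the token), adds the user's own SID and the roughly nine well-known SIDs Dean mentions, and flags the account against a threshold. The script name, the `-WarnAt` default and the well-known-SID overhead are assumptions; the .NET `DirectorySearcher`/`DirectoryEntry` classes and the `MaxTokenSize` registry value are real. It assumes a domain-joined Windows host and an account allowed to read the target user.

```powershell
<#
  Get-TokenSidEstimate.ps1 (hypothetical name; added example, not from the thread)
  Estimates how many SIDs a user's access token will carry so that accounts
  approaching the ~1000-SID limit can be reworked before logons fail.
  Usage:  .\Get-TokenSidEstimate.ps1 -SamAccountName jdoe [-WarnAt 900]
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName,
    [int]$WarnAt = 900           # assumption: alert well before the hard limit
)

# Escape LDAP filter metacharacters in the supplied name (RFC 4515 style) so
# the value cannot alter the search filter.
function Escape-LdapValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# Locate the user object in the current domain; ADSI only, no RSAT module needed.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$(Escape-LdapValue $SamAccountName)))"
$searcher.PropertiesToLoad.Add("distinguishedName") | Out-Null
$result = $searcher.FindOne()
if ($null -eq $result) {
    throw "No user with sAMAccountName '$SamAccountName' found in the current domain."
}

$entry = $result.GetDirectoryEntry()
# tokenGroups is computed by the DC on request: it holds the transitive (nested)
# security-group membership, including SIDs contributed by sIDHistory, which is
# what actually ends up in the token. RefreshCache forces the server to build it.
$entry.RefreshCache([string[]]@("tokenGroups"))

$groupSids = foreach ($raw in $entry.Properties["tokenGroups"]) {
    New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
}

# Besides the groups, the token holds the user's own SID plus a handful of
# well-known SIDs (Everyone, Authenticated Users, the logon-session SID, ...).
# The thread puts that overhead at roughly 9; treat it as an estimate.
$wellKnownEstimate = 9
$estimatedTotal = @($groupSids).Count + 1 + $wellKnownEstimate

# Resolve names where possible; unresolvable SIDs (deleted groups, groups from
# domains this host cannot reach) are reported as raw SID strings instead of
# aborting the report.
$resolved = foreach ($sid in $groupSids) {
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }
}

$status = if ($estimatedTotal -ge 1024)    { "OVER LIMIT" }
          elseif ($estimatedTotal -ge $WarnAt) { "WARNING" }
          else                                { "OK" }

# MaxTokenSize (the Kerberos buffer) is worth recording alongside the count:
# raising it helps with large tickets from delegation, as Dean notes, but it
# does nothing about the number of SIDs. Absent value means the OS default.
$kerb = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"
$maxTokenSize = (Get-ItemProperty -Path $kerb -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize

[pscustomobject]@{
    User              = $SamAccountName
    TransitiveGroups  = @($groupSids).Count
    EstimatedSidTotal = $estimatedTotal
    Status            = $status
    LocalMaxTokenSize = $maxTokenSize
    Groups            = $resolved
}
```

Running this across every user in a nested-group design (for example by piping the output of a `DirectorySearcher` over `(objectCategory=person)` into the script) gives a ranked list of the accounts whose membership needs flattening first. Because `tokenGroups` is computed by the DC, the count reflects nesting and SID history, not just the `memberOf` attribute, which undercounts for the reasons Craig ran into.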