Selecting Local Groups or Domain Local Groups as Resource Groups

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In both the AG/ACL and the AG/RG methods, you can select as resource groups either local groups on the computer that controls the resource or domain local groups in the computer’s domain. This choice is typically relevant for administrators who manage network resources. If Bob shares a printer, he might create a local group to act as the resource group rather than ask a domain administrator to create a domain local group and grant him permission to manage it. Network resource managers, however, can choose either type of group as a resource group.
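The AG/RG chain described above (account group nested in a resource group, resource group named in the ACL) written out as an added PowerShell example; this is not code from the original page or from Microsoft. It assumes a domain-joined administrative host with the ActiveDirectory module, and the folder path, domain name, account group and resource group names are placeholders. The same script creates the resource group either as a local group on the computer that controls the resource or as a domain local group in the domain, which is exactly the choice the section discusses.

```powershell
# Added example, not part of the original page. Placeholders: D:\Shares\Sales, CONTOSO\Sales-Staff, Sales-Modify.
param(
    [string]$FolderPath    = 'D:\Shares\Sales',        # resource being protected (placeholder)
    [string]$AccountGroup  = 'CONTOSO\Sales-Staff',    # AG: global group holding the users (placeholder)
    [string]$ResourceGroup = 'Sales-Modify',           # RG: one resource group per access level (placeholder)
    [ValidateSet('Local', 'DomainLocal')]
    [string]$ResourceGroupScope = 'Local'              # the choice this section is about
)

# Step 1: create the resource group where you want it to live.
if ($ResourceGroupScope -eq 'Local') {
    # Local groups must be created on the computer that controls the resource, so run this there.
    if (-not (Get-LocalGroup -Name $ResourceGroup -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $ResourceGroup -Description "RG: Modify on $FolderPath" | Out-Null
    }
    # Step 2 (AG -> RG): nest the domain account group into the local resource group.
    Add-LocalGroupMember -Group $ResourceGroup -Member $AccountGroup -ErrorAction SilentlyContinue
    $principal = "$env:COMPUTERNAME\$ResourceGroup"
}
else {
    Import-Module ActiveDirectory
    # Domain local groups can be created and managed from anywhere in the domain and show up in AD.
    if (-not (Get-ADGroup -Filter "Name -eq '$ResourceGroup'")) {
        New-ADGroup -Name $ResourceGroup -GroupScope DomainLocal -GroupCategory Security `
                    -Description "RG: Modify on $env:COMPUTERNAME $FolderPath"
    }
    # Step 2 (AG -> RG): nest the global account group (sAMAccountName part only) into the domain local group.
    Add-ADGroupMember -Identity $ResourceGroup -Members ($AccountGroup.Split('\')[-1])
    $principal = "$((Get-ADDomain).NetBIOSName)\$ResourceGroup"
}

# Step 3 (RG -> ACL): the ACL names only the resource group, never the account group or individual users.
$acl  = Get-Acl -Path $FolderPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $principal, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $FolderPath -AclObject $acl

# Step 4: review the explicit (non-inherited) entries; each should be a group, not a user.
(Get-Acl -Path $FolderPath).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Running it with `-ResourceGroupScope DomainLocal` produces the variant in which the resource group is visible in Active Directory; the default produces the computer-local variant that Bob, as a non-domain-administrator, can create and retire himself.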

One advantage of using domain local groups as resource groups is that domain local groups can be managed anywhere in the domain. Creating local groups requires the resource manager to access the specific computer where the local group is to be created. Another advantage of using domain local groups as resource groups is that domain local groups are visible in Active Directory. Assuming that the domain local group is named in a meaningful way, it is relatively easy to locate the resource group and modify it to add or remove account groups.

However, there are also significant disadvantages to using domain local groups as resource groups. For example, suppose Bob is managing a file server with 500 shares, each of which has three resource groups to define the three common access levels. If Bob uses domain local groups for the resource groups, 1,500 groups will be displayed in Active Directory Users and Groups in the Microsoft Management Console (MMC). Furthermore, suppose that Bob has 50 file servers. Even with a meaningful group naming policy, it is not going to be easy to find the right resource group among 75,000 group names. In this case, Bob is much more likely to choose local groups as resource groups.

Another disadvantage of using domain local groups as resource groups is the relative difficulty of group retirement. As resources are changed, moved, or retired, the resource groups associated with the resource also must be changed, moved, or retired. A resource manager is more likely to keep up with the management of local groups than of domain local groups that are managed by another administrator. The closer the resource groups are to the actual resource, the more likely they are to be maintained or retired properly.

Security access token size can also be an issue if users are members of too many groups. A user’s access token is built primarily from the security identifiers (SIDs) of the groups to which the user belongs. The default maximum token size for the Microsoft® Windows XP Professional operating system and Windows Server 2003 is 12,000 bytes. This token size enables users to belong to approximately 120 groups. If a user belongs to more than 120 groups, the buffer allocated for the user’s token is exceeded. The result is that the user is unable to log on to the network or is otherwise denied access to network resources.

The maximum token size can be modified if necessary. With token-size modification, users can successfully belong to hundreds of groups. If you choose to use domain local groups as resource groups, token size issues are more likely to arise than if you use local groups on the computer where the resource is shared.
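A check for the token-size problem described in the two paragraphs above, written as an added PowerShell example (not code from the original page or from Microsoft). It assumes the ActiveDirectory module, a placeholder user name, and reads the MaxTokenSize override from the registry location documented in the article Q327825 that the note below cites; if no override is set it uses the 12,000-byte default stated on the page. The capacity estimate simply applies the page's own ratio (12,000 bytes for roughly 120 groups, about 100 bytes per group) and the 80 percent warning threshold is an assumption chosen for this example.

```powershell
# Added example, not part of the original page. Placeholder user: bob.
param([string]$SamAccountName = 'bob')

Import-Module ActiveDirectory

# MaxTokenSize override, if an administrator has set one (location per KB Q327825).
# Absent value = the 12,000-byte default named on the page.
$regPath      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$maxTokenSize = (Get-ItemProperty -Path $regPath -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize
if (-not $maxTokenSize) { $maxTokenSize = 12000 }

# Recursive (transitive) membership: the token carries the SIDs of nested groups too,
# so a user in one account group that is nested in 40 domain local resource groups
# gets 41 group SIDs. LDAP_MATCHING_RULE_IN_CHAIN does the nesting on the server side.
$user   = Get-ADUser -Identity $SamAccountName
$groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"

# Note: local groups on file servers never appear here. Their SIDs are added only when
# the user connects to that server, which is why local resource groups keep domain
# logon tokens small.
$domainLocal = @($groups | Where-Object { $_.GroupScope -eq 'DomainLocal' })
$global      = @($groups | Where-Object { $_.GroupScope -eq 'Global' })
$universal   = @($groups | Where-Object { $_.GroupScope -eq 'Universal' })

# Rough capacity from the page's ratio: 12,000 bytes ~ 120 groups, i.e. ~100 bytes per group.
$estimatedCapacity = [math]::Floor($maxTokenSize / 100)
$warnAt            = [math]::Floor($estimatedCapacity * 0.8)   # 80% threshold is an assumption

[pscustomobject]@{
    User              = $SamAccountName
    TotalGroups       = @($groups).Count
    DomainLocalGroups = $domainLocal.Count
    GlobalGroups      = $global.Count
    UniversalGroups   = $universal.Count
    MaxTokenSizeBytes = $maxTokenSize
    EstimatedGroupCap = $estimatedCapacity
    NearLimit         = (@($groups).Count -ge $warnAt)
}
```

Run it against the users with the broadest access (administrators, helpdesk staff) and watch the DomainLocalGroups column: in a design that uses domain local resource groups, that column grows by one for every share and access level the user is granted, whereas with computer-local resource groups it stays flat.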

Note

  • For more information about token size and default group membership limits, see article Q327825, "New Resolution for Problems That Occur When Users Belong to Many Groups" in the Microsoft Knowledge Base. To find this article, see the Microsoft Knowledge Base link on the Web Resources page at www.microsoft.com/windows/reskits/webresources.