Active Directory Database Size and Delegation Access Rights

• Microsoft Windows 2000 Advanced Server
• Microsoft Windows 2000 Datacenter Server
• Microsoft Windows 2000 Professional
• Microsoft Windows 2000 Server

SUMMARY

Because the Active Directory in Windows 2000 uses static inheritance, any Access Control List (ACL) changes caused by delegation of access rights on Active Directory containers are pushed down to all objects within the container, increasing the objects' size.

MORE INFORMATION

Delegating access rights to an Active Directory container in Windows 2000 is a good way to assign administrative control to a segment of your enterprise without compromising the corporate network. However, it is important to note that the delegation of access to a container causes each object within that container to grow in size for every Access Control Entry (ACE) in the ACL. This translates to an increase in the size of your Active Directory database. In particular, as ACEs are granted and denied to objects (such as users or groups) in a container, they are pushed down to all objects within that container, causing them to grow. Recent tests indicate that Active Directory objects grow at approximately 70 bytes per ACE.

The increase in database size described above is probably the most compelling reason to delegate access rights to groups rather than to users. Because a group object is a security principal that can contain other objects, the increase in size of the Active Directory database takes place only once. Later, when delegation is required for a new user object, the object can be added to the security group that has already been delegated rights, resulting in no change to your database size.

Keywords : kbenv kbtool
Version : WINDOWS:
Platform : WINDOWS
Issue type : kbinfo