Active Directory Database Size and Delegation Access Rights (197054)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Datacenter Server

This article was previously published under Q197054

SUMMARY

Because the Active Directory in Windows 2000 uses static inheritance, any Access Control List (ACL) changes caused by delegation of access rights on Active Directory containers are pushed down to all objects within the container, increasing the objects' size.

MORE INFORMATION

Delegating access rights to an Active Directory container in Windows 2000 is a good way to assign administrative control to a segment of your enterprise without compromising the corporate network. However, it is important to note that delegating access to a container causes each object within that container to grow in size for every Access Control Entry (ACE) added to the container's ACL. This translates directly into an increase in the size of your Active Directory database. Because inheritance is static, as ACEs that grant or deny rights to security principals (such as users or groups) are placed on a container, copies of those ACEs are written to every object within that container, causing each of those objects to grow. Recent tests indicate that Active Directory objects grow at approximately 70 bytes per ACE.

The increase in database size described above is probably the most compelling reason to delegate access rights to groups rather than to users. Because a group object is a security principal that can contain other objects, the increase in size of the Active Directory database takes place only once. Later, when delegation is required for a new user object, the object can be added to the security group that has already been delegated rights, resulting in no change to your database size.
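The following model is an added illustration and is not from the original article. It simulates static inheritance on a constructed OU tree (a hypothetical OU=Sales with two child OUs and five users) and compares the database growth from delegating to several users individually against delegating to one group, using the article's figure of about 70 bytes per ACE.

```python
"""Model of Windows 2000 Active Directory static ACL inheritance.

Constructed example, not from the KB article: when delegation places an
ACE on a container, static inheritance copies that ACE onto the container
and every object beneath it, so each object grows by ACE_BYTES.
"""
from dataclasses import dataclass, field

ACE_BYTES = 70  # approximate growth per ACE per object, per the article


@dataclass
class DirObject:
    dn: str
    children: list = field(default_factory=list)
    aces: list = field(default_factory=list)  # (principal, right) pairs

    def walk(self):
        """Yield this object and every descendant (the inheritance scope)."""
        yield self
        for child in self.children:
            yield from child.walk()


def delegate(container: DirObject, principal: str, right: str) -> int:
    """Grant `right` to `principal` on `container`. Static inheritance writes
    the ACE into every descendant too. Returns the bytes added to the DIT."""
    added = 0
    for obj in container.walk():
        if (principal, right) not in obj.aces:
            obj.aces.append((principal, right))
            added += ACE_BYTES
    return added


def build_sample_ou() -> DirObject:
    """Constructed tree: OU=Sales holding OU=East (3 users) and OU=West (2)."""
    east = DirObject("OU=East,OU=Sales", [DirObject(f"CN=e{i},OU=East,OU=Sales") for i in range(3)])
    west = DirObject("OU=West,OU=Sales", [DirObject(f"CN=w{i},OU=West,OU=Sales") for i in range(2)])
    return DirObject("OU=Sales", [east, west])


def compare_delegation(admins: list) -> dict:
    """Bytes added when each admin gets an ACE versus a single ACE for a group,
    plus the cost of onboarding one more admin later under each strategy."""
    per_user = build_sample_ou()
    user_bytes = sum(delegate(per_user, a, "FullControl") for a in admins)
    per_group = build_sample_ou()
    group_bytes = delegate(per_group, "SalesAdmins", "FullControl")
    extra_user = delegate(per_user, "newadmin", "FullControl")  # new ACE on every object
    extra_group = 0  # adding newadmin to SalesAdmins changes membership, not any ACL
    return {"per_user": user_bytes, "per_group": group_bytes,
            "add_one_more_per_user": extra_user, "add_one_more_per_group": extra_group}
```

With three admins, per-user delegation writes 3 ACEs onto all 8 objects (1680 bytes) while the group approach writes 1 ACE each (560 bytes), and a fourth admin costs another 560 bytes only in the per-user case.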

Modification Type: Major
Last Reviewed: 11/21/2003
Keywords:kbenv kbinfo KB197054