Microsoft KB Archive/197054

= Active Directory Database Size and Delegation Access Rights =

Article ID: 197054

Article Last Modified on 2/23/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Datacenter Server

-



This article was previously published under Q197054



SUMMARY
Because the Active Directory in Windows 2000 uses static inheritance, any Access Control List (ACL) changes caused by delegation of access rights on Active Directory containers are pushed down to all objects within the container, increasing the objects' size.



MORE INFORMATION
Delegating access rights to an Active Directory container in Windows 2000 is a good way to assign administrative control to a segment of your enterprise without compromising the corporate network. However, it is important to note that the delegation of access to a container causes each object within that container to grow in size for every Access Control Entry (ACE) in the ACL. This translates to an increase in the size of your Active Directory database. In particular, as ACEs are granted and denied to objects (such as users or groups) in a container, they are pushed down to all objects within that container, causing them to grow. Recent tests indicate that Active Directory objects grow at approximately 70 bytes per ACE.

The increase in database size described above is probably the most compelling reason to delegate access rights to groups rather than to users. Because a group object is a security principal that can contain other objects, the increase in size of the Active Directory database takes place only once. Later, when delegation is required for a new user object, the object can be added to the security group that has already been delegated rights, resulting in no change to your database size.

Keywords: kbenv kbinfo KB197054

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.