Article ID: 306259
Article Last Modified on 10/27/2006
APPLIES TO
- Microsoft Windows 2000 Service Pack 1
- Microsoft Windows 2000 Service Pack 2
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server
This article was previously published under Q306259
SYMPTOMS
When a Windows 2000 account belongs to a large number (over 1,000) of groups, the Security Account Manager (SAM) requires a large amount of time to do the group evaluation during account logon. During this time, the administrator cannot recover the domain controller because the administrator will have a token that has more than 1,024 security identifiers (SIDs), and Local Security Authority (LSA) will ultimately fail the logon because of too many SIDs. Also, the failure will take a long time to appear because of the increased SAM activity.
A user that is given the privilege to add other users to groups could add a user to too many groups, in which case the user would no longer be able to logon.
RESOLUTION
To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Service Pack for Windows 2000
The English version of this fix should have the following file attributes or later:
Date Time Version Size File name --------------------------------------------------------- 30-Jan-02 00:52 5.00.2195.4685 123,664 Adsldp.dll 30-Jan-02 00:52 5.00.2195.4851 130,832 Adsldpc.dll 30-Jan-02 00:52 5.00.2195.4016 62,736 Adsmsext.dll 30-Jan-02 00:52 5.00.2195.4882 356,624 Advapi32.dll 30-Jan-02 00:52 5.00.2195.4874 135,440 Dnsapi.dll 30-Jan-02 00:52 5.00.2195.4874 95,504 Dnsrslvr.dll 11-Feb-02 22:03 5.00.2195.4848 521,488 Instlsa5.dll 11-Feb-02 21:59 5.00.2195.4894 145,680 Kdcsvc.dll 27-Nov-01 00:33 5.00.2195.4680 199,440 Kerberos.dll 07-Feb-02 19:35 5.00.2195.4914 71,024 Ksecdd.sys 16-Jan-02 23:02 5.00.2195.4848 503,568 Lsasrv.dll 16-Jan-02 23:02 5.00.2195.4848 33,552 Lsass.exe 08-Dec-01 00:05 5.00.2195.4745 107,280 Msv1_0.dll 11-Feb-02 21:59 5.00.2195.4917 306,960 Netapi32.dll 30-Jan-02 00:52 5.00.2195.4874 359,184 Netlogon.dll 30-Jan-02 00:52 5.00.2195.4879 916,240 Ntdsa.dll 30-Jan-02 00:52 5.00.2195.4847 388,368 Samsrv.dll 30-Jan-02 00:52 5.00.2195.4874 128,784 Scecli.dll 30-Jan-02 00:52 5.00.2195.4878 299,792 Scesrv.dll 30-May-01 08:03 5.00.2195.3649 3,584 Spmsg.dll 30-Jan-02 00:52 5.00.2195.4600 48,400 W32Time.dll 06-Nov-01 19:43 5.00.2195.4600 56,592 W32Tm.exe 11-Feb-02 21:59 5.00.2195.4921 125,712 Wldap32.dll
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.
MORE INFORMATION
For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the article number below to view the article in the Microsoft Knowledge Base:
265173 The Datacenter Program and Windows 2000 Datacenter Server Product
Acknowledgment: Adrian Dafinei contributed to this Microsoft Knowledge Base article.
Keywords: kbbug kbfix kbwin2000presp3fix kbqfe kbwin2000sp3fix kbenv kbnetwork kbsecurity kbhotfixserver KB306259