Members of an Extremely Large Number of Groups Cannot Log On to the Domain

Article translations Article translations
Article ID: 306259 - View products that this article applies to.
This article was previously published under Q306259
This article has been archived. It is offered "as is" and will no longer be updated.
Expand all | Collapse all

SYMPTOMS

When a Windows 2000 account belongs to a large number (over 1,000) of groups, the Security Account Manager (SAM) requires a large amount of time to do the group evaluation during account logon. During this time, the administrator cannot recover the domain controller because the administrator will have a token that has more than 1,024 security identifiers (SIDs), and Local Security Authority (LSA) will ultimately fail the logon because of too many SIDs. Also, the failure will take a long time to appear because of the increased SAM activity.

A user that is given the privilege to add other users to groups could add a user to too many groups, in which case the user would no longer be able to logon.

RESOLUTION

To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Service Pack for Windows 2000
The English version of this fix should have the following file attributes or later:
   Date       Time   Version           Size     File name
   ---------------------------------------------------------
   30-Jan-02  00:52  5.00.2195.4685    123,664  Adsldp.dll       
   30-Jan-02  00:52  5.00.2195.4851    130,832  Adsldpc.dll      
   30-Jan-02  00:52  5.00.2195.4016     62,736  Adsmsext.dll     
   30-Jan-02  00:52  5.00.2195.4882    356,624  Advapi32.dll     
   30-Jan-02  00:52  5.00.2195.4874    135,440  Dnsapi.dll       
   30-Jan-02  00:52  5.00.2195.4874     95,504  Dnsrslvr.dll     
   11-Feb-02  22:03  5.00.2195.4848    521,488  Instlsa5.dll     
   11-Feb-02  21:59  5.00.2195.4894    145,680  Kdcsvc.dll       
   27-Nov-01  00:33  5.00.2195.4680    199,440  Kerberos.dll     
   07-Feb-02  19:35  5.00.2195.4914     71,024  Ksecdd.sys
   16-Jan-02  23:02  5.00.2195.4848    503,568  Lsasrv.dll       
   16-Jan-02  23:02  5.00.2195.4848     33,552  Lsass.exe        
   08-Dec-01  00:05  5.00.2195.4745    107,280  Msv1_0.dll       
   11-Feb-02  21:59  5.00.2195.4917    306,960  Netapi32.dll     
   30-Jan-02  00:52  5.00.2195.4874    359,184  Netlogon.dll     
   30-Jan-02  00:52  5.00.2195.4879    916,240  Ntdsa.dll        
   30-Jan-02  00:52  5.00.2195.4847    388,368  Samsrv.dll       
   30-Jan-02  00:52  5.00.2195.4874    128,784  Scecli.dll       
   30-Jan-02  00:52  5.00.2195.4878    299,792  Scesrv.dll       
   30-May-01  08:03  5.00.2195.3649      3,584  Spmsg.dll        
   30-Jan-02  00:52  5.00.2195.4600     48,400  W32Time.dll      
   06-Nov-01  19:43  5.00.2195.4600     56,592  W32Tm.exe        
   11-Feb-02  21:59  5.00.2195.4921    125,712  Wldap32.dll      
				

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the article number below to view the article in the Microsoft Knowledge Base:
265173 The Datacenter Program and Windows 2000 Datacenter Server Product
Acknowledgment: Adrian Dafinei contributed to this Microsoft Knowledge Base article.

Properties

Article ID: 306259 - Last Review: February 27, 2014 - Revision: 2.4
APPLIES TO
  • Microsoft Windows 2000 Server SP1
  • Microsoft Windows 2000 Server SP2
  • Microsoft Windows 2000 Advanced Server SP1
  • Microsoft Windows 2000 Advanced Server SP2
Keywords: 
kbnosurvey kbarchive kbhotfixserver kbqfe kbbug kbenv kbfix kbnetwork kbsecurity kbwin2000presp3fix kbwin2000sp3fix KB306259

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com