You receive unexpected search results when lots of groups and users access a SharePoint Server 2007 or a Windows SharePoint Services 3.0 site

Article translations Article translations
Article ID: 944299 - View products that this article applies to.
For a Microsoft Office SharePoint Portal Server 2003 version of this article, see 885482.
Expand all | Collapse all

SYMPTOMS

You perform a search on a Microsoft Office SharePoint Server 2007 site or on a Microsoft Windows SharePoint Services 3.0 site that is accessed by lots of Active Directory directory service groups and users. The groups and users access the site by using Forms-Based Authentication or Windows NTLM authentication.

When you do this, you receive unexpected search results. This behavior occurs even when you search for items that exist on the SharePoint Server 2007 or Windows SharePoint Services site.

CAUSE

This behavior occurs if the size of the discretionary access control list (DACL) is larger than 64 kilobytes (KB).

The maximum buffer size of the InitializeAcl function is 64 KB. Therefore, the maximum size of a DACL in Windows is 64 KB. This includes the access control entries (ACEs) that are contained in the DACL. SharePoint Server 2007 processes DACL information when the content index is processed.

When lots of groups and users are added to the portal site, and when the size of the DACL is larger than 64 KB, the index operation does not finish successfully.

WORKAROUND

To work around this behavior, use one of the following methods, as appropriate for your situation:
  • Reduce the number of groups and of users who are added to the portal site.

    For example, reduce the number of groups and of users on the portal site so that the portal site contains fewer than one thousand groups and users.
  • Create a new group in Active Directory, add the new group to the portal site, and then add all the groups and users who require access to the portal site to the new group.
There is no limit to the number of users, groups, memberships, and roles that can have permissions to access the SharePoint Server 2007 or Windows SharePoint Services site. Therefore, you can still access the site even when the size of the DACL reaches its limit of 64 KB.

To prevent this behavior, we recommend that you do not give access to the SharePoint Server 2007 or Windows SharePoint Services site to more than one thousand users, groups, memberships, and roles.

MORE INFORMATION

You can apply update 937832 to relax the size limit when you use Forms-Based Authentication.

For more information about update 937832, click the following article number to view the article in the Microsoft Knowledge Base:
937832 Description of the security update for SharePoint Server 2007: October 9, 2007

Properties

Article ID: 944299 - Last Review: February 18, 2008 - Revision: 2.2
APPLIES TO
  • Microsoft Office SharePoint Server 2007
  • Microsoft Windows SharePoint Services 3.0
Keywords: 
kbharmony kbtshoot kbexpertiseadvanced KB944299

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com