This article was previously published under Q306259
This article has been archived. It is offered "as is" and will no longer be updated.
When a Windows 2000 account belongs to a large number (over 1,000) of groups, the Security Account Manager (SAM) requires a large amount of time to do the group evaluation during account logon. During this time, the administrator cannot recover the domain controller because the administrator will have a token that has more than 1,024 security identifiers (SIDs), and Local Security Authority (LSA) will ultimately fail the logon because of too many SIDs. Also, the failure will take a long time to appear because of the increased SAM activity.
A user that is given the privilege to add other users to groups could add a user to too many groups, in which case the user would no longer be able to logon.
To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in theMicrosoft Knowledge Base:
260910 How to Obtain the Latest Service Pack for Windows 2000
The English version of this fix should have the following file attributes or later: