You receive unexpected search results when lots of groups and users access a SharePoint Server 2007 or a Windows SharePoint Services 3.0 site

This article has been archived. It is offered "as is" and will no longer be updated.
For a Microsoft Office SharePoint Portal Server 2003 version of this article, see 885482.
SYMPTOMS
You perform a search on a Microsoft Office SharePoint Server 2007 site or on a Microsoft Windows SharePoint Services 3.0 site that is accessed by lots of Active Directory directory service groups and users. The groups and users access the site by using Forms-Based Authentication or Windows NTLM authentication.

When you do this, you receive unexpected search results. This behavior occurs even when you search for items that exist on the SharePoint Server 2007 or Windows SharePoint Services site.
CAUSE
This behavior occurs if the size of the discretionary access control list (DACL) is larger than 64 kilobytes (KB).

The maximum buffer size of the InitializeAcl function is 64 KB. Therefore, the maximum size of a DACL in Windows is 64 KB. This includes the access control entries (ACEs) that are contained in the DACL.SharePoint Server 2007 processes DACL information when the content index is processed.

When lots of groups and users are added to the portal site, and when the size of the DACL is larger than 64 KB, the index operation does not finish successfully.
WORKAROUND
To work around this behavior, use one of the following methods, as appropriate for your situation:
  • Reduce the number of groups and of users who are added to the portal site.

    For example, reduce the number of groups and of users on the portal site so that the portal site contains fewer than one thousand groups and users.
  • Create a new group in Active Directory, add the new group to the portal site, and then add all the groups and users who require access to the portal site to the new group.
There is no limit to the number of users, groups, memberships, and roles that can have permissions to access the SharePoint Server 2007 or Windows SharePoint Services site. Therefore, you can still access the site even when the size of the DACL reaches its limit of 64 KB.

To prevent this behavior, we recommend that you do not give access to the SharePoint Server 2007 or Windows SharePoint Services site to more than one thousand users, groups, memberships, and roles.
MORE INFORMATION
You can apply update 937832 to relax the size limit when you use Forms-Based Authentication.

For more information about update 937832, click the following article number to view the article in the Microsoft Knowledge Base:
937832 Description of the security update for SharePoint Server 2007: October 9, 2007
Properties

Article ID: 944299 - Last Review: 01/15/2015 18:36:09 - Revision: 2.2

  • Microsoft Office SharePoint Server 2007
  • Microsoft Windows SharePoint Services 3.0
  • kbnosurvey kbarchive kbharmony kbtshoot kbexpertiseadvanced KB944299
Feedback