otifrankMemberJul 02, 2009 at 7:17 am #142810
I have a W2K3 domain which is at the W2K3 Forrest Functional level.
There is currently a GPO that is linked to an OU that contains only computer account objects. This GPO is filtered to a specific security group whose members are computer accounts that are located within the linked OU.
Everything works as it is supposed to until I add the 501st or more member(s) to the security group. Once any members in excess of 500 are added to the filtering group, machines within the OU where the GPO is linked but are not members of the filtering group, begin to receive the settings of the GPO.
Other odd things that I have noticed: When the 501st or better member is added to the security group the icons next to the names change from the illuminated computer icon to a greyed out user icon. Additionally, I have tested and found that no matter which GPO I link to any OU within the domain, if I filter it by any security group that has more than 500 members, the same behavior is observed. (Machines within the OU that are not members of the filtering group start to receive the settings of the linked GPO)
To this point, my research has shown that W2K3 domains that are, at minimum, set to at least the interim forrest functional level, are suposed to be able to have security groups be able to be populated with “theoretically unlimited” amounts of members. This seems to indicate that my issue with more than 500 members should “not” be an issue, at least according to MS.
If I can provide any more information which might assist in the efforts to help me, please let me know.
You must be logged in to reply to this topic.