In any Microsoft Active Directory forest, a user can only a member of 1024 groups but after allowing for up to 9 well known SIDS this number is actually 1015.
See KB

If a user exceeds the hard limit of 1015 group memberships they probably will not be able to logon.

  • What do you do to rectify the issue?
  • How do you find out what changed and caused a tipping point?

A quick visual method to see a user’s nested group memberships expanded, is to run the command:

dsget user “CN=Mark Parris,OU=Administration,DC=clickclicknext,DC=com” -memberof -expand

If this command returns a short list of groups then the membership of too many groups is probably not an issue, but if the command returns a scrolling list of group memberships then we need to utilise NTDSUTIL. NTDSUTIL has within it a command that you may not even know is there, unless you have this specific issue.

The command is group membership evaluation

At an elevated command prompt.



group membership evaluation

set account DC nameOfDC

set global catalog nameOfDC

set resource dc nameOfDC

run mark.parris is the fqdn of your domain and mark.parris is the username.

The output of this command is a .tsv file and will be found in the path of the prompt (run it from C:\Temp it will be in C:\Temp), this file can be renamed to a .csv.
The report produces a lot of interesting information in a tabular format.

The report will have these column headings.

SID in token
SID type
SID History Count
Distinguished Name
Active Directory Domain Controller Queried
Group Owner
Group Owner SID
WhenCreated (UTC)
WhenChanged (UTC)
Member WhenChanged (UTC)
GroupType WhenChanged (UTC)
One Level MemberOf Count
Total MemberOf Count
Group Type
Depth From User
Closest Parent OU

From the column heading, there are specific columns with timestamps, if these are then sorted upon, it will tell you what group or groups were modified most recently, these changes then need to be understood and reversed or perhaps other legacy group memberships identified and removed.



As I review and update my old consulting notes I have decided to publishing them.
These are by no means definitive and are intended as an ‘aide memoire’.

Comments welcome.

Associated Post: MaxTokenSize – Change of recommendation from Microsoft




I recently found a need to have Operating System and Service Pack information displayed dynamically in Active Directory Users and Computers rather than have it hardcoded into the Description attribute of the computer object.

I remembered that many moons ago, I had seen Dean Wells demonstrate this ability, so I dug out my notes and thought I would share (but Kudos to Dean).

If you open Active Directory Users and Computers, navigate to an OU and then select View Add/Remove Columns, we can see that the information about the Operating System is not available to add as a column.


But if we right click on a computer object  we can see that the Active Directory knows about the computers Operating System and Service Pack information.


If you view the computers attributes, we can see how these attributes are stored in Active Directory


The attributes I am interested in displaying in Active Directory Users and Computers are:

operatingSystem and operatingSystemServicePack

To add them to the Add/Remove columns tab, logon to the Active Directory with Schema Admin privileges, and start ADSIEDIT.MSC.

Navigate to the Configuration Partition and then DisplaySpecifiers and then select the code page for your language. For me this is 409.


navigate to CN=organizationalUnit-Display double click and navigate to extraColumns


Double Click extraColumns and add the following two values.

operatingSystem,Operating System,0,150,0
operatingSystemServicePack,Service Pack,0,150,0

These values equate to:

<ldapDisplayName>,<Column Title>,<Displayed by default>,<Column Width>,<unused>



Once the values are added, navigate your way out of ADSIEDIT.MSC and open Active Directory Users and Computers.  Once again navigate to an OU and then select View Add/Remove Columns we can now see two additional columns


Select Add to make then available in the displayed columns.


We now have Operating System and Service Pack information available at a glance, but many of the other attributes can be added in exactly the same way.

When troubleshooting Active Directory the first place that most people look is the Windows Server event logs, the event logs can provide a wealth of information about the state of an Active Directory, but by default the recorded information is limited to the logging of critical and error events.

To enable detailed diagnostic logging there are a series of registry keys under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics which when set to a defined value will populate the information to the event logs.

The defined values are:

Option Description
0 (None) Only critical events and error events are logged. (Default)
1 (Minimal) Very high-level events are recorded in the event log
2 (Basic) Events with a logging level of 2 or lower are logged.
3 (Extensive) Events with a logging level of 3 or lower are logged.
4 (Verbose) Events with a logging level of 4 or lower are logged.
5 (Internal) All events are logged, including debug strings and configuration changes received.

Any logging above level 3 can generate a lot of additional logged information and should be used with caution.

These values can be set against the one or more of these 24 keys


Key Name:


1 Knowledge Consistency Checker

The KCC derives its input configuration from objects in the directory (for example, sites, servers and site links). The KCC reports if these objects are incorrect or missing. Events occurring during a run of the KCC.

Messages fall into the following categories:

KCC runtime errors, such as inconsistencies, resource errors or directory access problems. KCC output configuration problems. The new configuration cannot be built or is incomplete in some way.  Perhaps too many servers are down to build a complete topology at this time.

2 Security Events

Events related to security such as a user who tries to read or write an attribute with insufficient permissions, a user binding through MAPI, or a domain that has been changed to native mode.

3 ExDS Interface Events

Events related to communication between Active Directory and Exchange clients.

4 MAPI Interface Events

Events related to communication between Active Directory and Exchange clients.

5 Replication Events

Events related to outbound replication, where changed objects are found and inbound replication, where these changes are applied to a local database. “Normal” errors during the course of replication, such as a domain controller being down, are not logged. They are kept as status and are available through the replication tools. The errors logged during replication are generally critical inconsistencies that require user intervention, as database errors. The other kind of events logged by the replication category are information about which objects and attributes were updated and why.  Note that many attributes are updated each time replication occurs. Logging detail about attributes can generate a great deal of messages very quickly.

A level of 1 is safe and might be informative as to the general types of operations occurring for replication. A level higher than level 2 can result in filling up the log file and performance degradation.

6 Garbage Collection

Events generated when objects marked for deletion are actually deleted.

7 Internal Configuration

Interpretation and display of the internal directory service operations.

8 Directory Access

Reads and writes directory objects from all sources.

9 Internal Processing

Events related to the internal operation of Active Directory code such as processing security descriptor propagation. Error events in this category might be an indicator of serious problems in Active Directory. When the directory returns the status of “internal error,” this category can be used to identify the problem for Microsoft support. Set this category to 1 on all computers involved (client and server) and reproduce the problem. Note the point in the code where the internal error was raised.

10 Performance Counters

Events related to loading and unloading the NTDS performance object and performance counters.

11 Initialization/Termination

Events related to starting and stopping Active Directory.

12 Service Control

Processes Active Directory service events.

13 Name Resolution

Resolution of addresses and Active Directory names.

14 Backup

Events related to the backup of Active Directory. Specifically, errors occurring when ESE database records are read or written for backup purposes. Generally only logged when a backup operation is underway.

15 Field Engineering

Internal debugging trace.

16 LDAP Interface Events

Events related to LDAP. An example of events logged include the following: the LDAP server closed a socket to a client, unable to initialize LDAP Simple Bind Authentication, and LDAP over SSL is now available.

17 Setup

Events related to running the Active Directory Installation Wizard.

18 Global Catalog

Events related to Global Catalog. For example, “Promotion of this server to a Global Catalog will be delayed for %1 minutes. This delay is necessary so that the required partitions can be made ready before the GC is advertised.

The operations that occurs during this time include the KCC being run to generate the new topology, all read-only partitions in the enterprise being added to this server, and the contents of these partitions being replicated into this system.  If you want to promote the GC immediately without enforcing this precondition, set the registry variable


(sec) to a DWORD value of 0. The GC will be promoted on the next attempt to check preconditions. This value can also be set to the maximum number of seconds that the DSA will wait before promoting to a GC.”

19 Inter-site Messaging

These messages are logged by the “Intersite Message” service, which is a separate service from the directory itself. There are two kinds of messages that are generated in this category:
The ISM Service is responsible for transporting replication messages between sites.
The ISM Service is also responsible for calculating site routes for the KCC to use. Note that the messages in this category are either fatal configuration errors, or informational messages about the amount of traffic being carried.

20 Group Caching

Events related to Universal Group Membership Caching on a domain controller in a site where this feature is enabled. The value is set to an integer from 0 (no logging) through 5 (most verbose logging). Significant events are reported at logging level 2. with many additional events reported at logging level 5.

21 Linked-Value Replication

Events related to Linked-Value Replication.

22 DS RPC Client

Events related to RPC Client

Controls the logging of events that are related to communication with the Directory Service.
Examples of logged events include remote procedure call (RPC) errors, cancelled calls, and service principal name (SPN)– related operations.

Real world example: Only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur. To log all individual failure events, set diagnostics registry value to 1.

23 DS RPC Server

Controls the logging of events that are related the RPC server service.

Example, during outbound replication and replication setup operations.

24 DS Schema

Events related to the Active Directory schema.

Example of an event logged includes a successful Active Directory Schema updates which records the event with and Event ID of 1582


Microsoft have provided a Visio 2010 Add-In to enable Disk Space Monitoring, it provides a graphical view of free space available on selected computers.  To populate the Visio diagram it can either be populated from an Excel spreadsheet or System Center Operations Manager.  Once all the desired computers have been contacted, the information is presented in a format similar to this.


May the Gig’s be with you.

Client\X64 – Visio Add-In for Disk Space Monitoring Download
Client\X86-Visio Add-In for Disk Space Monitoring Download
Server\Visio Services Data Provider for Disk Space Monitoring add-in Download
User Guide for Visio Add-In for Disk Space Monitoring Download
Visio Services Data Provider for Disk Space Monitoring add-in user guide Download

After installing Service Pack 1 on Windows 7 or Windows Server 2008 R2, by default you have the ability to uninstall the Service Pack and rollback to the previous state. If you are confident that you do not need to rollback the service pack at a later date. The installation can be made final by running DISM /online /cleanup-Image /spsuperseded on average this has reclaimed for me over 2GB per server, not that much space these days but if you have for some reason VM’s running like this, these 2GB’s can add up to a lot of space.

Microsoft have just released this interesting KB article on large sector drive support in various versions of Windows.

Over the next few years, the data storage industry will be transitioning the physical format of hard disk drives from 512-byte sectors to 4096-byte sectors (also known as 4K sectors). This transition is driven by several factors, including increases in storage density and reliability.  

Specific requirements for Microsoft support by OS version

Windows Vista and Windows Server 2008:

  • Install the hotfix from the following Microsoft Knowledge Base (KB) article:
    2470478  ( ) Applications that are built on ESENT and that run on a Windows Vista-based or Windows Server 2008-based computer may not work correctly after the reported physical sector size of the storage device changes
  • Make sure that the drivers and firmware for your storage controller and for your other hardware components are updated. Also make sure that they support large sector drives.

Windows 7 and Windows Server 2008 R2:

  • Install Service Pack 1 (SP1), or install the update from the following KB article:
    982018  ( ) An update that improves the compatibility of Windows 7 and Windows Server 2008 R2 with Advanced Format Disks is available
  • Make sure that the drivers and firmware for your storage controller and other hardware components are updated. Also make sure that they support large sector drives.
  • Use the updated Windows Preinstallation Environment (Windows PE) for SP1 that will be released as part of the updated pieces of the SP1 Windows Automated Installation Kit (AIK) and of the Windows OEM Preinstallation Kit (OPK). Or, embed update 982018 into Windows PE.

Windows Server 2003 and Windows XP:

Any large sector disks, such as Advanced Format drives, are not supported by Microsoft for installation on systems that are running Windows Server 2003, Windows Server 2003 R2, or Windows XP.

The full KB article is here.

Microsoft have today (14/02/11) released a refresh update for their Virtual PC offering.

Windows Virtual PC is the latest Microsoft virtualization technology. You can use it to run more than one operating system at the same time on one computer, and to run many productivity applications on a virtual Windows environment, with a single click, directly from a computer running Windows 7.

Download it Here

Supported host operating systems

  • Windows 7 Home Basic
  • Windows 7 Home Premium
  • Windows 7 Enterprise
  • Windows 7 Professional
  • Windows 7 Ultimate

Supported guest operating systems

  • Windows XP Service Pack 3 (SP3) Professional
  • Windows Vista Enterprise Service Pack 1 (SP1) and later versions
  • Windows Vista Ultimate Service Pack 1 (SP1) and later versions
  • Windows Vista Business Service Pack 1 (SP1) and later versions *
  • Windows 7 Professional *
  • Windows 7 Enterprise.
  • Windows 7 Ultimate

*Note Virtual applications are not supported on Windows Vista Business or on Windows 7 Professional. All other features of Windows Virtual PC are supported on these two guest systems.