COMMAND

    permissions

SYSTEMS AFFECTED

    Win2000

PROBLEM

    Dave Kolb encountered the following. When he tries to add
    permissions to a folder on his W2K machine or a server folder, he
    gets a dialog that maxes out at 10,000 items, so it does not show
    every user, computer and group, because his Active Directory holds
    more than 10,000 objects in total. The dialog is called "Select
    Users, Computers and Groups" and says "This location contains
    more than 10,000 objects.  Only the first 10,000 will be shown".

    What if you needed to give permission to an object that was not
    shown? Setting the number of objects shown in the Users and
    Computers snap-in does not affect this dialog.

SOLUTION

    The  problem  is  not  actually  a  bug  but a default limitation.
    Change the Maximum Size of Directory Searches setting to a  larger
    number (the default value is 10,000) in the Group Policy  snap-in.
    This Group Policy object is located under:

        User Configuration\Administrative Templates\Desktop\Active Directory

    The 10,000  user limit  is just  the default  setting, and  can be
    increased by the administrator as discussed in

        http://support.microsoft.com/support/kb/articles/Q234/9/55.ASP

    However, there's a performance hit associated with increasing  the
    limit, and the hit is non-linear  with the number of users.   This
    is but  one reason  why it's  a good  idea to  use a  partitioning
    strategy that limits the population of OUs.

    If you  must have  OUs with  large populations,  but don't want to
    take the  performance hit  associated with  increasing the display
    limit, you can still work with  all of the user objects.   Just do
    a "find"  in the  dialogue rather  than browsing  for them.   Hope
    that helps.