Ldap – How Do I Change the Active Directory Auditing Events Maximum

Tags: active-directory, ldap, windows-server-2008

We recently started testing the ADAudit tool and turned on some new auditing features in AD.

I have an LDAP Modify action in a custom program I've written that updates very large memberships for groups in AD (10,000+). It looks like it has started failing because of the auditing changes. This is the event description from the Directory Service Event Log.

While logging audit events for the following object, the directory service reached the maximum number of audit events that could be cached in memory at any given time. As a result of reaching this limit, the operation was aborted.

Maximum number of audit events that can be cached:
17000

Does anyone know how to change the maximum limit for this? I can find no information about it anywhere.

Best Answer

You know you've gotten yourself into a pickle if the only relevant search result to your problem is the Serverfault question you just asked.

Give this a try:

HKLM\System\CurrentControlSet\services\NTDS\Parameters\Maximum Audit Queue Size

You'll have to create the key as it most likely won't exist. It's completely undocumented (publicly) by Microsoft, and therefore most likely not supportable. The only reason I know that Directory Services checks for the existence of that key is because I ran Procmon and restarted AD DS to see what reg keys it searches for.

I haven't tested it out nor do I have an Active Directory as crazy as yours to test it on, but I doubt you'll get a better answer without contacting Microsoft support.

Most of the other keys there seem to be DWORDs, so I would start with that.

lsass.exe searches for it during AD DS startup using the function RegQueryValueExA. Unfortunately I can't see the parameters passed to the function so I can't tell you exactly what type of registry key it'll need to be. You'll just have to test.
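As an added example (not code from the question or the answer above), the PowerShell below does on a domain controller what the answer proposes: it records whether the value already exists, creates or updates it as a REG_DWORD, restarts AD DS if asked to, and then searches the Directory Service event log for the "maximum number of audit events" abort message quoted in the question. The value name, its DWORD type, and whether AD DS honours it at all are the answer's untested guesses from Procmon, not documented Microsoft behaviour; the event is matched on message text because no event ID appears on this page.

```powershell
# Added example, not part of the original question or answer.
# Assumptions (from the answer above, all undocumented and untested by Microsoft):
#   - the value lives under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
#   - it is named exactly "Maximum Audit Queue Size" and is a REG_DWORD
#   - lsass.exe reads it only when AD DS starts, so NTDS must be restarted
# Run in an elevated PowerShell session on the DC, and try it in a lab first.
param(
    [Parameter(Mandatory = $true)]
    [ValidateRange(1, 2147483647)]
    [int]$NewQueueSize,                 # e.g. 40000 for a 10,000+ member modify
    [switch]$RestartDirectoryService    # bounces NTDS and its dependents (KDC, DNS, ...)
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ValueName = 'Maximum Audit Queue Size'   # contains spaces: always quote it

# 1. Record the current state so the change can be reverted
#    (Remove-ItemProperty -Path $KeyPath -Name $ValueName puts things back).
$existing = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    Write-Host "'$ValueName' does not exist yet; the built-in limit of 17000 applies."
} else {
    Write-Host "Current '$ValueName' = $($existing.$ValueName)"
}

# 2. Create or update the value as REG_DWORD (the answer's best guess at the type).
if ($null -eq $existing) {
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
                     -Value $NewQueueSize | Out-Null
} else {
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $NewQueueSize
}
Write-Host "Set '$ValueName' = $NewQueueSize (REG_DWORD)"

# 3. The value is only read at AD DS startup. -Force also restarts dependent
#    services, so do this in a maintenance window, not on a busy DC.
$since = Get-Date
if ($RestartDirectoryService) {
    Restart-Service -Name NTDS -Force
    Write-Host "NTDS restarted at $since; re-run the LDAP modify now."
}

# 4. Look for the abort message from the question. The page gives no event ID,
#    so match on the message text and pull the reported cache limit out of it.
$pattern = 'maximum number of audit events that could be cached'
$hits = Get-WinEvent -LogName 'Directory Service' -MaxEvents 1000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern } |
    Select-Object TimeCreated, Id,
        @{ n = 'ReportedLimit'; e = {
            if ($_.Message -match 'can be cached:\s*(\d+)') { [int]$Matches[1] } } }

if (-not $hits) {
    Write-Host "No audit-cache abort events found in the Directory Service log."
} else {
    $after = @($hits | Where-Object { $_.TimeCreated -ge $since })
    Write-Host ("{0} abort event(s) total, {1} since {2}:" -f @($hits).Count, $after.Count, $since)
    $hits | Format-Table -AutoSize
    # If ReportedLimit still says 17000 after a restart, AD DS did not pick the
    # value up: the name, type or location assumed above is wrong, or the limit
    # is simply not configurable this way.
}
```

The ReportedLimit column is the check that matters: a new abort event whose reported maximum is still 17000 after the restart means the setting was ignored, and the only remaining route is Microsoft support as the answer says. As a practitioner's caveat rather than anything stated on the page, the other way round the problem is to keep each LDAP Modify below the cap, for example by adding the 10,000+ members in several smaller batches, which needs no undocumented registry value at all.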