Limitations of this parameter
Auto Zone does not support one-way trusts. If there are any users in a specified group who belong to a domain that has a one-way trust relationship to the joined domain, they will not become valid users on the computer.
If you set this parameter, you should be aware of search limit defined for the auto.schema.search.return.max parameter. The setting for that parameter will limit the number of users returned in search results and stored in the cache. For example, if the auto.schema.search.return.max parameter is set to 100, and you use this parameter to specify an Active Directory group with 200 members, a query would only return results for the first 100 users. The remaining members of the group will still be allowed to log on to computers in the Auto Zone, but the results of queries might be misleading.
If desired, you can disable the auto.schema.search.return.max parameter by setting the parameter value to 0. Disabling the search limit ensures that all of the users in the specified Active Directory groups are listed as valid zone users when you run queries whether the number of users exceeds or falls short of the number specified for the auto.schema.search.return.max parameter. If you are not concerned about whether search results accurately reflect the users in the Active Directory groups you have defined for the auto.schema.allow.groups parameter, however, you don’t need to modify the auto.schema.search.return.max parameter.