How many ACEs are too many?

Discussion in 'Active Directory' started by Mark Smith, Oct 25, 2005.

  1. Mark Smith

    Mark Smith Guest

    With regard to ACLs on an Active Directory OU, how many ACEs are too many?

    25, 35, 50, 100?

    I'm running Windows 2003 AD in native mode.
     
    Mark Smith, Oct 25, 2005
    #1

  2. Paul Bergson

    Paul Bergson Guest

    The fewer the better. How many can you manage is a better question.

    --


    Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Paul Bergson, Oct 25, 2005
    #2

  3. Windows NT 4.0 had a 1,820 limit per ACL. See tip 0464 » ACE (Access Control Entry) limit.
    in the 'Tips & Tricks' at http://www.jsifaq.com

    I am not aware of any change in Windows NT 5.x.

    Jerold Schulman
    Windows Server MVP
    JSI, Inc.
    http://www.jsiinc.com
    http://www.jsifaq.com
     
    Jerold Schulman, Oct 25, 2005
    #3
  4. Anything that starts causing performance hits or duplication.

    Overall, you want as few ACEs as possible because the ACL chain for an object
    has to be reviewed for every object access.
     
    Joe Richards [MVP], Oct 25, 2005
    #4
  5. Mark Smith

    Mark Smith Guest

    I've heard that Windows 2003 AD Native Mode isn't as bad because it has a
    single instance store?

    Is this the case?

    So would less than 100 be ok?

    Just trying to get a ballpark average number to target.
     
    Mark Smith, Oct 25, 2005
    #5
  6. Single instance store helps on the size of the directory due to collapsing
    duplicate SDs into a single entry. From what I understand of the changes it does
    nothing for speeding up object access resolution.
     
    Joe Richards [MVP], Oct 26, 2005
    #6
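
An added example, not part of the original thread or any poster's code: a Python sketch that counts the DACL ACEs in an exported SDDL string for an OU, splits explicit from inherited entries, and flags exact repeats (the "duplication" raised in post #4). The sample SDDL, its SIDs and GUID, and the `warn_at` value are constructed assumptions; `warn_at` is a local review trigger, not a Windows limit, and ACEs with conditional expressions are not handled.

```python
import re
from collections import Counter

# Constructed sample: SDDL for a hypothetical OU. SIDs and the GUID are made up.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;GA;;;SY)"
    f"(A;CI;RPLCLORC;;;{DOM}-1105)"
    f"(A;CI;RPLCLORC;;;{DOM}-1105)"  # exact repeat of the previous ACE
    f"(OA;CI;CCDC;11111111-2222-3333-4444-555555555555;;{DOM}-1106)"
    "(A;CIID;RPLCLORC;;;AU)"         # inherited: carries the ID flag
    "S:AI(AU;SA;WDWO;;;WD)"          # SACL entry, must not be counted
)

def parse_dacl(sddl):
    """Return the DACL's ACEs as dicts; owner, group and SACL are ignored."""
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))*)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(1)):
        # type;flags;rights;object_guid;inherit_object_guid;trustee
        f = (body.split(";") + [""] * 6)[:6]
        flags = re.findall("..", f[1])  # ACE flags are two-letter codes
        scope = "".join(sorted(x for x in flags if x != "ID"))
        aces.append({"type": f[0], "inherited": "ID" in flags, "scope": scope,
                     "rights": f[2], "object": f[3].lower(),
                     "inherit_object": f[4].lower(), "trustee": f[5]})
    return aces

def summarize(sddl, warn_at=100):
    """Count ACEs and list entries that appear more than once in the DACL."""
    aces = parse_dacl(sddl)
    # Rights are compared as written, so reordered right codes are not matched.
    keys = Counter((a["type"], a["scope"], a["rights"], a["object"],
                    a["inherit_object"], a["trustee"]) for a in aces)
    return {
        "total": len(aces),
        "explicit": sum(not a["inherited"] for a in aces),
        "inherited": sum(a["inherited"] for a in aces),
        "per_trustee": Counter(a["trustee"] for a in aces),
        "duplicates": [k for k, n in keys.items() if n > 1],
        "over_threshold": len(aces) > warn_at,
    }

if __name__ == "__main__":
    for name, value in summarize(SAMPLE_SDDL).items():
        print(f"{name}: {value}")
```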