Maximum Number of Objects in 2003 AD Security Group

Discussion in 'Active Directory' started by Keith Williams, May 21, 2007.

  1. In Windows 2000 AD there was a maximum limit of 5000 objects per security
    group. I believe that limitation has been removed in Windows 2003 but can
    find no (Microsoft) documentation to confirm this...

    is there still a limit on the number of objects that can be in a single AD
    group? If there is no hard limit is there a recommended maximum figure?
     
    Keith Williams, May 21, 2007
    #1
    1. Advertisements

  2. There's not a hard limit but you're in general much better off nesting
    groups than having massive group memberships from a manageability
    perspective.

    --
    Thanks,
    Brian Desmond
    Windows Server MVP - Directory Services

    www.briandesmond.com
     
    Brian Desmond [MVP], May 21, 2007
    #2
    1. Advertisements

  3. There is no physical limit in 2003 if you're running in Windows Server 2003
    Forest Functional Level. If you're not in FFL2 you still have the 5,000
    limit.

    The practicalities of the numbers in a group vary depending on the kind of
    applications you have that are using groups. What kind of numbers are you
    thinking about?
     
    Paul Williams [MVP], May 21, 2007
    #3
  4. Client presently has a ~72,000 users, some of which can hopefully be deleted,
    but wants to consolidate the number of groups they have, some 26,000 at last
    count, to ease the manageability of the group structure. The original reason
    for the vast number of groups was apparently the 5000 user limit in 2000.

    We are migrating to a 2003 R2 native mode domain so the restriction is
    lifted, in theory we could have a group with 72000 users in it. We probably
    wouldnt purely from a logistical purely as Brian says from a manageability
    perspective. I was just trying to work out if there was a 'happy medium' or
    'recommended maximum'.

    Also from a software distribution perspective, we will be using SMS, and
    will need groups for distribution. The core apps that everyone gets will be
    in the base OS build, or layer 1, and distributed automatically. But there
    are some applications that are not considered to be layer 0 or 1, but have in
    excess of 10,000 users - it could be that that calculation needs to change -
    so we could conceivably have groups with approaching 20000 users in them.

    Thanks for your responses.
     
    Keith Williams, May 22, 2007
    #4
  5. You sound like you've got it sorted. Yes, you can put 72,000 users in a
    group, but that might not be feasible if you want to use that group for
    software distribution or something similar -depends on your app and the
    rules you implement. Depending on how frequently that group will change
    that can become a pain. We have a couple of groups with numbers like that,
    that rarely change are are only user for trivial things like auto-enrolment,
    and the like.
     
    Paul Williams [MVP], May 22, 2007
    #5
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.