Exchange Team Blog

Maximum number of members in a Distribution Group?

We frequently get this question in many newsgroups and forums: what's the maximum number of members you can add to a Distribution group? The member attribute of groups, both Distribution and Security groups, is a multi-valued attribute, so the answer is really about how many values a multi-valued Active Directory attribute can hold.

Many of you may remember the recommendation of 5000 values in a multi-valued attribute in Windows 2000, and the fact that the limitation no longer exists in subsequent versions. So what's the actual limit? Or is there a limit at all?

To find out more, we queried our friends in the Directory Services team, who quickly researched it and added this information to Active Directory Maximum Limits. The doc, which answers all kinds of questions about maximum limits and recommendations, has some interesting factoids:

  • Maximum number of objects in Active Directory: A little less than 2.15 billion
  • Maximum number of SIDs in a domain: About 1 billion
  • Maximum number of group memberships for Security Principals: 1015
    *This is for Security groups. Each Security group you're a member of results in its SID being added to your access token at logon.

The doc provides more nuanced answers, recommendations, and workarounds to overcome some limitations, for those times when you absolutely must create more than 2 billion AD objects.

- Bharat Suneja

Published Thursday, February 19, 2009 11:35 AM by Exchange
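
The 1015 figure above applies to a principal's security-group memberships, each of which adds a SID to the access token at logon. The following is an added example, not code from the original post or from Microsoft: it flags accounts whose effective security-group count approaches or exceeds that limit. It assumes you have exported each security group's memberships; the function names, sample data and 80% warning threshold are illustrative.

```python
from collections import deque

TOKEN_GROUP_LIMIT = 1015  # security-group limit per principal, from the post


def effective_security_groups(direct, member_of):
    """Expand direct memberships through nested security groups."""
    seen, queue = set(), deque(direct)
    while queue:
        group = queue.popleft()
        if group in seen:  # already expanded; this also stops nesting loops
            continue
        seen.add(group)
        queue.extend(member_of.get(group, ()))
    return seen


def audit(users, member_of, limit=TOKEN_GROUP_LIMIT, warn_ratio=0.8):
    """Map each account to (effective group count, 'ok' | 'warn' | 'over')."""
    report = {}
    for user, direct in users.items():
        count = len(effective_security_groups(direct, member_of))
        if count > limit:
            status = "over"
        elif count >= warn_ratio * limit:  # warn_ratio is an arbitrary choice
            status = "warn"
        else:
            status = "ok"
        report[user] = (count, status)
    return report


def sample_directory():
    """Constructed data: security group -> security groups it belongs to."""
    member_of = {"Helpdesk": ["IT-All"], "IT-All": ["Staff"],
                 "Staff": ["IT-All"]}  # deliberate circular nesting
    projects = [f"Proj-{i:04d}" for i in range(1020)]
    for name in projects:
        member_of[name] = ["Staff"]
    users = {"alice": ["Helpdesk"], "bob": projects[:850],
             "svc-migrate": projects}
    return users, member_of


if __name__ == "__main__":
    for user, (count, status) in sorted(audit(*sample_directory()).items()):
        print(f"{user:12} {count:5} {status}")
```

Distribution groups are left out of the input because, as the post notes, the limit concerns security groups, whose SIDs are what end up in the token.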

Comments

 

Brian said:

Good information, thanks Bharat. Doesn't it start causing problems way before that theoretical limit though? I recall a problem where the token couldn't build fast enough and was timing out after an account was a member of almost 500 groups... any guidance around recommended limits vs. theoretical ones?
February 19, 2009 5:41 PM
 

Bharat Suneja said:

@Brian: Performance is subjective, will be different in different environments and you may be able to get around it by adding resources - faster hardware, network, etc.

The goal of the linked Directory Services doc is to define the things we know cannot be surpassed (may be technical limitation or 'theoretical limit'), and give some general recommendations of what Microsoft thinks is possible.

The recommendations start with the word "Recommended" in the title.

February 19, 2009 7:52 PM
 

Ronald Woan said:

Membership in a lot of groups can be a pain that you have to propagate an increase to max token size to all servers that such users will access.
February 19, 2009 8:17 PM
 

Ben said:

What about the Kerberos protocol and UDP packet size limitation?
February 21, 2009 11:09 PM
 

Bharat Suneja said:

@Ben: KB 244474 has instructions on how to force Kerberos to use TCP.

Also refer to the latter part of my previous response.
February 23, 2009 3:58 AM
 

Evgeniy said:

thanks Bharat
April 8, 2009 3:50 AM
 

saç ekimi said:

good article.
May 7, 2009 4:55 AM