Maximum number of members in a Distribution Group, and other interesting facts
Published Feb 19 2009 02:35 PM
Microsoft

We frequently get this question in many newsgroups and forums: what's the maximum number of members you can add to a Distribution group? The member attribute of groups, both Distribution and Security, is a multi-valued attribute, so the answer is really about how many values a multi-valued Active Directory attribute can hold.

Many of you may remember the recommendation of 5000 values in a multi-valued attribute in Windows 2000, and the fact that the limitation no longer exists in subsequent versions. So what's the actual limit? Or is there a limit at all?

To find out more, we queried our friends in the Directory Services team, who quickly researched it and added this information to Active Directory Maximum Limits. The doc, which answers all kinds of questions about maximum limits and recommendations, has some interesting factoids:

  • Maximum number of objects in Active Directory: A little less than 2.15 billion
  • Maximum number of SIDs in a domain: About 1 billion
  • Maximum number of group memberships for Security Principals: 1015*

    *This is for Security groups. Each Security group you're a member of results in its SID being added to your access token at logon.

The doc provides more nuanced answers, recommendations, and workarounds to overcome some limitations, for those times when you absolutely must create more than 2 billion Active Directory objects.

Bharat Suneja
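
The footnote above says each Security group adds its SID to the access token, which is why the 1015 limit applies per principal. The following added example (not from the original post or the Directory Services doc) audits a constructed membership export against that limit. The group names, the data layout, the `warn_ratio` threshold and the rule that nesting is followed only through security groups are assumptions of this example.

```python
from collections import deque

MAX_SECURITY_GROUPS = 1015  # per-principal limit quoted in the article

# Constructed sample export, not from a real directory.
# group -> (is_security_group, groups this group is itself a member of)
GROUPS = {
    "SG-Finance": (True, ["SG-AllStaff"]),
    "SG-AllStaff": (True, ["SG-Finance"]),  # nesting loop, must not hang the walk
    "SG-VPN": (True, []),
    "DL-Newsletter": (False, []),  # distribution group: no SID in the token
}
DIRECT = {"alice": ["SG-Finance", "SG-VPN", "DL-Newsletter"]}

# Constructed worst case: one account placed directly in 1016 security groups.
for i in range(MAX_SECURITY_GROUPS + 1):
    GROUPS[f"SG-App{i:04d}"] = (True, [])
DIRECT["svc-legacy"] = [f"SG-App{i:04d}" for i in range(MAX_SECURITY_GROUPS + 1)]


def token_security_groups(user, direct=DIRECT, groups=GROUPS):
    """Return the set of security groups whose SIDs would count for `user`.

    Assumption of this example: nesting is followed through security
    groups only; distribution groups are skipped and not expanded.
    """
    seen = set()
    queue = deque(direct.get(user, []))
    while queue:
        name = queue.popleft()
        is_security, member_of = groups[name]
        if name in seen or not is_security:
            continue
        seen.add(name)
        queue.extend(member_of)
    return seen


def audit(user, warn_ratio=0.8):
    """Classify a user as ok / warn / over against the 1015 limit."""
    count = len(token_security_groups(user))
    if count > MAX_SECURITY_GROUPS:
        status = "over"
    elif count >= warn_ratio * MAX_SECURITY_GROUPS:
        status = "warn"
    else:
        status = "ok"
    return count, status


if __name__ == "__main__":
    for user in sorted(DIRECT):
        print(user, *audit(user))
```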

7 Comments
Not applicable
Good information, thanks Bharat. Doesn't it start causing problems way before that theoretical limit though? I recall a problem where the token couldn't build fast enough and was timing out after an account was a member of almost 500 groups... any guidance around recommended limits vs. theoretical ones?
Not applicable
@Brian: Performance is subjective, will be different in different environments and you may be able to get around it by adding resources - faster hardware, network, etc.

The goal of the linked Directory Services doc is to define the things we know cannot be surpassed (may be technical limitation or 'theoretical limit'), and give some general recommendations of what Microsoft thinks is possible.

The recommendations start with the word "Recommended" in the title.

Not applicable
Membership in a lot of groups can be a pain in that you have to propagate an increase to max token size to all servers that such users will access.
Not applicable
What about the Kerberos protocol and UDP packet size limitation?
Not applicable
@Ben: KB 244474 has instructions on how to force Kerberos to use TCP.

Also refer to the latter part of my previous response.
Not applicable
Thanks, Bharat.
Not applicable
Good article.
Last update: Jul 01 2019 03:42 PM