
Max Group Membership Limits for Active Directory

While exploring the concept of maximum membership limits for groups, I ran into a number of posts which offered contradicting information. To set the record straight, we will start with ancient history.

When Windows 2000 was released, the recommended number of members in a group was 5000. This corresponds with the number of changes that could be written in a single replication cycle (if I have my facts straight.) Remember, back in those days, every time you changed the membership of a group, you caused the entire group and all its membership information to replicate.

With the release of Windows 2003 came the concept of Linked Value Replication. This enabled you to make membership changes to a group and only replicate the changes in membership – adds, deletes, etc. Because of this, Microsoft hasn’t issued a new recommended limit. Here’s a snippet from a document titled Windows Server 2003 R2 and Windows Server 2003:

Recommended Maximum Number of Users in a Group

For Windows 2000 Active Directory environments, the recommended maximum number of members in a group is 5,000. This recommendation is based on the number of concurrent atomic changes that can be committed in a single database transaction. Starting with Windows Server 2003, the ability to replicate discrete changes to linked multivalued properties was introduced as a technology called Linked Value Replication (LVR). To enable LVR, you must increase the forest functional level to at least Windows Server 2003 interim. Increasing the forest functional level changes the way that group membership (and other linked multivalued attributes) is stored in the database and replicated between domain controllers. This allows the number of group memberships to exceed the former recommended limit of 5,000 for Windows 2000 or Windows Server 2003 at a forest functional level of Windows 2000. So far, testing in this area has yet to reveal any new recommended limits to the number of members in a group or any other linked multivalued attribute. Production environments have been reported to exceed 4 million members, and Microsoft scalability testing reached 500 million members.

So there you have it. The next time someone asks you about membership limitations of a group, you can happily tell them – it doesn’t exist (because you aren’t on Windows 2000, right? RIGHT?)
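Since the only thing that actually matters is whether the forest is still at the Windows 2000 functional level, here is a quick PowerShell check you can run before answering that question. This is an added example, not part of the original post or any Microsoft documentation; it assumes the ActiveDirectory RSAT module is installed and that the account running it can read group objects. The $legacyLimit variable and the report layout are my own choices.

```powershell
# Added example (not from the original post): report the forest functional level
# and flag groups whose member count exceeds the old Windows 2000 guidance of 5,000.
# Assumes the ActiveDirectory module (RSAT) and read access to group objects.
Import-Module ActiveDirectory

$legacyLimit = 5000   # the Windows 2000-era recommendation discussed above

# LVR only takes effect once the forest is above Windows 2000 functional level.
$forest     = Get-ADForest
$lvrEnabled = $forest.ForestMode -ne 'Windows2000Forest'
"Forest '$($forest.Name)' functional level: $($forest.ForestMode) (LVR in effect: $lvrEnabled)"

# Read the 'member' attribute directly rather than calling Get-ADGroupMember,
# which is capped by the ADWS MaxGroupOrMemberEntries setting (5,000 by default)
# and fails on exactly the large groups this check is looking for.
$report = Get-ADGroup -Filter * -Properties member |
    ForEach-Object {
        $count = @($_.member).Count
        [pscustomobject]@{
            Group       = $_.Name
            MemberCount = $count
            OverLegacy  = $count -gt $legacyLimit
        }
    } |
    Sort-Object MemberCount -Descending

# Show the largest groups first.
$report | Select-Object -First 10 | Format-Table -AutoSize

# Only a Windows 2000-level forest still has a real problem: every membership
# change replicates the whole group, and the 5,000 guidance applies.
if (-not $lvrEnabled -and ($report | Where-Object OverLegacy)) {
    Write-Warning "Forest is at Windows 2000 functional level: groups above $legacyLimit members replicate as a whole and exceed the supported guidance."
}
```

On a forest at Windows Server 2003 interim or higher the warning never fires, which is exactly the point of the post; the report is still useful for spotting groups large enough that tooling (rather than the directory) becomes the bottleneck.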
