This is pretty much the truth.

The architectural limit is defined by the database store used by Active Directory. In 
order to verify replication was successful that limit can't be exceeded for any 
transaction. The larger the transaction the more likely that this limit will be 
reached. The 5,000 member "limit" is a number that is tested and is generally 
guaranteed to work. Plus it is large enough that it should meet the needs of even 
very large installations.

In a .NET forest this limit mostly goes away. Without going into the technical 
details, you will be able to add no more than "5,000" members to a group at one time; 
the total number of members is unlimited as long as you add them in batches of less 
than "5,000".

- Tony Yuhas [MS]
--------------------------------------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.
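
The batching described in the message above, as an added example that is not part of the original thread or of any Microsoft code. It assumes the ActiveDirectory (RSAT) PowerShell module; the function name `Add-GroupMembersInBatches`, the default batch size, and the sample group and file names are hypothetical.

```powershell
# Added example: adds members to a group in batches that stay below the
# 5,000-per-operation figure quoted in the thread. Names are hypothetical.
Import-Module ActiveDirectory

function Add-GroupMembersInBatches {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $GroupIdentity,
        [Parameter(Mandatory)] [string[]] $MemberDN,
        [ValidateRange(1, 4999)] [int]    $BatchSize = 1000
    )

    # Drop repeated DNs (case-insensitive) so a batch cannot fail on a duplicate.
    $unique = @($MemberDN | Sort-Object -Unique)

    for ($i = 0; $i -lt $unique.Count; $i += $BatchSize) {
        $last  = [Math]::Min($i + $BatchSize, $unique.Count) - 1
        $batch = @($unique[$i..$last])

        # One result object per batch, so a failed batch can be retried alone.
        $result = [pscustomobject]@{
            Batch  = [int]($i / $BatchSize) + 1
            Count  = $batch.Count
            Status = 'Skipped'
            Error  = $null
        }

        if ($PSCmdlet.ShouldProcess($GroupIdentity, "Add $($batch.Count) members")) {
            try {
                # Each call is a separate directory update of at most $BatchSize values.
                Add-ADGroupMember -Identity $GroupIdentity -Members $batch -ErrorAction Stop
                $result.Status = 'Added'
            }
            catch {
                $result.Status = 'Failed'
                $result.Error  = $_.Exception.Message
            }
        }
        $result
    }
}

# Constructed usage: one DN per line in a text file, dry run first with -WhatIf.
# $dns = Get-Content .\new-members.txt
# Add-GroupMembersInBatches -GroupIdentity 'All-Staff' -MemberDN $dns -WhatIf
```
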


-----Original Message-----
From: David Stacer [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, June 04, 2002 5:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Limitations - max 5000 users per group?

We spent some MS Support $$ to research this question. What is widely known as fact is 
really wrong.

This is what we were told:

The limit might be somewhere around 5000 but it depends on the size of Distinguished 
Names that are the members of the group. If you look at the syntax for the "member" 
attribute of a group, it stores the distinguished names of the users in the group. It 
doesn't store the SID. You can verify this by using ADSIEDIT.msc and look for 
yourself. The DN's can be of variable sizes depending on where you place your 
usersid's in AD.

The limitation is really in the replication code, it replicates the entire attribute 
and it has a limit to the size of attribute that it can replicate. If you have short 
DN's you can fit a lot more in the member attribute before it doesn't work.

I tested this and had over 10,000 users in a group and it still replicated ok. The 
final thing we were told is there is no easy way to detect when it's too big.

I agree with an earlier message, use nested groups instead of one large group.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, June 04, 2002 4:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Limitations - max 5000 users per group?
Did a google search...came up with the following:

When you change a user-account attribute under NT 4.0, NT replicates the user's entire 
record; AD replicates only the changed attribute. However, AD stores a group's 
membership as one attribute. The list of a group's users and machines (yes, groups can 
contain machine accounts in AD) resides in that attribute. The catch is that 
attributes have a maximum size in the AD database, and AD doesn't have room for more 
than 5000 SIDs in a group's membership attribute. (This gotcha doesn't limit the 
built-in Domain Users group, however, which apparently doesn't suffer from the 
5000-member cap.)

http://www.winnetmag.com/Articles/Index.cfm?ArticleID=9672
http://216.239.35.100/search?q=cache:VSJxhzEJpTgC:www.securetips.com/subject/faqs/2kfaq.asp+Global+Group+Size+Limit+Active+Directory+5000&hl=en&ie=UTF8

An interesting read, anyone else have any more information?

Regards,

Benton Chase Wink
-------------------------------------------------
Benton Chase Wink, CCNA MCSE
McCombs School of Business 
LAN Administrator, Network Team 
512-471-9938 
512-619-9016

-----Original Message-----
[Benton Wink {winkb}]
From: Hutchins, Mike [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 04, 2002 3:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Limitations - max 5000 users per group?
A global group is a global group, is a global group, is a global group..

But if your script enumerated the groups within the group to find nested members, then 
that would be reasonable to find 10,000
-----Original Message-----
From: T Bowman [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, June 04, 2002 2:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Limitations - max 5000 users per group?
After my last response... I hesitate, but...
If I'm not mistaken, I read somewhere that the Domain Users group (at least I *think* 
it was that one) isn't actually a group in the strictest sense of the word.

Correct away... (crossing my fingers ;)
T.
-----------------------
Tony Bowman, MCSE, MCSA, CCNA
Harvest, AL
[EMAIL PROTECTED] 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On 
Behalf Of Parker, Edward
Sent: Tuesday, June 04, 2002 3:18 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Limitations - max 5000 users per group?
Does this apply to the "Domain Users" group ?!?

I ran a script against our Domain and returned over 10,000 users that are a member of 
"Domain Users"

-----Original Message-----
From: Hutchins, Mike [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, June 04, 2002 2:46 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Limitations - max 5000 users per group?

The 5000 user limit is not a 5000 "user" limit, it is a 5000 Direct member limit. I 
don't think anyone in their right mind would have 5000 users in one group. I would 
suggest nesting them to make them more manageable anyways.

FYI, .NET removes this limitation for the nutty people.
-----Original Message-----
From: AMAN, ALICE L. (JSC-GT4) (NASA) [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, June 04, 2002 1:34 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Limitations - max 5000 users per group?
Someone on slashdot.org (pro-linux site) indicated real-world problems with AD 
including:

"Groups aren't scalable, supporting max 5000 users."

I want to recommend that we keep our people directory flat but if groups have a 
maximum of 5000 users, this will be an obstacle. Would anyone care to comment?

-----Original Message-----
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 04, 2002 11:49 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Limitations
Eoin,

Actually the size of the directory itself doesn't really affect replication traffic 
(except when you bring up a new domain controller). It's the amount of data that is 
changed, and how frequently it is changed, that drives the replication traffic.

-gil
-----Original Message-----
From: T Bowman [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, June 04, 2002 9:04 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Limitations
Eoin,
I do not believe there is a hard limit. I do know it is capable of handling 
millions of objects.
However, keep in mind that the size will affect replication and thus your network.

T.
-----------------------
Tony Bowman, MCSE, MCSA, CCNA
Harvest, AL
[EMAIL PROTECTED] 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On 
Behalf Of Eoin Mooney
Sent: Tuesday, June 04, 2002 10:48 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Active Directory Limitations
Hi all,
I know this is probably a very general question, but is there a limit with relation 
to active directory size.
Number of folders created, data stored, etc, etc

Regards
Eoin 
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
