How many groups can an Active Directory account be a member of?
Is there any hard limit, or do you know of other problems that can arise when you go over a certain number of group memberships?
Background: We have one account that is a member of ca. 400 (possibly nested) groups, and we start to see issues in group policy handling for this account.
No, it's limited to 1015 (including nested groups) due to the size of a principal's security token. Here's an article that discusses AD limits, including group memberships. Have a look at the Group Memberships for Security Principals heading. Here's another KB article that talks about group memberships specifically.
There are exceptions when dealing with domain local groups outside of the domain the principal is a member of. From the KB linked to above:
Note that distribution groups don't factor in to these token size limitations being discussed here.
This thread has a good discussion on the topic. Short answer: 1,015. Longer answer: less, depending on how many of the groups they belong to are nested within other groups.
I have seen values of 1000 to 1024 group memberships being the limit. I'm not sure it's a hard limit, but membership of this many groups leads to "token bloat", as the token contains the SIDs of all group memberships.
In your case the user may be a member of 400 groups directly, but nested groups could increase that significantly.
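The nesting effect the answers describe, as an added example that is not part of any answer above: it expands an account's direct memberships through nested groups and compares the total with the 1015 figure quoted in the answers. The directory data, group names and function names are constructed for illustration, and leaving distribution groups unexpanded is a simplification of this sketch.

```python
from collections import deque

MAX_GROUP_SIDS = 1015  # limit quoted in the answers above


def effective_groups(direct, member_of, distribution=frozenset()):
    """Return every security group reached from `direct` through nesting."""
    seen, queue = set(), deque(direct)
    while queue:
        group = queue.popleft()
        # Skip groups already counted (handles circular nesting) and
        # distribution groups, which add no SID to the token.
        # Simplification of this sketch: distribution groups are not expanded.
        if group in seen or group in distribution:
            continue
        seen.add(group)
        queue.extend(member_of.get(group, ()))
    return seen


def check_account(direct, member_of, distribution=frozenset()):
    """Summarise direct vs. effective membership and flag accounts over the limit."""
    groups = effective_groups(direct, member_of, distribution)
    return {
        "direct": sum(1 for g in direct if g not in distribution),
        "effective": len(groups),
        "over_limit": len(groups) > MAX_GROUP_SIDS,
    }


def build_sample():
    """Constructed directory: 400 direct groups, each nested two levels deep."""
    member_of = {}
    direct = [f"app-{i:03d}" for i in range(400)]
    for i, group in enumerate(direct):
        member_of[group] = [f"site-{i:03d}"]
        member_of[f"site-{i:03d}"] = [f"region-{i % 250:03d}"]
    member_of["region-000"] = ["app-000"]  # circular nesting, must not loop
    direct.append("dl-newsletter")         # distribution group, not counted
    return direct, member_of, frozenset({"dl-newsletter"})


if __name__ == "__main__":
    print(check_account(*build_sample()))
```

In this constructed directory the account's 400 direct memberships expand to 1050 security groups, which is over the quoted limit even though the direct count looks safe.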