Maximum number of members in a Distribution Group, and other interesting facts

We frequently get this question in many newsgroups and forums: what's the maximum number of members you can add to a Distribution group? The member attribute of groups, both Distribution and Security groups, is a multi-valued attribute. So the answer is really about how many values a multi-valued Active Directory attribute can hold.

Many of you may remember the recommendation of 5000 values in a multi-valued attribute in Windows 2000, and the fact that the limitation no longer exists in subsequent versions. So what's the actual limit? Or is there a limit at all?

To find out more, we queried our friends in the Directory Services team, who quickly researched it and added this information to Active Directory Maximum Limits. The doc, which answers all kinds of questions about maximum limits and recommendations, has some interesting factoids:

  • Maximum number of objects in Active Directory: A little less than 2.15 billion
  • Maximum number of SIDs in a domain: About 1 billion
  • Maximum number of group memberships for Security Principals: 1015*

    *This is for Security groups. Each Security group you're a member of results in its SID being added to your access token at logon.

The doc provides more nuanced answers, recommendations, and workarounds to overcome some limitations, for those times when you absolutely must create more than 2 billion Active Directory objects.
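To see how close accounts are to the 1015 security-group limit listed above, the following added example (not part of the original post or the Directory Services doc) reads each enabled user's `tokenGroups` attribute and reports the ones near the limit. It assumes the ActiveDirectory PowerShell module is available; the function names and the warning threshold of 800 are illustrative choices.

```powershell
# Added example, not from the original post.
# Requires the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

$GroupLimit    = 1015   # limit quoted in the article
$WarnThreshold = 800    # assumed early-warning value, adjust as needed

function Get-ExpandedGroupCount {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # tokenGroups is a constructed attribute: it is only computed on a
    # base-scope read of a single object, so search the object itself.
    $obj = Get-ADObject -SearchBase $DistinguishedName -SearchScope Base `
                        -LDAPFilter '(objectClass=*)' -Properties tokenGroups

    # Guard against an empty result so we return 0 rather than a bogus count.
    if ($null -eq $obj -or $null -eq $obj.tokenGroups) { return 0 }
    return $obj.tokenGroups.Count
}

function Find-AccountsNearGroupLimit {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    # One base-scope query per user: run this off-hours in large domains.
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
        ForEach-Object {
            $count = Get-ExpandedGroupCount -DistinguishedName $_.DistinguishedName
            if ($count -ge $WarnThreshold) {
                [pscustomobject]@{
                    SamAccountName = $_.SamAccountName
                    GroupSids      = $count                  # nested groups included
                    Headroom       = $GroupLimit - $count
                    OverLimit      = $count -gt $GroupLimit
                }
            }
        } | Sort-Object GroupSids -Descending
}

Find-AccountsNearGroupLimit | Format-Table -AutoSize
```

The count is an approximation of what ends up in the access token: `tokenGroups` covers directory security groups after nesting is expanded, while a real logon token also carries well-known and machine-local SIDs.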

Bharat Suneja

Comments (7)
  1. Brian says:

    Good information, thanks Bharat. Doesn’t it start causing problems way before that theoretical limit though? I recall a problem where the token couldn’t build fast enough and was timing out after an account was a member of almost 500 groups… any guidance around recommended limits vs. theoretical ones?

  2. Bharat Suneja says:

    @Brian: Performance is subjective, will be different in different environments and you may be able to get around it by adding resources – faster hardware, network, etc.

    The goal of the linked Directory Services doc is to define the things we know cannot be surpassed (may be a technical limitation or ‘theoretical limit’), and give some general recommendations of what Microsoft thinks is possible.

    The recommendations start with the word "Recommended" in the title.

  3. Ronald Woan says:

    Membership in a lot of groups can be a pain, in that you have to propagate an increase to the max token size to all servers that such users will access.

  4. Ben says:

    What about the Kerberos protocol and UDP packet size limitation?

  5. Bharat Suneja says:

    @Ben: KB 244474 has instructions on how to force Kerberos to use TCP.

    Also refer to the latter part of my previous response.

  6. Evgeniy says:

    thanks Bharat

  7. saç ekimi says:

    good article.

Comments are closed.
