The attached response from Tony Yuhas (Microsoft) explains this quite well.

Tony

> -----Original Message-----
> From: Parker, Edward [mailto:[EMAIL PROTECTED]] 
> Sent: Tuesday, December 03, 2002 3:18 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] which W2K groups does the 5000 limit apply to?
> 
> 
> I know we had this discussion on this list before.  I am not sure of the
> results.  Here are my "real world" numbers
> 
> I ran the script below on my domain for the Domain Users Group and got the
> following:
> 
> There are 23954 users in that group.
> 
> Since this is a built in group, I ran it on a manually created group and got
> the following:
> 
> There are 15315 users in that group.
> 
> So my question is:  If there is a 5,000 user limit, then why can I have
> 15,000+ users in a group.  These groups are not nested groups.
> 
> Any Thoughts?
> 
> 
> Script Below:
> ***********************************************************
> 
> Option Explicit
> Dim sGroup, sDomain, oGroup
> Dim oMember
> Dim x
> 
> x=0
> 
> sDomain = "Your Domain here"
> sGroup = InputBox ("Enter Group Name:"," Enter Group Name ")
>   if sGroup = "" then
>       wscript.echo  "You did not enter a Group Name!"
>       wscript.quit
>   end if
> 
> Set oGroup = GetObject("WinNT://" & sDomain & "/" & sGroup & ",group")
> 
> For Each oMember in oGroup.Members
>         x=x+1
> Next
> wscript.Echo "There are " &x&" users in that group."
> 
> -----Original Message-----
> From: Hutchins, Mike [mailto:[EMAIL PROTECTED]] 
> Sent: Tuesday, December 03, 2002 2:05 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] which W2K groups does the 5000 limit apply to?
> 
> 
> All Groups in AD are bound by this limitation. It only includes direct
> members.
> 
> -----Original Message-----
> From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]] 
> Sent: Tuesday, December 03, 2002 12:39 PM
> To: '[EMAIL PROTECTED]'
> Subject: [ActiveDir] which W2K groups does the 5000 limit apply to? 
> 
> 
> I have seen two references (.NET Magazine, Dec 2002, p19; Technet, Nov 2002,
> "Planning Your Commerce Server Installation") that indicate that Windows
> 2000 groups have a limit of 5000 users.  Can anyone tell me what groups this
> limit is applied to?  Is it just those groups created by an administrator or
> does it apply also to default groups (e.g., Domain Users).  Seems to me if
> it included groups like "Domain Users", Windows 2000 could not be called
> very scalable.  Any insight is appreciated! TIA.
> 
> Mike Thommes
> Systems Administrator
> Argonne National Laboratory
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

--- Begin Message ---
This is pretty much the truth.

The architectural limit is defined by the database store used by Active
Directory. In order to verify replication was successful that limit can't be
exceeded for any transaction. The larger the transaction the more likely
that this limit will be reached. The 5,000 member "limit" is a number that
is tested and is generally guaranteed to work.  Plus it is large enough that
it should meet the needs of even very large installations.

In a .NET forest this limit mostly goes away. Without going into the
technical details, you will be able to add no more than "5,000" members to a
group at one time; the total number of members is unlimited as long as you
add them in batches of less than "5,000".

- Tony Yuhas [MS]
--------------------------------------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.


-----Original Message-----
From: David Stacer [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, June 04, 2002 5:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Limitations - max 5000 users per group?

We spent some MS Support $$ to research this question. What is widely known
as fact is really wrong. 
 
This is what we were told:
 
The limit might be somewhere around 5000 but it depends on the size of
Distinguished Names that are the members of the group. If you look at the
syntax for the "member" attribute of a group, it stores the distinguished
names of the users in the group. It doesn't store the SID. You can verify
this by using ADSIEDIT.msc and look for yourself. The DNs can be of
variable sizes depending on where you place your userids in AD.
 
The limitation is really in the replication code, it replicates the entire
attribute and it has a limit to the size of attribute that it can replicate.
If you have short DNs you can fit a lot more in the member attribute before
it doesn't work.
 
I tested this and had over 10,000 users in a group and it still replicated
ok. The final thing we were told is there is no easy way to detect when it's
too big.
 
I agree with an earlier message, use nested groups instead of one large
group.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, June 04, 2002 4:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Limitations - max 5000 users per group?
Did a google search...came up with the following:
 
When you change a user-account attribute under NT 4.0, NT replicates the
user's entire record; AD replicates only the changed attribute. However, AD
stores a group's membership as one attribute. The list of a group's users
and machines (yes, groups can contain machine accounts in AD) resides in
that attribute. The catch is that attributes have a maximum size in the AD
database, and AD doesn't have room for more than 5000 SIDs in a group's
membership attribute. (This gotcha doesn't limit the built-in Domain Users
group, however, which apparently doesn't suffer from the 5000-member cap.)
 
http://www.winnetmag.com/Articles/Index.cfm?ArticleID=9672
 
http://216.239.35.100/search?q=cache:VSJxhzEJpTgC:www.securetips.com/subject
/faqs/2kfaq.asp+Global+Group+Size+Limit+Active+Directory+5000&hl=en&ie=UTF8
 
An interesting read, anyone else have any more information?
 
Regards,
 
Benton Chase Wink
 ------------------------------------------------- 
Benton Chase Wink, CCNA MCSE
McCombs School of Business 
LAN Administrator, Network Team 
512-471-9938 
512-619-9016
 
-----Original Message-----
[Benton Wink {winkb}]  
From: Hutchins, Mike [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 04, 2002 3:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Limitations - max 5000 users per group?
A global group is a global group, is a global group, is a global group..
 
But if your script enumerated the groups within the group to find nested
members, then that would be reasonable to find 10,000
-----Original Message-----
From: T Bowman [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, June 04, 2002 2:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Limitations - max 5000 users per
group?
After my last response... I hesitate, but...
If I'm not mistaken, I read somewhere that the Domain Users group (at least
I *think* it
was that one) isn't actually a group in the strictest sense of the word.
 
Correct away... (crossing my fingers ;)
T.
-----------------------
Tony Bowman, MCSE, MCSA, CCNA
Harvest, AL
[EMAIL PROTECTED] 
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Parker, Edward
Sent: Tuesday, June 04, 2002 3:18 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Limitations - max 5000 users per
group?
Does this apply to the "Domain Users" group ?!?
 
I ran a script against our Domain and returned over 10,000 users that are a
member of "Domain Users"
 
-----Original Message-----
From: Hutchins, Mike [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, June 04, 2002 2:46 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Limitations - max 5000 users per
group?
 
The 5000 user limit is not a 5000 "user" limit, it is a 5000 Direct member
limit. I don't think anyone in their right mind would have 5000 users in one
group. I would suggest nesting them to make them more manageable anyways.
 
FYI, .NET removes this limitation for the nutty people.
-----Original Message-----
From: AMAN, ALICE L. (JSC-GT4) (NASA) [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, June 04, 2002 1:34 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Limitations - max 5000 users per
group?
Someone on slashdot.org (pro-linux site) indicated real-world problems with
AD
including:
 
"Groups aren't scalable, supporting max 5000 users."
 
I want to recommend that we keep our people directory flat but if groups
have a maximum of
5000 users, this will be an obstacle. Would anyone care to comment?
 
 
-----Original Message-----
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 04, 2002 11:49 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Limitations
Eoin,
 
Actually the size of the directory itself doesn't really affect replication
traffic (except when you bring up a new domain controller). It's the amount
of data that is changed, and how frequently it is changed, that drives the
replication traffic.
 
-gil
-----Original Message-----
From: T Bowman [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, June 04, 2002 9:04 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Limitations
Eoin,
  I do not believe there is a hard limit.  I do know it is capable of
handling millions of objects.
However, keep in mind that the size will affect replication and thus your
network.
 
T.
-----------------------
Tony Bowman, MCSE, MCSA, CCNA
Harvest, AL
[EMAIL PROTECTED] 
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Eoin Mooney
Sent: Tuesday, June 04, 2002 10:48 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Active Directory Limitations
Hi all,
I know this is probably a very general question, but is there a limit with
relation to Active Directory size?
Number of folders created, data stored, etc., etc.
 
Regards 
Eoin 
--- End Message ---
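
The following is an added example, not code from any poster in this thread. It contrasts direct membership with the users reached through nesting (the distinction the replies draw), totals the length of the member DNs, and splits additions into batches of fewer than 5,000; the DNs, group names and function names are constructed for illustration, and 5,000 is the figure quoted above, not a measured limit.

```python
from collections import deque

GUIDANCE = 5000  # direct-member figure quoted in the thread, not a measured hard limit

def effective_users(groups, dn):
    """Users reachable from group `dn` through nesting (cycle-safe breadth-first walk)."""
    seen, users, queue = {dn}, set(), deque([dn])
    while queue:
        for member in groups[queue.popleft()]:
            if member not in groups:
                users.add(member)          # leaf: a user or computer DN
            elif member not in seen:
                seen.add(member)           # nested group, visited once
                queue.append(member)
    return users

def audit(groups):
    """Map group DN -> (direct members, effective users, total DN characters, over guidance)."""
    report = {}
    for dn, members in groups.items():
        dn_chars = sum(len(m) for m in members)  # member holds DNs, so DN length matters
        report[dn] = (len(members), len(effective_users(groups, dn)),
                      dn_chars, len(members) > GUIDANCE)
    return report

def plan_batches(new_members, limit=GUIDANCE):
    """Split additions into batches of fewer than `limit` members each."""
    size = limit - 1
    return [new_members[i:i + size] for i in range(0, len(new_members), size)]

# Constructed sample directory (hypothetical DNs under example.com).
def make_users(n, start=0):
    return [f"CN=user{i:05d},OU=People,DC=example,DC=com" for i in range(start, start + n)]

FLAT = "CN=AllStaff-Flat,OU=Groups,DC=example,DC=com"
NESTED = "CN=AllStaff,OU=Groups,DC=example,DC=com"
SUBS = [f"CN=Staff-{k},OU=Groups,DC=example,DC=com" for k in "ABC"]
GROUPS = {
    FLAT: make_users(6000),                      # one large flat group
    NESTED: list(SUBS),                          # same population, nested
    SUBS[0]: make_users(2000, 0),
    SUBS[1]: make_users(2000, 2000),
    SUBS[2]: make_users(2000, 4000) + [NESTED],  # deliberate nesting loop
}

if __name__ == "__main__":
    for dn, row in audit(GROUPS).items():
        print(dn.split(",")[0], row)
    print([len(b) for b in plan_batches(make_users(12000))])
```

Both layouts grant the same 6,000 users whatever the group is used for, so an access review should report the effective count, while the replication concern discussed above tracks only the direct members and their DN lengths.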
