AD: Can you be member of unlimited groups?

How many groups can an Active Directory account be member of?

Is there any hard limit, or do you know of other problems that can arise when you go over a certain number of group memberships?

Background: We have one account that is member of ca. 400 (possibly nested) groups, and we start to see issues in group policy handling for this account.


Solution 1:

No, it's limited to 1015 (including nested groups) due to the size of a principal's security token. Here's an article that discusses AD limits, including group memberships. Have a look at the Group Memberships for Security Principals heading. Here's another KB article that talks about group memberships specifically.

There are exceptions when dealing with domain local groups outside of the domain the principal is a member of. From the KB linked to above:

The only exception to this behavior is that not all domain local security groups that the user is a member of will show up in the user’s token. The only domain local security groups that will show up (in the user’s token) are those groups that the user is a member of that also reside in the domain that contains the computer account that the user is logging on to.

Solution 2:

Note that distribution groups don't factor into these token size limitations being discussed here.

Solution 3:

This thread has a good discussion on the topic. Short answer: 1,015. Longer answer: less, depending on how many groups they belong to are nested within other groups.
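Since Solutions 1 and 3 both put the ceiling at 1,015 groups including nested ones, an administrator with an account like the one in the question will want to measure how many groups actually land in its token. The following PowerShell is an added example, not code from the thread; it reads the DC-computed `tokenGroups` attribute through ADSI, assumes a domain-joined session with the RSAT ActiveDirectory module, and the account name and warning threshold are placeholders.

```powershell
# Added example (not from the thread): report how many security groups land in an
# account's access token by reading the DC-constructed tokenGroups attribute.
# -Limit defaults to the 1,015 figure quoted in the answers above.
function Get-TokenGroupCount {
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [int]$Limit  = 1015,
        [int]$WarnAt = 900          # arbitrary early-warning threshold (assumption)
    )

    Import-Module ActiveDirectory -ErrorAction Stop
    $user  = Get-ADUser -Identity $SamAccountName
    $entry = [ADSI]"LDAP://$($user.DistinguishedName)"

    # tokenGroups is computed by the DC: the SIDs of every security group the
    # account is transitively a member of, as evaluated in that DC's domain.
    # Domain local groups from other domains are not listed (see Solution 1),
    # so query a DC in the domain of the computer the account logs on to.
    $entry.RefreshCache(@('tokenGroups'))

    $groups = foreach ($raw in $entry.Properties['tokenGroups']) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '<unresolved>' }   # e.g. a group from a trusted domain
        [pscustomobject]@{ Sid = $sid.Value; Name = $name }
    }

    $count = @($groups).Count
    if ($count -ge $Limit)      { $status = 'OVER LIMIT' }
    elseif ($count -ge $WarnAt) { $status = 'NEAR LIMIT' }
    else                        { $status = 'OK' }

    [pscustomobject]@{
        Account     = $SamAccountName
        TokenGroups = $count
        Limit       = $Limit
        Status      = $status
        Groups      = $groups
    }
}

# Usage against an account like the ~400-group one in the question
# (placeholder name); pipe .Groups to Format-Table to see each member SID.
# Get-TokenGroupCount -SamAccountName 'svc-example'
```

Because distribution groups never appear in the token (Solution 2), they are absent from `tokenGroups` and do not count toward the total reported here.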