Active Directory User Membership limit

Hi, we are running an Active Directory with several client users including many users having more than 300 memberships. Hence I need to check the membership limit of any particular user in my AD but don’t know how to do that. I’ve searched all over internet but dint found anything working. I need to check the membership limit because I’m afraid that it may cause problems with GPOs, logins, LDAP lookups etc.

SO can anyone please tell me how can I check membership limit of users in my AD? Thanks for all your helps.

Hello Raes, Just go through these Microsoft Articles. I’m sure you will find your answer:

• Problems with Kerberos authentication when a user belongs to many groups http://support.microsoft.com/kb/327825
• Authentication Fails Due to User PAC http://technet.microsoft.com/en-us/l.../cc757478.aspx
• Users who are members of more than 1,015 groups may fail logon authentication http://support.microsoft.com/kb/328889

OK, thanks for the help Bollea. That helped me somewhat in settling maximum limits. But now i have a question. There are many applications running LDAP queries for group membership. Will it affect performance in anyway? I'm asking this because I expect to hit membership in the 600-750 range in the coming months. Please provide your suggestions.

Nothing to worry. You should know that the limit is due to "token bloat" which includes includes SIDs of all security groups of which the user is member of.

Thank you that makes sense. Is there a tool to look at the pac in the token?