Maximum AD Object size?

  • Last Post 21 May 2017
a-ko posted this 12 May 2017

Hey guys,

Is there a recommendation on maximum Object size in AD?

I've heard 8MB floating around. We're looking at extending the schema to include potentially large byte string blobs. I want to limit the size of these but also want to give folks some freedom in what they can do (large images).

User object Picture attribute is limited to 1MB. That's kind of small in modern cases for some stuff we're doing. So I'm wondering what I can get away with here.


a-ko posted this 12 May 2017

Whoops. Rather it's 100KB limited. Not 1MB...


chriss3 posted this 13 May 2017

Yes 8MB~ - choosing a linked attr with DNBinary syntax would be most efficient from a DB (NTDS.dit) perspective (storing the info in the binary part). This will generate a new row in the link table for each value stored, instead of adding to the object's row within the datatable. But if I recall correctly the DRA sets the limit around 8mb, but I could be wrong on that part.


a-ko posted this 13 May 2017

I’ll probably just tell them they’ll need to store that info on their end, or we’ll just use a string value that references the external data they can pull from




Mahdi posted this 13 May 2017

Just wondering what would be the best possible way to find this limit without deep searching on the web? Shall we add items to a multi-valued attribute of an object in a PowerShell loop until it throws an error, then we find the size of that object?

GuyTe posted this 16 May 2017

There might be a downside to using DNWithBinary syntax if recycle bin is not turned on: deleting the value will tombstone the link without freeing up the space.





chriss3 posted this 18 May 2017

Hmm the link-value will stay absent for TSL yes. But will then be physically removed from the DB logged as 1697. How is that different from with Recycle Bin on while the link becomes deactivated?   


GuyTe posted this 18 May 2017

Not different. I assumed that it’s obvious that with RB on the data will stay for TSL in any case.

Without RB, using a non-LVR attribute has an upside of releasing the space the moment the object is deleted.



DonH posted this 18 May 2017

Well, only if bit 0x8 is clear on the searchFlags on the attribute definition in the schema.  Without recycle bin which attribute values are stripped at logical deletion and which stay until tombstone removal is under schema control. DonH 


chriss3 posted this 19 May 2017

Even on linked attrs?  


DonH posted this 19 May 2017

No, good point.  Pre-RB linked attributes were always stripped at logical deletion time, both directions. 
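
The searchFlags bit 0x8 and linked-attribute behaviour discussed above can be read straight from the schema. The PowerShell below is an added example, not part of any poster's reply; it assumes the ActiveDirectory RSAT module, and `thumbnailPhoto`, `jpegPhoto` and `member` are only sample attribute names to swap for your own.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$PreserveOnDelete = 0x8   # searchFlags bit referred to in the thread (fPRESERVEONDELETE in MS-ADTS)
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Sample attribute names (assumption); replace with the attributes you plan to add or reuse.
$names = 'thumbnailPhoto', 'jpegPhoto', 'member'

$report = foreach ($name in $names) {
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" `
        -Properties lDAPDisplayName, searchFlags, linkID, attributeSyntax, rangeUpper
    if (-not $attr) { Write-Warning "$name not found in schema"; continue }

    $flags  = [int]$attr.searchFlags      # unset searchFlags reads as $null, which casts to 0
    $linked = [bool]$attr.linkID          # a non-zero linkID marks a linked attribute

    # Behaviour without Recycle Bin, as described by the posters above.
    $onDelete = if ($linked) {
        'linked: stripped at logical deletion, searchFlags not consulted'
    } elseif ($flags -band $PreserveOnDelete) {
        'bit 0x8 set: value stays on the tombstone until tombstone removal'
    } else {
        'bit 0x8 clear: value stripped at logical deletion'
    }

    [pscustomobject]@{
        Attribute   = $attr.lDAPDisplayName
        Syntax      = $attr.attributeSyntax   # 2.5.5.7 is Object(DN-Binary)
        RangeUpper  = $attr.rangeUpper        # schema-enforced size cap, empty if none
        Linked      = $linked
        SearchFlags = '0x{0:X}' -f $flags
        OnDelete    = $onDelete
    }
}
$report | Format-Table -AutoSize -Wrap

# Every non-linked attribute with bit 0x8 set, using the LDAP bitwise-AND matching rule.
Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=attributeSchema)(!(linkID=*))(searchFlags:1.2.840.113556.1.4.803:=8))' `
    -Properties lDAPDisplayName |
    Sort-Object lDAPDisplayName |
    Select-Object -ExpandProperty lDAPDisplayName
```

The queries only read the schema naming context, so they can be run with an ordinary domain user account before any schema extension is committed.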


GuyTe posted this 21 May 2017

My bad. Do not know what I was thinking…