Practical limit on groups in AD

active-directory

Our company is trying to rethink our approach to managing permissions among employees for access to project files in our domain. We're considering creating a new AD Group for each office project and then adding users to the groups as employees work on projects. (Right now, user accounts are individually added or removed from relevant project folders by a script when they join or leave a project.)

The concern is that we have ~300 new projects a year, so there would potentially be thousands of these groups. Also, users may work on many projects over the years, so each user would potentially be a member of hundreds of groups.

Are either of those numbers a concern? We don't want to create a situation that causes the domain controller to struggle or push the limits of AD.

Best Answer

You don't really define your replication topology, which can come into play here. Assuming you have a single site with all DCs in the same LAN, replication won't be your issue. Simply having thousands of groups normally isn't a problem, unless you have severe restrictions on replication (like you do it across the country over two soup cans and a piece of string).

The problem that you may face is that a user's access token can only contain 1024 SIDs. Once the user is a member of about 1000 groups, some SIDs can't be added to the token, which will cause an access failure when trying to use a resource that requires that token.

In short, if you have a user being a member of 1,000 groups you'll have problems. If not, you're fine.

This TechNet article covers the problem pretty well and this Microsoft document explains it in depth (warning: word document direct link).
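As an added example (not part of the original answer), the PowerShell script below audits every user in the domain for how many group SIDs would land in their access token, so the ~1000 problem described above can be caught before anyone hits an access failure. It reads the constructed `tokenGroups` attribute, which expands nested and domain-local group membership, rather than counting direct `memberOf` entries. The script uses only the .NET `System.DirectoryServices` classes, so it needs no RSAT module; the search base defaults to the current domain, and the warning threshold (800) is an assumed value chosen to give headroom below the limit.

```powershell
# Added example: report users whose effective group count approaches the
# access-token SID limit discussed in the answer. Run on a domain-joined host
# as an account that can read user objects. The threshold is an assumption.
param(
    [int]$WarnAt = 800,                                            # assumed warning level
    [string]$SearchBase = ([ADSI]"LDAP://RootDSE").defaultNamingContext
)

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
$searcher.Filter     = "(&(objectCategory=person)(objectClass=user))"
$searcher.PageSize   = 1000                                        # paged search for large domains
[void]$searcher.PropertiesToLoad.Add("sAMAccountName")

$report = foreach ($result in $searcher.FindAll()) {
    $entry = $result.GetDirectoryEntry()
    # tokenGroups is computed by the DC on request; RefreshCache fetches it
    # for this object only (it cannot be used in an LDAP filter).
    $entry.RefreshCache(@("tokenGroups"))
    $sidCount = $entry.Properties["tokenGroups"].Count

    [pscustomobject]@{
        User      = [string]$entry.Properties["sAMAccountName"].Value
        GroupSIDs = $sidCount
        Status    = if ($sidCount -ge 1000)    { "OVER-LIMIT" }
                    elseif ($sidCount -ge $WarnAt) { "WARNING" }
                    else                       { "OK" }
    }
}

# Show the users closest to the limit first; pipe to Export-Csv for a full report.
$report | Sort-Object GroupSIDs -Descending | Select-Object -First 25 | Format-Table -AutoSize
```

Two caveats when reading the numbers: `tokenGroups` does not include the well-known SIDs (Everyone, Authenticated Users, and so on) or any SID history entries that also occupy slots in the token, so the true count is slightly higher than reported; and Kerberos tickets have their own size ceiling (the MaxTokenSize setting), which can cause logon or authentication failures well before a user reaches 1000 groups, so treat the 800 warning level as a starting point rather than a safe value.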