Article ID: 271876 - Last Review: March 1, 2007 - Revision: 2.3
Large Numbers of ACEs in ACLs Impair Directory Service Performance
This article was previously published under Q271876
SUMMARY
The performance of Active Directory can be severely impaired by an overly complex access control policy. For maximum performance, you should minimize the number of Active Directory objects to which you assign specific access control lists (ACLs), and minimize the number of entries in each object's access control list.
If you encounter a performance problem with Active Directory after changing permissions, or if you are planning to change permissions on Active Directory, use the following guidelines to design your permission structure to minimize the performance impact.
MORE INFORMATION
ACLs on directory service objects allow very granular access control by supporting the following access control features:
Although complex access control is sometimes required to support business security policy, use of complex access control may result in ACLs with very large numbers of permission entries. To illustrate, an individual permission entry is created for each of the following types of permissions:
The cost in computing resources (the hard disk and the CPU) of performing an access check on an object is directly proportional to the number of ACEs in the ACL on that object. Because a search typically must perform access checks against a number of objects, the total cost of access checking during a search rises very quickly with the number of ACEs on each object searched. When the number of ACEs is very large, the performance of access checks may be reduced to an undesirable level.
A second, less obvious problem occurs with caching. Parts of the Active Directory database are cached in physical memory. When objects are cached, their security descriptors are cached as well. If the security descriptors on many objects in the database are large, fewer objects will be cached, and overall directory performance may suffer as a result of fewer cache hits.
Use the following guidelines, listed in order of importance, to minimize the number of permission entries on a Directory Service object ACL:
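Before applying the guidelines, it helps to measure where ACE counts are already high. The following script is an added example, not part of the original article or a Microsoft tool: it reads the nTSecurityDescriptor attribute of every object under a search base and reports the objects whose ACLs exceed a threshold, separating explicit entries from inherited ones. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the account running it can read the objects; the default search base and the threshold of 50 are assumptions you should adjust.

```powershell
# Added example (not from the KB article): report Active Directory objects whose
# security descriptors carry many ACEs, so that access-check and cache cost can be
# traced to specific objects before the permission structure is redesigned.
param(
    [string]$SearchBase = (Get-ADDomain).DistinguishedName,   # assumption: current domain
    [int]$Threshold = 50                                        # assumption: reporting cutoff
)

Import-Module ActiveDirectory

# nTSecurityDescriptor is returned as an ActiveDirectorySecurity object; its access
# rules correspond one-to-one with the ACEs in the object's DACL.
$objects = Get-ADObject -Filter * -SearchBase $SearchBase -SearchScope Subtree `
    -Properties nTSecurityDescriptor

$report = foreach ($obj in $objects) {
    $sd = $obj.nTSecurityDescriptor
    if ($null -eq $sd) { continue }
    # Include both explicit and inherited rules; resolve identities as SIDs so that
    # unresolvable (orphaned) trustees do not abort the enumeration.
    $aces = @($sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]))
    # Explicit ACEs are set directly on this object; inherited ACEs come from parent
    # containers. Both are evaluated during an access check on this object.
    $explicit  = @($aces | Where-Object { -not $_.IsInherited }).Count
    $inherited = @($aces | Where-Object { $_.IsInherited }).Count
    [pscustomobject]@{
        DistinguishedName = $obj.DistinguishedName
        ObjectClass       = $obj.ObjectClass
        TotalAces         = $aces.Count
        ExplicitAces      = $explicit
        InheritedAces     = $inherited
    }
}

# Objects at or above the threshold, largest first: candidates for replacing
# per-user entries with group entries or for moving permissions up to a container.
$report | Where-Object { $_.TotalAces -ge $Threshold } |
    Sort-Object TotalAces -Descending |
    Format-Table DistinguishedName, ObjectClass, TotalAces, ExplicitAces, InheritedAces -AutoSize

# How many objects carry their own explicit entries, i.e. how many distinct ACLs
# the directory has to store in its cache and evaluate separately.
$withExplicit = @($report | Where-Object { $_.ExplicitAces -gt 0 }).Count
"{0} of {1} objects carry explicit ACEs" -f $withExplicit, @($report).Count
```

Run it against a single OU first; a full-domain subtree search with nTSecurityDescriptor retrieved for every object is itself a heavy query on a large directory.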
Other Best Practices: