Active Directory object size error 0x00002070 fix
This error shows up when AD can't save an object because it's too big. Most often it's a group membership or attribute bloat issue, not a hardware problem.
1. Group membership bloat — the most common culprit
Had a client last month whose entire print queue died because of this error. Their security group for the accounting department had 5,300 members. Active Directory has a hard limit — a single group can't have more than roughly 5,000 members in a single attribute fetch. But the real limit is on the member attribute total size: 1 MB. With each SID and DN eating around 100–200 bytes, you hit the wall around 5,000–15,000 members depending on name lengths.
This error 0x00002070 pops up when you try to add another member, or when replication tries to sync that group. The event log usually shows NTDS or Directory Service warnings.
How to fix it
- Identify the bloated group. Run this in PowerShell as Domain Admin:

```powershell
# Lists every group whose member attribute already holds more than 4,000 values
Get-ADGroup -Filter * -Properties member |
    Where-Object { $_.member.Count -gt 4000 } |
    Select-Object Name, @{N='MemberCount'; E={ $_.member.Count }}
```

- Break up the group. Create multiple nested groups. Example: instead of one "All Sales" group, make "Sales East" (1,200 members), "Sales West" (1,500), "Sales Central" (800). Then create a universal group "All Sales" that contains those three. This spreads the member attribute across multiple objects.
- Move static members to a distribution group. If the group doesn't need security permissions, convert it to a distribution group. Those don't have the same replication load — though the attribute size limit still applies.
- Use a linked group policy instead of direct membership. For things like printer permissions, create a group and add it to the GPO security filtering, then nest your big group inside. The GPO itself references the group by SID, not by member list.
Quick test: After breaking up the group, try adding a member to the original group. If the error is gone, you've nailed it.
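The break-up step above, scripted as an added example that is not part of the original article: it reads the source group's member attribute, carves it into child groups, and nests each child back into the original. The group name, target OU, chunk size and batch size are assumptions.

```powershell
# Added example, not from the original article: split one bloated group into
# nested child groups. Group name, OU, chunk size and batch size are assumptions.
Import-Module ActiveDirectory

$SourceGroup = 'All Sales'                    # assumed: the group hitting 0x00002070
$TargetOU    = 'OU=Groups,DC=example,DC=com'  # assumed: where child groups are created
$ChunkSize   = 1500                           # assumed: members per child, well under the limit
$BatchSize   = 500                            # keep each LDAP modify small

# Read the member attribute itself: unlike Get-ADGroupMember it is not capped
# at 5,000 entries by the ADWS MaxGroupOrMemberEntries default.
$group   = Get-ADGroup -Identity $SourceGroup -Properties member
$members = @($group.member)
if ($members.Count -eq 0) { throw "$SourceGroup has no direct members" }

$chunks = [math]::Ceiling($members.Count / $ChunkSize)
for ($i = 0; $i -lt $chunks; $i++) {
    $childName = '{0} - Part {1:D2}' -f $SourceGroup, ($i + 1)
    $last  = [math]::Min(($i + 1) * $ChunkSize, $members.Count) - 1
    $slice = $members[($i * $ChunkSize)..$last]

    # Reuse the child if a previous run already created it
    $child = Get-ADGroup -LDAPFilter "(name=$childName)" -SearchBase $TargetOU
    if (-not $child) {
        $child = New-ADGroup -Name $childName -GroupScope Global -GroupCategory Security `
                             -Path $TargetOU -PassThru
    }

    for ($j = 0; $j -lt $slice.Count; $j += $BatchSize) {
        $batch = $slice[$j..([math]::Min($j + $BatchSize, $slice.Count) - 1)]
        Add-ADGroupMember -Identity $child -Members $batch
        # Free space in the source group's member attribute before nesting the child;
        # access is restored through the child once it is added below, so run this
        # in a maintenance window.
        Remove-ADGroupMember -Identity $group -Members $batch -Confirm:$false
    }
    Add-ADGroupMember -Identity $group -Members $child
    Write-Host ("{0}: {1} members moved" -f $childName, $slice.Count)
}
```

After the run, the original group holds only the child groups as direct members, which is what the quick test above checks.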
2. Corrupted or oversized attribute values
Sometimes it's not the member count — it's one crazy attribute. I've seen a case where a user's thumbnailPhoto attribute had a 12 MB JPEG stuck in it. Active Directory objects have a per-attribute size limit of about 1 MB for most attributes. Some, like msExchMailboxSecurityDescriptor, can get bloated after many permission changes.
This error triggers when you try to replicate that object to another DC. The source DC tries to send 12 MB of photo data, the destination DC says "nope, that's over the limit."
How to find and fix oversized attributes
- Identify the object. Look for replication failure events (source: NTDS KCC, event ID 1864 or 1988). They'll tell you the object GUID.
- Use ADSI Edit to browse to that object. Right-click → Properties → filter for the attribute that's likely oversized. ADSI Edit doesn't show value sizes, so use the PowerShell check in the next step to find the large one.
- PowerShell attribute size check:

```powershell
# Pull every attribute for one user, then list the binary ones larger than 100 KB
$obj = Get-ADUser -Identity 'username' -Properties *
$obj.PSObject.Properties |
    Where-Object { $_.Value -is [byte[]] } |
    Select-Object Name, @{N='SizeKB'; E={ [math]::Round($_.Value.Length / 1KB, 2) }} |
    Sort-Object SizeKB -Descending |
    Where-Object SizeKB -gt 100
```

- Clear or shrink the attribute. If it's a photo, delete it and re-add a compressed JPEG under 500 KB. If it's a security descriptor, you might need to reset permissions on the object. Use ADSI Edit to edit the attribute directly — but be careful. One wrong move and you'll break Exchange or something.
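The per-user check above only works once you know which user to look at. As an added example that is not part of the original article, this sweep runs the same size test across all users for the attributes the section names (thumbnailPhoto and msExchMailboxSecurityDescriptor) and clears oversized photos with -WhatIf so nothing changes until you remove it. The search base, attribute list and threshold are assumptions.

```powershell
# Added example, not from the original article: sweep every user for oversized
# single-valued binary attributes and optionally clear photos. Search base,
# attribute list and threshold are assumptions; drop msExchMailboxSecurityDescriptor
# from the list if the forest has no Exchange schema (Get-ADUser rejects unknown properties).
Import-Module ActiveDirectory

$SearchBase  = 'DC=example,DC=com'
$Attributes  = 'thumbnailPhoto', 'msExchMailboxSecurityDescriptor'
$ThresholdKB = 100

function Get-AttributeByteLength($Value) {
    # Binary attributes arrive as byte[]; security-descriptor syntax attributes
    # come back as an ObjectSecurity-derived object, so take its binary form
    if ($Value -is [byte[]]) { return $Value.Length }
    if ($Value -is [System.Security.AccessControl.ObjectSecurity]) {
        return $Value.GetSecurityDescriptorBinaryForm().Length
    }
    return [Text.Encoding]::UTF8.GetByteCount([string]$Value)
}

# Request only the attributes of interest; -Properties * across a domain is slow
$hits = Get-ADUser -Filter * -SearchBase $SearchBase -Properties $Attributes |
    ForEach-Object {
        $user = $_
        foreach ($attr in $Attributes) {
            if ($null -eq $user.$attr) { continue }
            $bytes = Get-AttributeByteLength $user.$attr
            if ($bytes -gt $ThresholdKB * 1KB) {
                [pscustomobject]@{
                    DistinguishedName = $user.DistinguishedName
                    Attribute         = $attr
                    SizeKB            = [math]::Round($bytes / 1KB, 2)
                }
            }
        }
    }

$hits | Sort-Object SizeKB -Descending | Format-Table -AutoSize

# Photos can simply be cleared and re-added compressed; a bloated security
# descriptor needs its permissions reset instead, so it is only reported above.
$hits | Where-Object Attribute -eq 'thumbnailPhoto' | ForEach-Object {
    Set-ADUser -Identity $_.DistinguishedName -Clear thumbnailPhoto -WhatIf   # remove -WhatIf to apply
}
```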
If you can't identify the object, enable diagnostic logging for LDAP queries. Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics\15 Field Engineering to 5. Reproduce the error, then check the Directory Service log.
3. Group Policy Object (GPO) size exceeded
This one's sneaky. The error might say "object" — but it's really the GPO's internal storage. A GPO is stored as an object in the GPT (Group Policy Template) in SYSVOL, plus an object in Active Directory. The AD part can't exceed 1 MB either. If your GPO has hundreds of registry settings, preferences, or scripts, it can blow past that.
Had a client where a single GPO contained 800 registry preference items — blocking USB drives, disabling auto-run, the works. When they tried to edit it, boom — the error.
How to fix GPO size issues
- Check GPO size. On a Domain Controller, run:

```powershell
# Sums the files in each GPO's Group Policy Template under SYSVOL, where the
# registry.pol and preference XML settings are stored
Get-GPO -All | ForEach-Object {
    $gpt   = "\\$($_.DomainName)\SYSVOL\$($_.DomainName)\Policies\{$($_.Id)}"
    $bytes = (Get-ChildItem -Path $gpt -Recurse -File -ErrorAction SilentlyContinue |
              Measure-Object -Property Length -Sum).Sum
    [pscustomobject]@{
        DisplayName = $_.DisplayName
        GptSizeKB   = [math]::Round($bytes / 1KB, 2)
    }
} | Sort-Object GptSizeKB -Descending
```

Better yet, use the GPResult HTML report — it shows which GPOs are large.
- Split the GPO. Break the monster into multiple GPOs by function. Put registry settings in one GPO, security settings in another, scripts in a third. This keeps each under the size limit.
- Use ADM/ADMX templates wisely. Instead of 50 individual registry items, create a single administrative template policy file. That compresses down to one blob.
- Delete unused policy entries. Open the GPO in Group Policy Management Editor. Go through Computer Configuration > Preferences > Registry — clean out anything that's stale or no longer needed.
Rule of thumb: If your GPO has more than 200 preference items, it's time to split. The error usually kicks in around 400–500 items depending on the data.
Quick-reference summary
| Cause | Symptom | Fix |
|---|---|---|
| Group membership bloat | Error when adding member or during replication | Break group into nested groups or distribution group |
| Oversized attribute (e.g., photo, security descriptor) | Replication failures, event ID 1864/1988 | Identify and shrink/clear the attribute via PowerShell or ADSI Edit |
| GPO size exceeded | Error when editing or applying GPO | Split GPO into multiple smaller GPOs by function |
Most of the time, it's the group membership. Check that first. If you're still stuck after trying these, check the msExchMailboxSecurityDescriptor attribute on mail-enabled objects — that's a common hidden bloat source in Exchange environments.