Update 17/8: apparently my explanation was not that clear so I added some extra details
An important thing to remember is the fact that SharePoint scales through the use of site collections. So if you have a fairly large implementation of SharePoint you will be typically using multiple site collections.
One of the things which has caused some serious problems in the past – but is not that clearly documented is the 2000 security prinicipals limit per site collection.
If you read through Plan for software boundaries – you see this
|Security principal|| |
Approximately 2,000 per ACL (Access Control List) on any securable object (scope)
The total size of the ACL on scopes can be no larger than 64kb. Because each security principal is approximately 32 bytes in size, there can be no more than approximately 2,000 security principals or less for each scope. If this limit is reached, indexing of items in that scope, and all items below that scope, to fail.
Also, because SharePoint Groups are expanded during the indexing process, having more than 2,000 users or Directory Groups in a SharePoint group and using that group for securing scopes may cause indexing of items secured with these groups, and all items below them, to fail.
The scope they are talking about is according to me - site collection level. Every time you secure something in a site collection – meaning you assign a security principal (for developers –a SPPrincipal object) with it’s permissions set to a site, or a specific library/list or even to an individual document/item, an entry is added to a list of security principlas at site collection level. It is this list of security principals which has a limit of 2000 entries.
So no troubles if you are using 40 distinct Active Directory groups all over the places to assign security in thousands of individual documents – but when you are using more then 2000 individual users which are assigned a permission directly in one or more places within a site collection – you will get into trouble. There is no problem with Active Directory groups who contain thousands of individual AD users since they are not expanded.
The article only states problems when crawling but I also noticed some performance issues on SQL Server level where we needed to put in some extra processing power.