Access token exceeds the maximum limit

What does this mean and how can I increase the limit?

User is getting "access token exceeds the maximum limit". We were removing global groups from AD, but that doesn't always fix the problem. Is there a way to increase this limit and if so, where can I do this? In the registry for the local user? What if they go to another computer, is there a way to make this stop happening?
rdrunna Asked:


Will Szymkowski, Senior Solution Architect, Commented:
There is a limit of 1015 groups that a user can be part of. I would suggest you take a look at the Microsoft KB article below which outlines your issue.

Limitations TechNet
https://technet.microsoft.com/en-us/library/active-directory-maximum-limits-scalability(v=ws.10).aspx

Access Token Maximum Limit KB
http://support.microsoft.com/en-us/kb/328889

Will.
0

rdrunna (Author) Commented:
What if there are fewer than 1015? As well, someone shared with me that this was the message they got:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxTokenSize

Can the token size be changed?

It's frustrating....
0
footech Commented:
The token size can be changed, up to a limit.  Here's a KB that shows how you can deploy changes to this registry key.
http://support.microsoft.com/en-us/kb/938118
Without increasing the default token size, the number of groups a user can belong to is much less than 1015.

You might also check out this article.
http://blogs.technet.com/b/ashleymcglone/archive/2011/05/19/using-powershell-to-resolve-token-size-issues-caused-by-sid-history.aspx
It includes a number of good links which describe the problem, and some methods for alleviating it.
0
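As an added example (not code posted in this thread), the PowerShell below applies Microsoft's token-size estimate from KB 327825 (TokenSize = 1200 + 40d + 8s) to constructed group counts and compares the result with the MaxTokenSize value at the registry path quoted above. The group counts are made up; the KB number and the OS defaults (12000 bytes before Windows 8 / Server 2012, 48000 after) are not taken from this thread.

```powershell
# Added example (not from the thread): estimate a user's Kerberos token size with the
# KB 327825 formula TokenSize = 1200 + 40*d + 8*s and compare it with MaxTokenSize.
#   d = domain local groups + universal groups outside the account domain + SIDHistory entries
#   s = global groups + universal groups inside the account domain
function Get-EstimatedTokenSize {
    param(
        [int]$DomainLocalGroups,
        [int]$UniversalGroupsOutsideDomain,
        [int]$SidHistoryEntries,
        [int]$GlobalGroups,
        [int]$UniversalGroupsInDomain
    )
    $d = $DomainLocalGroups + $UniversalGroupsOutsideDomain + $SidHistoryEntries
    $s = $GlobalGroups + $UniversalGroupsInDomain
    return 1200 + (40 * $d) + (8 * $s)
}

# Read the effective MaxTokenSize from the key quoted in the thread. If the value is not set,
# fall back to the OS default (12000 bytes before Windows 8 / Server 2012, 48000 bytes after).
function Get-MaxTokenSize {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $value = (Get-ItemProperty -Path $key -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize
    if ($null -ne $value) { return [int]$value }
    if ([Environment]::OSVersion.Version -ge [Version]'6.2') { return 48000 }
    return 12000
}

# Constructed sample: a migrated user with a large SIDHistory and many domain local groups.
# Expected estimate: 1200 + 40*(150+20+80) + 8*(300+40) = 13920 bytes, over the old 12000 default.
$estimate = Get-EstimatedTokenSize -DomainLocalGroups 150 -UniversalGroupsOutsideDomain 20 `
    -SidHistoryEntries 80 -GlobalGroups 300 -UniversalGroupsInDomain 40
$max = Get-MaxTokenSize

"Estimated token size   : $estimate bytes"
"Configured MaxTokenSize: $max bytes"
if ($estimate -ge $max) {
    # Domain local and SIDHistory entries cost 40 bytes each versus 8 for global groups,
    # so cleaning those up usually helps more than removing global groups.
    "Token bloat likely: reduce domain local groups or SIDHistory before raising MaxTokenSize."
} else {
    "Headroom: $($max - $estimate) bytes"
}
```

For a real user the counts would come from the account's memberOf and sIDHistory attributes (for example via Get-ADUser from the RSAT Active Directory module); that lookup is left out so the sample runs without a domain.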

Will Szymkowski, Senior Solution Architect, Commented:
Personally I have not made that change so you might want to make that change in a test environment before implementing it in production.

Will.
0
rdrunna (Author) Commented:
Hi Footech:

I like your articles; thank you.  On the SID for a single user to find out their history, is there a script that can run locally on their desktop to get the results?

Once we get these results are there steps as to how to clean this up?

I want to try and just do it for this user and if it works, then we can expand.

Thank you in advance for your help.

I also noticed in the blogs.technet article they mentioned ntdsutil and choosing group membership evaluation; can this tool also be used on the local machine?

How do I get this tool? I want to make sure I clearly understand where I do this and what the repercussions may be.  Thank you.
0
footech Commented:
Was your domain migrated in the past?  If not you won't have SIDhistory.  For a single user you could just look at their properties using a variety of methods - ADUC, ADSI Edit, scripting...  I don't think I see any point in a script that each user would run from their desktop.

Ashley McGlone has a whole series of articles dealing with this (the Technet blog I linked to is just the first one - follow the link at the top of that article to see the rest in the series).  It is much more thorough in the steps than I could be.

This page describes the requirements and usage for running ntdsutil.  You can run it from a desktop if you have the right RSAT tools installed.  Otherwise run it from a domain controller.  Running the commands as instructed just creates a .TSV file which you can view.
https://technet.microsoft.com/en-us/library/cc733025(WS.10).aspx
0