Access token exceeds the maximum limit

What does this mean and how can I increase the limit?

User is getting "access token exceeds the maximum limit". We were removing global groups from AD, but that doesn't always fix the problem. Is there a way to increase this limit and if so, where can I do this? In the registry for the local user? What if they go to another computer, is there a way to make this stop happening?
Asked by rdrunna

Will Szymkowski (Senior Solution Architect) commented:
There is a limit of 1015 groups that a user can be part of. I would suggest you take a look at the Microsoft KB article below, which outlines your issue.

Limitations TechNet
https://technet.microsoft.com/en-us/library/active-directory-maximum-limits-scalability(v=ws.10).aspx

Access Token Maximum Limit KB
http://support.microsoft.com/en-us/kb/328889

Will.

rdrunna (author) commented:
What if there are fewer than 1015? As well, someone shared with me that this was the message they got:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxTokenSize

Can the token size be changed?

It's frustrating....

footech commented:
The token size can be changed, up to a limit.  Here's a KB that shows how you can deploy changes to this registry key.
http://support.microsoft.com/en-us/kb/938118
Without increasing the default token size, the number of groups a user can belong to is much less than 1015.

You might also check out this article.
http://blogs.technet.com/b/ashleymcglone/archive/2011/05/19/using-powershell-to-resolve-token-size-issues-caused-by-sid-history.aspx
It includes a number of good links which describe the problem, and some methods for alleviating it.
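As an added example (not from this thread, the KB, or any script of the participants), the following PowerShell reports the effective MaxTokenSize on the local machine and, only when asked, writes a new value to the registry path quoted above. The OS defaults it assumes (12000 bytes before Windows 8 / Server 2012, 48000 from then on) and the 65535-byte ceiling are Microsoft's documented values for this setting; the 48000 recommendation exists because larger tokens can fail when Kerberos is carried in HTTP headers.

```powershell
# Added example, not part of the thread. Reports the effective Kerberos
# MaxTokenSize on this machine and optionally changes it. Run in an elevated
# PowerShell; users must log off and on (or reboot) before a new value applies.
# Deploying the same value by Group Policy (as in KB 938118, or the native
# "Set maximum Kerberos SSPI context token buffer size" setting on 2012 and later)
# is preferable to editing each machine by hand.
param(
    [int]$NewSize = 0,     # e.g. 48000; leave at 0 to only report
    [switch]$Apply         # without -Apply nothing is written
)

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$valueName = 'MaxTokenSize'

# 65535 is the documented hard ceiling; values above 48000 can break Kerberos over HTTP.
if ($NewSize -ne 0 -and ($NewSize -lt 12000 -or $NewSize -gt 65535)) {
    throw "NewSize must be between 12000 and 65535 bytes (48000 is the usual choice)."
}

# Default used when the value is absent: 12000 before Windows 8 / Server 2012 (6.2), 48000 after.
$osDefault = if ([Environment]::OSVersion.Version -ge [Version]'6.2') { 48000 } else { 12000 }

$current   = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
$effective = if ($null -ne $current) { $current } else { $osDefault }

[PSCustomObject]@{
    Computer        = $env:COMPUTERNAME
    ConfiguredValue = if ($null -ne $current) { $current } else { '(not set)' }
    EffectiveValue  = $effective
    OsDefault       = $osDefault
}

if ($NewSize -gt 0 -and $Apply) {
    if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    # MaxTokenSize is a REG_DWORD; -Force overwrites an existing value.
    New-ItemProperty -Path $regPath -Name $valueName -PropertyType DWord -Value $NewSize -Force | Out-Null
    Write-Output "$valueName set to $NewSize (was $effective). Log off and back on for it to take effect."
}
elseif ($NewSize -gt 0) {
    Write-Output "Would set $valueName to $NewSize; re-run with -Apply to write it."
}
```

Run it with no parameters on the affected desktop to see whether the value is set at all; note that raising it on one machine does nothing for the user's logons elsewhere, which is why the policy-based deployment in the KB is the practical answer to "what if they go to another computer".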
Will Szymkowski (Senior Solution Architect) commented:
Personally I have not made that change so you might want to make that change in a test environment before implementing it in production.

Will.

rdrunna (author) commented:
Hi Footech:

I like your articles; thank you.  On the SID for a single user, to find out their history, is there a script that can run locally on their desktop to get the results?

Once we get these results are there steps as to how to clean this up?

I want to try and just do it for this user and if it works, then we can expand.

Thank you in advance for your help.

I also noticed in the blogs.technet article they mentioned ntdsutil and choosing group membership evaluation; can this tool also be used on the local machine?

How do I get this tool? I want to make sure I clearly understand where I do this and what the repercussions may be.  Thank you.

footech commented:
Was your domain migrated in the past?  If not you won't have SIDhistory.  For a single user you could just look at their properties using a variety of methods - ADUC, ADSI Edit, scripting...  I don't think I see any point in a script that each user would run from their desktop.

Ashley McGlone has a whole series of articles dealing with this (the Technet blog I linked to is just the first one - follow the link at the top of that article to see the rest in the series).  It is much more thorough in the steps than I could be.

This page describes the requirements and usage for running ntdsutil.  You can run it from a desktop if you have the right RSAT tools installed.  Otherwise run it from a domain controller.  Running the commands as instructed just creates a .TSV file which you can view.
https://technet.microsoft.com/en-us/library/cc733025(WS.10).aspx
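As an added example (not from the thread and not one of Ashley McGlone's scripts), here is a PowerShell check for a single user that an administrator can run from a domain-joined workstation with the ActiveDirectory RSAT module: it lists the user's SIDHistory entries, reads the full set of SIDs the user receives in a token (the constructed tokenGroups attribute, which includes nested groups that memberOf does not show), and applies the sizing formula from Microsoft KB 327825 (TokenSize = 1200 + 40d + 8s) to estimate whether the token exceeds the MaxTokenSize in force on the machine it runs on. The account name jdoe is a placeholder; the cross-domain handling is a conservative assumption noted in the comments.

```powershell
# Added example, not from the thread. Estimates one user's Kerberos token size and
# shows SIDHistory. Needs the ActiveDirectory module (RSAT) and read access to AD.
# KB 327825 formula: TokenSize = 1200 + 40*d + 8*s
#   d = domain local groups + universal groups from other domains (40 bytes each)
#   s = global groups + universal groups in the user's own domain + SIDHistory entries (8 bytes each)
param([string]$SamAccountName = 'jdoe')   # 'jdoe' is a placeholder account

Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName -Properties sidHistory
$domainOf = { param($dn) ($dn -split ',(?=DC=)', 2)[1] }   # 'CN=x,OU=y,DC=a,DC=b' -> 'DC=a,DC=b'
$userDomain = & $domainOf $user.DistinguishedName

# tokenGroups lists every group SID the user gets in a token, nested groups included.
# It is a constructed attribute, so it must be requested explicitly.
$adsiUser = [ADSI]"LDAP://$($user.DistinguishedName)"
$adsiUser.GetInfoEx(@('tokenGroups'), 0)
$raw = $adsiUser.Get('tokenGroups')
if ($raw -is [byte[]]) { $raw = ,$raw }   # a single value comes back as one byte[] rather than a list
$tokenSids = foreach ($bytes in $raw) { New-Object System.Security.Principal.SecurityIdentifier($bytes, 0) }

$d = 0; $s = 0; $unresolved = @()
foreach ($sid in $tokenSids) {
    $group = Get-ADGroup -Identity $sid.Value -ErrorAction SilentlyContinue
    if (-not $group) {
        # Groups from other domains or forests do not resolve against the local domain.
        # Assumption: count them at the larger 40-byte size so the estimate stays conservative.
        $unresolved += $sid.Value; $d++; continue
    }
    switch ($group.GroupScope) {
        'DomainLocal' { $d++ }
        'Global'      { $s++ }
        'Universal'   { if ((& $domainOf $group.DistinguishedName) -eq $userDomain) { $s++ } else { $d++ } }
    }
}
$sidHistory = @($user.sidHistory | ForEach-Object { $_.Value })
$s += $sidHistory.Count

$estimate = 1200 + 40 * $d + 8 * $s

# Compare with the MaxTokenSize in force on this machine (OS default when the value is absent).
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$max = (Get-ItemProperty -Path $regPath -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize
if ($null -eq $max) { $max = if ([Environment]::OSVersion.Version -ge [Version]'6.2') { 48000 } else { 12000 } }

[PSCustomObject]@{
    User                  = $user.SamAccountName
    TokenGroups           = @($tokenSids).Count
    DomainLocalOrForeign  = $d
    GlobalOrOwnUniversal  = $s - $sidHistory.Count
    SidHistoryEntries     = $sidHistory.Count
    EstimatedTokenBytes   = $estimate
    MaxTokenSizeHere      = $max
    ExceedsLimit          = $estimate -gt $max
    UnresolvedSids        = $unresolved -join ';'
}
$sidHistory | ForEach-Object { "SIDHistory: $_" }
```

The estimate explains how a user with well under 1015 groups still overflows the default 12000-byte token: domain local and foreign universal groups cost 40 bytes each, so a few hundred of them are enough, and every SIDHistory entry adds to the count even though it is not a group at all. A non-empty SIDHistory list on a never-migrated domain is itself worth investigating, since nothing legitimate should be writing that attribute.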