Access token exceeds the maximum limit

What does this mean and how can I increase the limit?

User is getting "access token exceeds the maximum limit". We were removing global groups from AD, but that doesn't always fix the problem. Is there a way to increase this limit and, if so, where can I do this? In the registry for the local user? What if they go to another computer; is there a way to make this stop happening?
Will Szymkowski (Senior Solution Architect) commented:
There is a limit of 1015 groups that a user can be a member of. I would suggest you take a look at the Microsoft KB article below, which outlines your issue.

Limitations TechNet

Access Token Maximum Limit KB

rdrunna (Author) commented:
What if there are fewer than 1015? Also, someone shared with me the message they got:


Can the token size be changed?

It's frustrating....

The token size can be changed, up to a limit. Here's a KB that shows how you can deploy changes to this registry key.
Without increasing the default token size, the number of groups a user can belong to is much less than 1015.

You might also check out this article.
It includes a number of good links which describe the problem, and some methods for alleviating it.

Will Szymkowski (Senior Solution Architect) commented:
Personally I have not made that change so you might want to make that change in a test environment before implementing it in production.

rdrunna (Author) commented:
Hi Footech:

I like your articles; thank you. On the SID history for a single user, is there a script that can run locally on their desktop to get the results?

Once we get these results are there steps as to how to clean this up?

I want to try and just do it for this user and if it works, then we can expand.

Thank you in advance for your help.

I also noticed that in the blogs.technet article they mentioned ntdsutil and choosing group membership evaluation; can this tool also be used on the local machine?

How do I get this tool? I want to make sure I clearly understand where I do this and what the repercussions may be. Thank you.
Was your domain migrated in the past? If not, you won't have SIDHistory. For a single user you could just look at their properties using a variety of methods: ADUC, ADSI Edit, scripting... I don't see any point in a script that each user would run from their desktop.

Ashley McGlone has a whole series of articles dealing with this (the Technet blog I linked to is just the first one - follow the link at the top of that article to see the rest in the series).  It is much more thorough in the steps than I could be.

This page describes the requirements and usage for running ntdsutil.  You can run it from a desktop if you have the right RSAT tools installed.  Otherwise run it from a domain controller.  Running the commands as instructed just creates a .TSV file which you can view.
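To tie together the two threads above (the MaxTokenSize registry value from the earlier answer, and checking one user's group membership and SIDHistory from this one), here is an added PowerShell example. It is not from the thread, from Microsoft, or from the ntdsutil tool: it reads the user's constructed tokenGroups attribute (the flattened, transitive set of security-group SIDs that end up in the token) plus sidHistory, classifies each group by scope, applies the token-size estimate from Microsoft KB 327825 (1200 + 40d + 8s bytes), and compares the result with the MaxTokenSize the local machine will allow. It assumes a domain-joined machine with the ADSI .NET classes available; the sAMAccountName is a parameter you supply.

```powershell
# Added example (not from the thread): estimate one user's Kerberos token size
# with the KB 327825 formula and compare it with the local MaxTokenSize.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName   # user to inspect, supplied by the caller
)

Add-Type -AssemblyName System.DirectoryServices

# Locate the user in the machine's own domain.
$rootDse  = [ADSI]"LDAP://RootDSE"
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)
$searcher.Filter     = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
$found = $searcher.FindOne()
if (-not $found) { throw "User '$SamAccountName' not found in this domain." }

$user = $found.GetDirectoryEntry()
# tokenGroups is a constructed attribute and must be requested explicitly; it already
# contains nested group memberships, so no recursion over memberOf is needed.
$user.RefreshCache([string[]]@("tokenGroups", "sidHistory", "objectSid"))

$userSid       = New-Object System.Security.Principal.SecurityIdentifier($user.Properties["objectSid"].Value, 0)
$userDomainSid = $userSid.AccountDomainSid

# KB 327825 terms:
#   d = domain local groups + universal groups from other domains + sidHistory SIDs (40 bytes each)
#   s = global groups + universal groups from the user's own domain (8 bytes each)
$sidHistoryCount = $user.Properties["sidHistory"].Count
$d = $sidHistoryCount
$s = 0
$unresolved = 0

foreach ($bytes in $user.Properties["tokenGroups"]) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
    try {
        $group     = [ADSI]("LDAP://<SID=$sid>")
        $groupType = [int]$group.Properties["groupType"].Value
    } catch {
        # Not resolvable from here (for example a trust we cannot reach): count it as the
        # 40-byte kind so the estimate errs on the high side.
        $unresolved++; $d++; continue
    }
    if (($groupType -band 0x4) -or ($groupType -band 0x1)) {   # domain local or builtin local
        $d++
    } elseif ($groupType -band 0x2) {                            # global
        $s++
    } elseif ($groupType -band 0x8) {                            # universal: depends on the domain
        if ($sid.AccountDomainSid -eq $userDomainSid) { $s++ } else { $d++ }
    }
}

$estimatedTokenSize = 1200 + (40 * $d) + (8 * $s)

# MaxTokenSize is a per-machine REG_DWORD. When it is absent Windows uses 12000 bytes
# before Windows 8 / Server 2012 and 48000 bytes from those versions onward.
$regPath      = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"
$maxTokenSize = (Get-ItemProperty -Path $regPath -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize
if (-not $maxTokenSize) {
    $maxTokenSize = if ([Environment]::OSVersion.Version -ge [Version]"6.2") { 48000 } else { 12000 }
}

[PSCustomObject]@{
    User                = $SamAccountName
    TokenGroupSids      = $user.Properties["tokenGroups"].Count
    SidHistoryEntries   = $sidHistoryCount
    UnresolvedSids      = $unresolved
    EstimatedTokenBytes = $estimatedTokenSize
    LocalMaxTokenSize   = $maxTokenSize
    ExceedsLocalLimit   = ($estimatedTokenSize -gt $maxTokenSize)
}
```

Run it from an administrator's workstation as `.\Get-TokenEstimate.ps1 -SamAccountName someuser` (file name is your choice). Two practical points follow from the numbers it prints. First, MaxTokenSize is read by the machine doing the authentication, so it has to be set on every client and server the user touches, which is why the error follows a user to another computer until that computer is configured too; Group Policy is the usual way to push the value, as the KB linked earlier describes. Second, 48000 is the value Microsoft recommends and 65535 is the hard ceiling, but values above 48000 can break Kerberos over HTTP because the base64-encoded ticket no longer fits in the header size IIS accepts, so raising the value buys time while SIDHistory entries and stale group memberships are cleaned up rather than replacing that cleanup.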