We help IT Professionals succeed at work.
Get Started

Kerberos MaxTokenSize and Security Groups

Last Modified: 2016-02-24
One of our users have 500-600 security groups applied to him.  When he tries to log into our Citrix system, he gets an "access denied" error.  The problem turns out to be due to a limit on the default MaxTokenSize within Microsoft Windows Server 2008 R2.  This article explains how to adjust MaxTokenSize to 48000 (not 65535 as previously recommended):


I did notice that it said Microsoft has hardcoded a limit of 1015 groups that a member can have.  I do have a question, though, thus, the reason for this post:  Does nested memberships count?  For example, say I have this structure:

SG for Group A
   Member of SG for Client A
   Member of SG for Client B
   Member of SG for Client C

User XYZ then becomes a member of SG for Group A.  For User XYZ, would that count as 1 SG or 4, i.e., including nested groups?

Otherwise, I need to control access in a different way if I can't use more than 1015 SGs.  Please advise.


John Babbitt
Systems Administrator
Ashland Support Group
Watch Question
Exec Consultant
Distinguished Expert 2019
This problem has been solved!
Unlock 1 Answer and 11 Comments.
See Answer
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE