<div>
Security groups are also security principals, and therefore are uniquely identified by SIDs. A user security principal can be a member of multiple security groups. Consequently, a user’s access token includes SIDs of all groups to which the user is a member. This is a good read and explanation on your query.
<blockquote>
The token evaluation process evaluates groups’ recursively. For example, if User A is a member of Group 1 and Group 1 is a member of Group 2, then a token generated for User A contains SIDs representing both Group 1 and Group 2. In native mode and higher domains, universal, global, and domain local groups are all evaluated recursively. Universal security groups do not exist in mixed mode domains.....<br />
<br />
Since group membership is evaluated recursively, if a user is transitively a member of a group that is nested at 50 levels, that user is also a member of every other group in that hierarchy. The user is also a member of any groups that those groups are members of.
</blockquote>
 <a href="http://blogs.technet.com/b/surama/archive/2009/04/06/kerberos-authentication-problem-with-active-directory.aspx" rel="ugc">http://blogs.technet.com/b/surama/archive/2009/04/06/kerberos-authentication-problem-with-active-directory.aspx</a><br />
<br />
For info, the nested group is mentioned and included in the count as well based on the MS KB on the token size calculation. e.g. TokenSize = 1200 + 40d + 8s 
<blockquote>
This formula uses the following values:<br />
•d: The number of domain local groups a user is a member of plus the number of universal groups outside the user's account domain that the user is a member of plus the number of groups represented in security ID (SID) history.<br />
•s: The number of security global groups that a user is a member of plus the number of universal groups in a user's account domain that the user is a member of.<br />
•1200: The estimated value for ticket overhead. This value can vary, depending on factors such as DNS domain name length, client name, and other factors.
</blockquote>
 As a whole, the problem as MS advised below on possible condition for such issue. Referring to (b), it again stated the nested group included in calculation. MS has a script for calculation and testing if you are keen to test out.<br />
a) when users migrated from AD to AD domain and the SIDHistory (user’s Security ID or SID) is retained from the prior domain to preserve seamless access to resources for the user.<br />
b) if users are added to many security groups, and made exponentially worse when those groups are nested into other group memberships.<br />
<br />
KB issue (calculation) - <a href="https://support.microsoft.com/en-us/kb/327825" rel="ugc">https://support.microsoft.com/en-us/kb/327825</a><br />
definition of various groups - <a href="https://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx" rel="ugc">https://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx</a><br />
script - <a href="https://gallery.technet.microsoft.com/scriptcenter/Check-for-MaxTokenSize-520e51e5" rel="ugc nofollow">https://gallery.technet.microsoft.com/scriptcenter/Check-for-MaxTokenSize-520e51e5</a>
</div>


<div>
&quot;For example, if User A is a member of Group 1 and Group 1 is a member of Group 2, then a token generated for User A contains SIDs representing both Group 1 and Group 2.&quot;<br />
<br />
Keep in mind my question is about the hard limit of 1015 tokens, not MaxTokenSize.<br />
<br />
So, in the above example, it said &quot;a token&quot;, meaning one token, &quot;generated for User A contains SIDs representing <b>both</b> Group 1 and Group 2&quot;. &nbsp;So, one token to represent all nested groups within that group? &nbsp;That would work for me.
</div>


<div>
Noted I understand the token count as SID count. <a href="https://support.microsoft.com/en-gb/kb/328889" rel="ugc">https://support.microsoft.com/en-gb/kb/328889</a><br />
My understanding is also that nested group had each of unique SID hence it is counted as nit as one but the no of nested group inclusively.
<blockquote>
<br />
<br />
When a user logs on to a Windows 2000 domain, the operating system generates an access token. This access token is used to determine which resources the user may access. The user access token includes the following data:<br />
User SID.<br />
SIDs of all global and universal security groups that the user is a member of.<br />
SIDs of all nested global and universal security groups.<br />
<br />
Every process executed on behalf of this user has a copy of this access token.
</blockquote>
<a href="https://msdn.microsoft.com/en-us/library/windows/desktop/ms676928%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396" rel="ugc">https://msdn.microsoft.com/en-us/library/windows/desktop/ms676928%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396</a>
</div>


<div>
That's a bummer. &nbsp;My firm has many clients and we base our access on who may access which client folders and which service folders within each. &nbsp;These folders have security groups assigned to them. &nbsp;Thus, when an employee is assigned to a certain task for a certain client, that employee is auto-assigned to the appropriate SG through automation and, thus, gains access. &nbsp;This is done this way so that we don't have to keep modifying folders multiple times per day to reassign permissions to multiple employees throughout the day. &nbsp;Worse, the changes to the folders causes backup to think everything needs to be backed up. &nbsp;Not so when using SGs. &nbsp;Now, some employees have access to many folders and may soon exceed the SG count. &nbsp;So, what to do here if I can only use up to 1015 tokens?
</div>


<div>
understand the challenge that you faced. Actually if the user do hit the hard limit no of groups, I believe the token size limit may kicked in first rather than the hard limit group no. May be worth to already identify those potential user (target the VIP and key mgmt. accounts and privileged users) whom going to face this limits.. 
<blockquote>
There is a hard limit to the number of AD groups a user can be a member of. This limit is 1015 groups. If there are more groups, the following error occurs when a user logs on: The system cannot log you on due to the following error: During a logon attempt, the user’s security context accumulated too many security IDs. Please try again or consult your system administrator
</blockquote>
there is PS script to do that<br />
<a href="http://woshub.com/kerberos-token-size-and-issues-of-its-growth/#!prettyPhoto" rel="ugc">http://woshub.com/kerberos-token-size-and-issues-of-its-growth/#!prettyPhoto</a><br />
<a href="http://www.jhouseconsulting.com/2013/12/20/script-to-create-a-kerberos-token-size-report-1041" rel="ugc">http://www.jhouseconsulting.com/2013/12/20/script-to-create-a-kerberos-token-size-report-1041</a><br />
<br />
There is product (&quot;Kerberos Token Size Calculator&quot;) from Golden Finger designed to &nbsp;calculate the Kerberos token size of multiple Active Directory accounts &nbsp;<a href="http://www.paramountdefenses.com/kerberos-token-size-calculator.html" rel="ugc">http://www.paramountdefenses.com/kerberos-token-size-calculator.html</a><br />
<br />
Other than the assessment to identify such users in the domain, besides review how bets not to overlap the SG that will be good but looks like the automation piece may also need to review..am thinking if the SG will be removed or use of claimed based authentication...
<blockquote>
•Dynamic Access Control adds Active Directory Claims to the Ticket. Therefore, calculating the expected ticket sizes is no longer straightforward. The expectation is that tickets that are issued by Windows Server 2012 domain controllers are smaller than the same tickets that are issued from older operating system versions. Claims add to the ticket size. However, after Windows Server 2012 file servers are using claims broadly, you can expect to phase out a significant number of your groups that control file access to trim ticket sizes.
</blockquote>
<a href="https://support.microsoft.com/en-us/kb/327825" rel="ugc">https://support.microsoft.com/en-us/kb/327825</a>
</div>


<div>
OK, so what is the alternative if we need to manage more than 1015 security groups?
</div>


<div>
I do not think there is a straight answer as a stop gap but need to address from the review of creating those groups. Role based approach may be considered. Here is one good sharing in striking that balance <br />
<br />
<a href="http://www.itadmintools.com/2011/09/avoiding-token-bloat-in-your-active.html" rel="ugc">http://www.itadmintools.com/2011/09/avoiding-token-bloat-in-your-active.html</a><br />
<br />
..but the nested group has no good solution though..<a href="http://www.itadmintools.com/2011/09/avoiding-token-bloat-in-your-active_30.html" rel="ugc">http://www.itadmintools.com/2011/09/avoiding-token-bloat-in-your-active_30.html</a>
</div>


<div>
Role-based approach isn't going to work for my scenario. &nbsp;I guess there is no real Microsoft Windows solution for this scenario. &nbsp;I'll have to re-think how to handle users needing the largest amount of clients at once, which changes dynamically throughout the day. &nbsp;Thanks!
</div>


<div>
Accepted as closing comment since there is no Microsoft-based solution to meet the need of massive amount of security groups.
</div>


<div>
<div class="content wysiwyg-content">
One of our users have 500-600 security groups applied to him. &nbsp;When he tries to log into our Citrix system, he gets an &quot;access denied&quot; error. &nbsp;The problem turns out to be due to a limit on the default MaxTokenSize within Microsoft Windows Server 2008 R2. &nbsp;This article explains how to adjust MaxTokenSize to 48000 (not 65535 as previously recommended):<br />
<br />
<a href="http://blogs.technet.com/b/shanecothran/archive/2010/07/16/maxtokensize-and-kerberos-token-bloat.aspx" rel="ugc">http://blogs.technet.com/b/shanecothran/archive/2010/07/16/maxtokensize-and-kerberos-token-bloat.aspx</a><br />
<br />
I did notice that it said Microsoft has hardcoded a limit of 1015 groups that a member can have. &nbsp;I do have a question, though, thus, the reason for this post: &nbsp;Does nested memberships count? &nbsp;For example, say I have this structure:<br />
<br />
SG for Group A<br />
&nbsp; &nbsp;Member of SG for Client A<br />
&nbsp; &nbsp;Member of SG for Client B<br />
&nbsp; &nbsp;Member of SG for Client C<br />
<br />
User XYZ then becomes a member of SG for Group A. &nbsp;For User XYZ, would that count as 1 SG or 4, i.e., including nested groups?<br />
<br />
Otherwise, I need to control access in a different way if I can't use more than 1015 SGs. &nbsp;Please advise.<br />
<br />
Regards,<br />
<br />
John Babbitt<br />
Systems Administrator<br />
Ashland Support Group
</div>
</div>


One of our users have 500-600 security groups applied to him.  When he tries to log into our Citrix system, he gets an "access denied" error.  The problem turns out to be due to a limit on the default MaxTokenSize within Microsoft Windows Server 2008 R2.  This article explains how to adjust MaxTokenSize to 48000 (not 65535 as previously recommended):

http://blogs.technet.com/b/shanecothran/archive/2010/07/16/maxtokensize-and-kerberos-token-bloat.aspx

I did notice that it said Microsoft has hardcoded a limit of 1015 groups that a member can have.  I do have a question, though, thus, the reason for this post:  Does nested memberships count?  For example, say I have this structure:

SG for Group A
   Member of SG for Client A
   Member of SG for Client B
   Member of SG for Client C

User XYZ then becomes a member of SG for Group A.  For User XYZ, would that count as 1 SG or 4, i.e., including nested groups?

Otherwise, I need to control access in a different way if I can't use more than 1015 SGs.  Please advise.

Regards,

John Babbitt
Systems Administrator
Ashland Support Group

Kerberos MaxTokenSize and Security Groups

Windows Server 2008 and Windows Server 2008 R2, based on the Microsoft Vista codebase, is the last 32-bit server operating system released by Microsoft. It has a number of versions, including including Foundation, Standard, Enterprise, Datacenter, Web, HPC Server, Itanium and Storage; new features included server core installation and Hyper-V.

Windows Server 2008

The Microsoft Server topic includes all of the legacy versions of the operating system, including the Windows NT 3.1, NT 3.5, NT 4.0 and Windows 2000 and Windows Home Server versions.