One of our users have 500-600 security groups applied to him. When he tries to log into our Citrix system, he gets an "access denied" error. The problem turns out to be due to a limit on the default MaxTokenSize within Microsoft Windows Server 2008 R2. This article explains how to adjust MaxTokenSize to 48000 (not 65535 as previously recommended):
I did notice that it said Microsoft has hardcoded a limit of 1015 groups that a member can have. I do have a question, though, thus, the reason for this post: Does nested memberships count? For example, say I have this structure:
SG for Group A
Member of SG for Client A
Member of SG for Client B
Member of SG for Client C
User XYZ then becomes a member of SG for Group A. For User XYZ, would that count as 1 SG or 4, i.e., including nested groups?
Otherwise, I need to control access in a different way if I can't use more than 1015 SGs. Please advise.
Ashland Support Group