A fresh install of a Windows 2000 domain controller imposes a strange limitation on the number of groups in which...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
a user account can be a member. The limitation is about 70 groups. This happens because of the way Microsoft employed an empty field in a Kerberos token. The overall size of the Kerberos token is 12,000 bits, and because of the space allocation to list user-group memberships it becomes full once about 70 groups are used. When this allocation becomes full it causes an error in the Kerberos token processing, which can give you two problems. First, the user account may not be authenticated at all, and thus not be allowed into the domain. Second, even if authentication occurs, no GPOs will be applied. This is what is known as a bad thing.
Fortunately, there are a few solutions. The first is to limit the number of groups to which any single user account can belong. Limit the total number of group memberships to 60, including nested groups; even the SIDs of parent groups are included in the Kerberos token.
The second solution is to apply Service Pack 2 (no separate hot fix was released). A Registry entry, MaxTokenSize, is added to expand the maximum size of the Kerberos token. It lives in the System\CurrentControlSet\Control\Lsa\Kerberos\Parameters key. SP2 sets the value of MaxTokenSize to 100000 (decimal). This effectively expands the maximum number of groups a single user can be a member of to roughly 200.
This won't work in some of the environments I've seen where 200+ group memberships were common. If you find that this limitation is still too restrictive, you can increase the value of MaxTokenSize. However, there is a limit to how large you can expand the Kerberos token size before other side effects start occurring. When the token size is too large for your specific environment, you'll start to notice that various DC functions begin failing, services encounter domain errors, users may not be authenticated, etc. The point at which these problems start occurring is unique to every environment and is based on the overall capability of the DCs to handle and process large packets (thus it is dependant upon system resources such as processing capability, memory, and caching).
For more info on this issue, see the Knowledge Base article Q263693.
James Michael Stewart is a partner and researcher for Itinfopros, a technology-focused writing and training organization.