Break group membership ceilings in Windows 2000 Active Directory

Learn to work around the strange limitations domain controllers impose on groups in Windows 2000 Server.

A fresh install of a Windows 2000 domain controller imposes a strange limitation on the number of groups of which a user account can be a member: roughly 70. This happens because of the way Microsoft uses a previously empty field in the Kerberos token to carry the list of a user's group memberships. The overall size of the Kerberos token is 12,000 bits, and the space allotted to that group list fills up once about 70 groups are used.

When this allocation is full, Kerberos token processing fails, which can give you two problems. First, the user account may not be authenticated at all, and thus not be allowed into the domain. Second, even if authentication succeeds, no GPOs will be applied. This is what is known as a bad thing.

Fortunately, there are a few solutions. The first is to limit the number of groups to which any single user account can belong. Limit the total number of group memberships to 60, including nested groups, since the SIDs of parent groups are also placed in the Kerberos token.

The second solution is to apply Service Pack 2 (no separate hot fix was released). A Registry entry, MaxTokenSize, is added to expand the maximum size of the Kerberos token. It lives in the System\CurrentControlSet\Control\Lsa\Kerberos\Parameters key. SP2 sets the value of MaxTokenSize to 100000 (decimal). This effectively expands the maximum number of groups a single user can be a member of to roughly 200.

This won't work in some of the environments I've seen, where 200+ group memberships were common. If you find that this limitation is still too restrictive, you can increase the value of MaxTokenSize. However, there is a limit to how far you can expand the Kerberos token size before other side effects start occurring. When the token size is too large for your specific environment, you'll start to notice that various DC functions begin failing, services encounter domain errors, users may not be authenticated, etc. The point at which these problems start occurring is unique to every environment and depends on the overall capability of the DCs to handle and process large packets (that is, on system resources such as processing capability, memory, and caching).
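The check an administrator would want before hitting either ceiling, as an added example that is not part of the original article: read the effective MaxTokenSize from the registry and count a user's token groups (nested memberships included) against the 60 and roughly 200 figures given above. It assumes Windows PowerShell on a domain-joined host, the well-known HKLM location of the Kerberos Parameters key, and that the hypothetical parameter $SamAccountName names an existing account.

```powershell
# Added example, not from the original article. Compares a user's transitive
# group count with the ceilings described in the text for a given MaxTokenSize.
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName   # hypothetical parameter: the account to inspect
)

# MaxTokenSize lives under the Kerberos Parameters key in the HKLM hive.
# If the value is absent, the pre-SP2 default applies.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$maxTokenSize = (Get-ItemProperty -Path $keyPath -Name MaxTokenSize `
                   -ErrorAction SilentlyContinue).MaxTokenSize
if ($null -eq $maxTokenSize) {
    Write-Output "MaxTokenSize is not set in $keyPath; the default token size applies."
} else {
    Write-Output "MaxTokenSize = $maxTokenSize (decimal)"
}

# Find the account in the current domain and read tokenGroups, the attribute the
# DC computes as the full transitive set of group SIDs that go into the token
# (so nested and parent groups are counted, as the article requires).
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
$result = $searcher.FindOne()
if ($null -eq $result) { throw "Account '$SamAccountName' was not found." }

$user = $result.GetDirectoryEntry()
$user.RefreshCache(@('tokenGroups'))   # constructed attribute; must be requested explicitly
$tokenGroupCount = $user.Properties['tokenGroups'].Count
Write-Output "$SamAccountName has $tokenGroupCount token groups (nested groups included)."

# Ceilings from the article: keep to 60 memberships without SP2, and expect
# roughly 200 once SP2 has set MaxTokenSize to 100000. Intermediate values are
# not covered by the article, so they are treated conservatively as the lower bound.
$ceiling = if ($null -eq $maxTokenSize -or $maxTokenSize -lt 100000) { 60 } else { 200 }
if ($tokenGroupCount -gt $ceiling) {
    Write-Warning ("Group count {0} exceeds the ~{1} ceiling for this MaxTokenSize; " +
                   "expect logon failures or GPOs not being applied.") -f $tokenGroupCount, $ceiling
} else {
    Write-Output "Group count is within the ~$ceiling ceiling for this MaxTokenSize."
}
```

Run it on a domain controller or a domain-joined workstation; the registry read reflects the local machine, so check the DCs themselves when diagnosing authentication failures.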

For more info on this issue, see the Knowledge Base article Q263693.

James Michael Stewart is a partner and researcher for Itinfopros, a technology-focused writing and training organization.

This was first published in November 2003
