A fresh install of a Windows 2000 domain controller imposes a strange limitation on the number of groups in which a user account can be a member. The limitation is about 70 groups. This happens because of the way Microsoft employed an empty field in a Kerberos token. The overall size of the Kerberos token is 12,000 bits, and because of the space allocation to list user-group memberships it becomes full once about 70 groups are used. When this allocation becomes full it causes an error in the Kerberos token processing, which can give you two problems. First, the user account may not be authenticated at all, and thus not be allowed into the domain. Second, even if authentication occurs, no GPOs will be applied. This is what is known as a bad thing.
Fortunately, there are a few solutions. The first is to limit the number of groups to which any single user account can belong. Limit the total number of group memberships to 60, including nested groups; even the SIDs of parent groups are included in the Kerberos token.
The second solution is to apply Service Pack 2 (no separate hotfix was released). A Registry entry, MaxTokenSize, is added to expand the maximum size of the Kerberos token. It is a DWORD value that lives in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters key. SP2 sets the value of MaxTokenSize to 100000 (decimal). This effectively expands the maximum number of groups a single user can be a member of to roughly 200.
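The following PowerShell script is an added example, not code from the original article or from Microsoft. It audits both sides of the problem the two solutions address: it reads the MaxTokenSize value from the registry key named above, counts the group SIDs already expanded into the current logon token (which is the list the Kerberos token carries, nested and parent groups included), compares that count with the article's rule of thumb of 60 memberships, and provides a helper to set MaxTokenSize. The function names, the `$recommendedMax` threshold and the sample call that writes the article's SP2 value are assumptions of this example; the script assumes a domain-joined Windows host with PowerShell 3 or later.

```powershell
# Added example (not from the original article): audit MaxTokenSize and the
# group-SID count of the current logon token. The registry path is the one
# the article names; everything else here is an assumption of this example.
$paramsKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$recommendedMax = 60   # the article's rule of thumb: total memberships, nested groups included

function Get-MaxTokenSize {
    # Returns the configured MaxTokenSize, or $null when the value is absent
    # (the host is then still using the built-in default).
    $item = Get-ItemProperty -Path $paramsKey -Name MaxTokenSize -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.MaxTokenSize
}

function Get-TokenGroupCount {
    # Counts every group SID in the current access token. Nested and parent
    # group SIDs are already expanded here, so this is the same list the KDC
    # packs into the Kerberos token. Note the count also includes well-known
    # SIDs such as Everyone and Authenticated Users, so it is an upper bound
    # on the number of directory group memberships.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    return $identity.Groups.Count
}

function Set-MaxTokenSize {
    param([Parameter(Mandatory)][int]$Bytes)
    # Writes the DWORD the article describes. Requires an elevated prompt;
    # the new size is only used after the machine restarts.
    if (-not (Test-Path $paramsKey)) { New-Item -Path $paramsKey -Force | Out-Null }
    New-ItemProperty -Path $paramsKey -Name MaxTokenSize -PropertyType DWord `
        -Value $Bytes -Force | Out-Null
}

# Report the current state against the article's guidance.
$configured = Get-MaxTokenSize
$groupCount = Get-TokenGroupCount

if ($null -eq $configured) {
    Write-Output 'MaxTokenSize is not set; the host is using the pre-SP2 default.'
} else {
    Write-Output "MaxTokenSize is set to $configured (decimal)."
}

Write-Output "Current token carries $groupCount group SIDs."
if ($groupCount -gt $recommendedMax) {
    Write-Warning ("Token group count exceeds the recommended maximum of {0}; " +
                   "trim memberships or raise MaxTokenSize.") -f $recommendedMax
}

# To apply the article's SP2 value from an elevated prompt (constructed sample call):
# Set-MaxTokenSize -Bytes 100000
```

Run the audit as the user whose logons or GPO processing are failing, since the group count reported is that user's own token; the Set-MaxTokenSize call is left commented out so the script is read-only unless an administrator deliberately enables it.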
This won't work
For more info on this issue, see the Knowledge Base article Q263693.
James Michael Stewart is a partner and researcher for Itinfopros, a technology-focused writing and training organization.
This was first published in November 2003