Windows Tip Sheet
The Group that Broke the Camel’s Back
Belonging to too many domain user groups may actually prevent you from logging on.
A friend of mine who’s a network administrator recently complained that he was having logon issues on his network. Specifically, with his own account, which obviously got top priority in his mind! He’s in a full-on Win2003 domain, so at first I didn’t understand what the problem could be, until we started talking. Sometimes his logon would work; other times, no dice, and it seemed completely random. We eliminated all the usual connectivity issues and were still stumped.
As you know, part of the logon process is generating a security token, which contains your user account’s security identifier (SID), as well as the SIDs for any groups you belong to. So whenever logon problems start to occur, I like to look at the token and see how it’s working. The Tokensz tool is perfect for this, so the next time his logon worked, I had him run it on his WinXP box.
Turns out my buddy’s user account is in a lot of domain user groups. A lot. Running Tokensz /compute_tokensize showed a token size of 11943, and the max is 12000. “Why so many groups?” I asked. Well, his company has a lot of groups, and whenever he created a new one, he put himself in it to test security access and stuff. Sometimes he’d remember to take himself back out of the group, but not always. When the number of groups he belonged to got too high (we put the number at about 80, but it depends on a lot of things), his token would get too large and he’d start having logon issues. Drop some groups, and all was well.
Nested group membership is worse, because it’s not apparent in the GUI how many groups you actually belong to, although each one’s SID goes into your token. Running Tokensz is the only real way to see your token and how large it’s growing. Once that 12,000-byte limit is passed (the byte limit, by the way, is the size of the buffer Kerberos uses to store pre-allocated certificates), problems begin. Some research puts the trouble zone at 70-120 groups; keep your group membership under that level and you’ll be fine.
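To show how nested membership quietly inflates the token (the point of the two paragraphs above), here is an added example that is not part of the original column and not Tokensz itself. It expands a user’s group membership transitively over a constructed sample directory (including a nesting loop, which real directories can contain) and then applies the rough token-size estimate Microsoft documented in KB 327825, TokenSize = 1200 + 40d + 8s, where d counts domain-local groups, universal groups outside the user’s domain and SID-history entries, and s counts global groups and universal groups in the user’s domain. The group names, scopes and the `check_user` report format are assumptions for illustration; the formula is only an estimate, so the number Tokensz reports is the one to act on.

```python
"""Estimate a user's Kerberos token size from (nested) group membership.

Added example, not from the original column. The size estimate is the one
documented in Microsoft KB 327825 (TokenSize = 1200 + 40d + 8s); it is an
approximation, and Tokensz gives the real number. The directory below is
constructed sample data, not a real domain.
"""
from collections import deque

MAX_TOKEN_SIZE = 12000  # default MaxTokenSize the column discusses

# Constructed group directory (assumption for illustration):
#   name -> (scope, in_user_domain, groups this group is nested in)
# scope is "global", "universal" or "domainlocal".
GROUPS = {
    "Sales":         ("global",      True,  ["AllStaff"]),
    "AllStaff":      ("global",      True,  ["Everyone-Mail"]),
    "Everyone-Mail": ("universal",   True,  []),
    "ServerAdmins":  ("domainlocal", True,  ["HelpDesk"]),
    "HelpDesk":      ("domainlocal", True,  []),
    "PartnerPortal": ("universal",   False, []),
    "Loop-A":        ("global",      True,  ["Loop-B"]),
    "Loop-B":        ("global",      True,  ["Loop-A"]),  # nesting cycle
}


def expand_groups(direct, directory=GROUPS):
    """Return every group the user belongs to, directly or through nesting.

    Breadth-first walk with a visited set, so a nesting cycle such as
    Loop-A <-> Loop-B terminates instead of recursing forever.
    """
    seen = set()
    queue = deque(direct)
    while queue:
        name = queue.popleft()
        if name in seen or name not in directory:
            continue
        seen.add(name)
        queue.extend(directory[name][2])  # parents of this group
    return seen


def estimate_token_size(direct, sid_history=0, directory=GROUPS):
    """Apply the KB 327825 estimate to the fully expanded membership."""
    groups = expand_groups(direct, directory)
    d = sid_history  # SID-history entries count toward the 40-byte class
    s = 0
    for name in groups:
        scope, in_domain, _ = directory[name]
        if scope == "domainlocal" or (scope == "universal" and not in_domain):
            d += 1  # domain-local, or universal from another domain
        else:
            s += 1  # global, or universal from the user's own domain
    return 1200 + 40 * d + 8 * s


def check_user(direct, sid_history=0, limit=MAX_TOKEN_SIZE, directory=GROUPS):
    """Report effective group count, estimated bytes and headroom to the limit."""
    groups = expand_groups(direct, directory)
    size = estimate_token_size(direct, sid_history, directory)
    return {
        "direct_groups": len(set(direct)),
        "effective_groups": len(groups),  # what the GUI does not show
        "estimated_bytes": size,
        "headroom_bytes": limit - size,
        "over_limit": size > limit,
    }


if __name__ == "__main__":
    # The user appears to be in 4 groups, but nesting makes it 8.
    report = check_user(["Sales", "ServerAdmins", "PartnerPortal", "Loop-A"])
    for key, value in report.items():
        print(f"{key:>17}: {value}")
```

Run it as-is to see the gap between direct and effective group counts; to use it against a real directory, replace `GROUPS` with membership data exported from AD and keep the cycle-safe expansion, which is the part that matters when groups are nested several levels deep.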
About the Author
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.