Logons fail, permissions do not take effect and Group Policies cannot be applied.
The reason can be that the user is a member of too many Active Directory groups.
You can try to increase the MaxTokenSize to fix this issue.
Too many group memberships?
Maybe it does not look like it at first sight.
But when you count the number of groups, keep in mind that there can be more than just the direct memberships.
Having too many group memberships can be the reason why applying a new group membership does not work.
Count all kinds of group membership, meaning:
- direct group memberships
- nested group memberships
- memberships resulting from the attribute SIDHistory
MaxTokenSize too small?
If the user is a member of several hundred groups, you should increase the MaxTokenSize.
The value can be set manually via a registry key or via Group Policy on the users' systems.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxTokenSize DWORD Value: 48000 Decimal
Because of the HTTP Base64 encoding on Windows 2012 systems, a maximum of 48,000 is recommended.
The maximum size is 65535 bytes.
A user can be a member of 1,015 groups + 9 built-in groups = 1,024 max.
The current value can be read with the Microsoft tool tokensz.exe:
Current PackageInfo->MaxToken: 12000 (default value with Windows 7)
MaxToken (complete context) xxxx (current number on your system)
Calculation of the token size (from Microsoft KB 327825)
TokenSize = 1200 + 40d + 8s
- d: The number of domain local groups a user is a member of, plus the number of universal groups outside the user's account domain, plus the number of groups represented in security ID (SID) history.
- s: The number of security global groups that a user is a member of plus the number of universal groups in a user’s account domain.
- 1200: The estimated value for ticket overhead. This value can vary depending on factors such as DNS domain name length, client name, and other factors.
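As an added example (not part of the original article or of any Microsoft tool), the following Python script puts the two points above together: it expands direct and nested memberships over a small constructed directory, classifies the groups into d and s as KB 327825 describes, applies TokenSize = 1200 + 40d + 8s, and compares the estimate with a MaxTokenSize. Group names, domains and the sIDHistory count are constructed sample values.

```python
"""Estimate a Kerberos token size from transitive group memberships (KB 327825 formula).
All directory data below is constructed for the example, not read from a real domain."""
from dataclasses import dataclass, field

@dataclass
class Group:
    scope: str            # "Global", "DomainLocal" or "Universal"
    domain: str           # DNS name of the domain the group lives in
    members: set = field(default_factory=set)  # names of member users or groups

# Constructed directory: user "alice" has her account in corp.example
GROUPS = {
    "G-Sales":      Group("Global",      "corp.example",     {"alice"}),
    "DL-FileShare": Group("DomainLocal", "corp.example",     {"alice"}),
    "U-AllStaff":   Group("Universal",   "corp.example",     {"G-Sales"}),     # nested
    "DL-Printers":  Group("DomainLocal", "corp.example",     {"U-AllStaff"}),  # nested twice
    "U-Partners":   Group("Universal",   "partners.example", {"G-Sales"}),     # other domain
}

def transitive_groups(principal, groups):
    """Direct plus nested memberships: follow group-in-group links until nothing new appears."""
    found, todo = set(), [principal]
    while todo:
        name = todo.pop()
        for gname, g in groups.items():
            if name in g.members and gname not in found:
                found.add(gname)
                todo.append(gname)
    return found

def estimate_token_size(user_domain, member_of, groups, sid_history_count=0):
    """TokenSize = 1200 + 40*d + 8*s, with d and s classified as in KB 327825."""
    d = sid_history_count   # SIDs carried in sIDHistory count towards d
    s = 0
    for name in member_of:
        g = groups[name]
        if g.scope == "DomainLocal" or (g.scope == "Universal" and g.domain != user_domain):
            d += 1
        else:               # Global, or Universal inside the account domain
            s += 1
    return 1200 + 40 * d + 8 * s

def fits_in_token(size, max_token_size=12000):
    """True if the estimate fits the configured MaxTokenSize (12000 is the Windows 7 default)."""
    return size <= max_token_size

if __name__ == "__main__":
    groups = transitive_groups("alice", GROUPS)
    size = estimate_token_size("corp.example", groups, GROUPS, sid_history_count=2)
    print(sorted(groups), size, fits_in_token(size), fits_in_token(size, 48000))
```

Running it shows that two nested hops and a foreign universal group already turn two direct memberships into five counted groups; substituting a few hundred domain local groups makes the estimate exceed the 12,000 default but still fit 48,000.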