At least. If you have multiple SIDs in the token history you could use
even more space. Take the case where you moved a group between domains
multiple times: you would have a SID for every move plus the final domain
SID, which is the current one.

Joe

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Wednesday, August 27, 2003 8:10 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Problems with too many nested group memberships


By extension, if you've got nested groups that carry SID-history
baggage, does that mean that you're further limited? In other words, a
nested group pair, where both groups have SID history defined, takes 4
token slots?

Roger
--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -----Original Message-----
> From: GRILLENMEIER,GUIDO (HP-Germany,ex1)
> [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, August 27, 2003 7:41 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Problems with too many nested group 
> memberships
> 
> 
> Tony, I believe that the 1000 SID limit is only relevant for NTLM
> authentication - the Kerberos ticket accepts a far smaller number of
> SIDs in the token by default (roughly 120).
> 
> With the number of group memberships that you have (likely more than 120),
> it sounds like you'll have to increase the MaxTokenSize value in your
> environment (even after applying the fix
> http://support.microsoft.com/default.aspx?scid=kb;[LN];327825).
> 
> As you'll be authenticated via Kerberos on the server you're trying to join
> to AD at the time of joining it, I'd try to change the MaxTokenSize value
> in the registry on the server itself PRIOR to joining it to AD.
> 
> Also - have the groups which the user is a member of been migrated with
> SID-History?  In this case you'll have 2 SIDs per group, which further
> decreases the number of "real" groups your Kerberos ticket will be able to
> accept by default to approx. 60.
> 
> /Guido
> 
> -----Original Message-----
> From: Tony Murray [mailto:[EMAIL PROTECTED]
> Sent: Dienstag, 26. August 2003 16:16
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Problems with too many nested group memberships
> 
> I'm hoping someone can shed some light on this.
> 
> The background....
> 
> A while ago some admins had problems joining servers to an AD domain.  The
> error was:
> 
> "The Parameter is incorrect"
> 
> We narrowed it down to the fact that the admins with problems had a large
> number of nested group memberships (400+).  If we removed the group
> memberships the admin could join the server to the domain with no problem.
> We opened a call with Microsoft PSS, who advised us to install the hotfix
> mentioned in
> http://support.microsoft.com/default.aspx?scid=kb;[LN];327825
> 
> We duly installed the hotfix on all DCs.  Now it seems we have the problem
> again, albeit intermittently.  We re-opened the case with PSS and they have
> advised us that the problem is due to the accumulation of too many SIDs in
> the access token
> (http://support.microsoft.com/default.aspx?scid=kb;[LN];275266).  There is
> no workaround apparently; this is behaviour by design.
> 
> The problem I have with this is that, even with nesting, the "problem"
> accounts are members of far fewer than the 1000 groups mentioned in the KB
> article.  This is still open with PSS.
> 
> Obviously, we have a workaround to the problem, but it is frustrating
> not knowing the true cause behind the issue.  The only thing we know is
> that it has "something" to do with the size of the access token, but no
> real detail.
> 
> Anyone come across the same (or similar) problem?  Any pointers?
> 
> Tony
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
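The token arithmetic the thread describes (one SID per group, plus one extra SID per SID-History entry, checked against MaxTokenSize), as an added example that is not code from any of the posters; the KB 327825 size formula and the 12000-byte default MaxTokenSize are quoted from memory and are assumptions to verify locally.

```python
# Added example, not from anyone in this thread: estimate the SID count and
# size of a Kerberos token from group memberships, including the extra SIDs
# SID-History adds (one per domain move, as the thread describes). Size uses
# the KB 327825 formula TokenSize = 1200 + 40d + 8s; the 12000-byte default
# MaxTokenSize (Windows 2000/2003) is quoted from memory, verify it locally.
from dataclasses import dataclass

DEFAULT_MAX_TOKEN_SIZE = 12000  # bytes; assumption, check your OS version


@dataclass
class Group:
    name: str
    scope: str                 # "global", "domain_local" or "universal"
    in_user_domain: bool = True
    sid_history: int = 0       # historical SIDs carried over, one per domain move


def count_token_sids(groups, user_sid_history=0):
    """Every group contributes its current SID plus one SID per SID-History entry."""
    return sum(1 + g.sid_history for g in groups) + user_sid_history


def estimate_token_size(groups, user_sid_history=0):
    """KB 327825 estimate: d = domain local + foreign universal + SID-History
    entries, s = global + home-domain universal; size = 1200 + 40d + 8s."""
    d = user_sid_history
    s = 0
    for g in groups:
        if g.scope == "domain_local" or (g.scope == "universal" and not g.in_user_domain):
            d += 1
        else:
            s += 1
        d += g.sid_history     # SID-History entries are counted in d
    return 1200 + 40 * d + 8 * s


def fits_in_token(groups, max_token_size=DEFAULT_MAX_TOKEN_SIZE, user_sid_history=0):
    """True when the estimated token fits within MaxTokenSize."""
    return estimate_token_size(groups, user_sid_history) <= max_token_size


def sample_groups():
    """Constructed sample: a few nested groups, two of them migrated with SID-History."""
    return [
        Group("Server-Admins", "global"),
        Group("Legacy-Ops", "domain_local", sid_history=1),
        Group("Corp-Universal", "universal", in_user_domain=False, sid_history=2),
    ]


if __name__ == "__main__":
    print(count_token_sids(sample_groups()), estimate_token_size(sample_groups()))
    big = [Group(f"nested-{i}", "global", sid_history=1) for i in range(400)]  # 400 groups, each moved once
    print(count_token_sids(big), estimate_token_size(big), fits_in_token(big))
```

With 400 groups that each carry one SID-History entry the token holds 800 SIDs, far beyond the roughly 120 default Guido mentions, and the size estimate exceeds the default MaxTokenSize.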
