I'm hoping someone can shed some light on this.

The background....

A while ago some admins had problems joining servers to an AD domain.  The error was:

"The Parameter is incorrect"

We narrowed it down to the fact that the admins with problems had a large number of 
nested group memberships (400+).  If we removed the group memberships the admin could 
join the server to the domain with no problem. We opened a call with Microsoft PSS, 
who advised us to install the hotfix mentioned in 
http://support.microsoft.com/default.aspx?scid=kb;[LN];327825

We duly installed the hotfix on all DCs.  Now it seems we have the problem again, 
albeit intermittently.  We re-opened the case with PSS and they have advised us that 
the problem is due to the accumulation of too many SIDs in the access token 
(http://support.microsoft.com/default.aspx?scid=kb;[LN];275266).  There is no 
workaround apparently, this is behaviour by design.  

The problem I have with this is that, even with nesting, the "problem" accounts are 
members of far fewer than the 1000 groups mentioned in the KB article.  This is still open 
with PSS.

Obviously, we have a workaround to the problem, but it is frustrating not knowing the 
true cause behind the issue.  The only thing we know is that it has "something" to do 
with the size of the access token, but no real detail.

Anyone come across the same (or similar) problem?  Any pointers?

Tony
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/