Brad, did you happen to catch this part of the kb?

MORE INFORMATION

Previously, if users experienced this problem, you had to adjust the Kerberos MaxTokenSize value to resume operations. To resolve this problem, you had to update this value on all domain workstations. If you use the hotfix that is described in this article, you do not have to modify the MaxTokenSize registry value in most cases. However, there are some scenarios in which you have to modify the MaxTokenSize registry value after you apply this hotfix. After you apply this hotfix to all the domain controllers, use the following formula to determine whether you have to modify the MaxTokenSize value:

    TokenSize = 1200 + 40d + 8s

This formula uses the following values:

* d: The number of domain local groups a user is a member of plus the number of universal groups outside the user's account domain plus the number of groups represented in security ID (SID) history.
* s: The number of security global groups that a user is a member of plus the number of universal groups in a user's account domain.
* 1200: The estimated value for ticket overhead. This value can vary depending on factors such as DNS domain name length, client name, and other factors.

In scenarios in which delegation is used (for example, when users authenticate to a domain controller), Microsoft recommends that you double the token size.

If the token size that you calculate by using this formula is less than 12,000 bytes (the default size), you do not have to modify the MaxTokenSize registry value on domain clients. If the value is more than 12,000 bytes, see the following Microsoft Knowledge Base article for a description of how to adjust the MaxTokenSize registry value:

Saying that, it's likely that if you're having this problem you may want to consider changing your group strategy. To reach that, you'd have to be a member of a lot of groups and there may be a better and more usable way to structure group membership.
Does that help or do you need to search each SID and figure out if it's going to have problems by looking at the length?

Al

________________________________

From: [EMAIL PROTECTED] on behalf of Smith, Brad
Sent: Fri 8/19/2005 8:28 AM
To: [email protected]
Subject: [ActiveDir] User SIDs...

Hello All,

Does anyone know the default length a user's SID (Win2K DCs, WinXP SP2 clients) can be before problems such as http://support.microsoft.com/?kbid=327825 start occurring?

Also, is there any way to determine the actual length of a user's SID???

TIA,

Brad
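The KB formula quoted in the reply above, worked through as an added example (not part of the original thread or of the KB article). It assumes the user's group memberships have already been exported and nested groups expanded, and that distribution groups are skipped because they carry no SID into the token. The `Group` record, the function names, and the `corp.example` / `emea.example` domains are hypothetical.

```python
from dataclasses import dataclass

DEFAULT_MAX_TOKEN_SIZE = 12000  # bytes, the default size named in the KB excerpt
TICKET_OVERHEAD = 1200          # estimated ticket overhead term of the formula

@dataclass(frozen=True)
class Group:                    # hypothetical record for one exported membership
    name: str
    scope: str                  # "domain_local", "global" or "universal"
    domain: str                 # DNS name of the domain that holds the group
    security: bool = True       # False for distribution groups (assumed skipped)

def estimate_token_size(account_domain, groups, sid_history_count=0, delegation=False):
    """Return (d, s, bytes) for TokenSize = 1200 + 40d + 8s."""
    d, s, seen = sid_history_count, 0, set()
    for g in groups:
        key = (g.domain.lower(), g.name.lower())
        if not g.security or key in seen:   # skip distribution groups and duplicates
            continue
        seen.add(key)
        if g.scope == "domain_local":
            d += 1
        elif g.scope == "global":
            s += 1
        elif g.scope == "universal":
            # Universal groups count as s inside the account domain, d outside it.
            if g.domain.lower() == account_domain.lower():
                s += 1
            else:
                d += 1
        else:
            raise ValueError(f"unknown group scope: {g.scope!r}")
    size = TICKET_OVERHEAD + 40 * d + 8 * s
    return d, s, (size * 2 if delegation else size)  # KB: double when delegation is used

def needs_max_token_size_change(size, limit=DEFAULT_MAX_TOKEN_SIZE):
    return size > limit

def sample_groups():
    # Constructed memberships for one heavily grouped user in corp.example.
    groups = [Group(f"DL-{i}", "domain_local", "corp.example") for i in range(120)]
    groups += [Group(f"GG-{i}", "global", "corp.example") for i in range(300)]
    groups += [Group(f"UG-{i}", "universal", "corp.example") for i in range(40)]
    groups += [Group(f"UG-{i}", "universal", "emea.example") for i in range(25)]
    groups.append(Group("All-Staff", "global", "corp.example", security=False))
    return groups

if __name__ == "__main__":
    for deleg in (False, True):
        d, s, size = estimate_token_size("corp.example", sample_groups(), 10, deleg)
        print(f"delegation={deleg} d={d} s={s} size={size} "
              f"adjust={needs_max_token_size_change(size)}")
```

In the constructed data the same user stays under the 12,000-byte default without delegation and exceeds it once the size is doubled for delegation.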
