Title: [ActiveDir] User SIDs...
Al, thanks for that, I hadn't caught that bit of the article and have appropriately chastised myself.  The reason I missed it is because I jumped to the end of the article to see if it applies to Windows XP.  It applies to Win2k, which we have for DCs, but not for XP, which is what the client is running. The line under "More Information" reads
 
"Previously, if users experienced this problem, you had to adjust the Kerberos MaxTokenSize value to resume operations. To resolve this problem, you had to update this value on all domain workstations"
 
which leads me to believe that this hotfix is workstation specific.  Also FYI, the user is in 46 groups only, as is reported by a basic gpresult query that I calculate to include nested groups.


From: Al Mulnick [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: 19 August 2005 14:06
To: [email protected]
Subject: RE: [ActiveDir] User SIDs...

Brad, did you happen to catch this part of the kb?
 

MORE INFORMATION

Previously, if users experienced this problem, you had to adjust the Kerberos MaxTokenSize value to resume operations. To resolve this problem, you had to update this value on all domain workstations.

If you use the hotfix that is described in this article, you do not have to modify the MaxTokenSize registry value in most cases. However, there are some scenarios in which you have to modify the MaxTokenSize registry value after you apply this hotfix. After you apply this hotfix to all the domain controllers, use the following formula to determine whether you have to modify the MaxTokenSize value:
TokenSize = 1200 + 40d + 8s
This formula uses the following values:
d: The number of domain local groups a user is a member of plus the number of universal groups outside the user's account domain plus the number of groups represented in security ID (SID) history.
s: The number of security global groups that a user is a member of plus the number of universal groups in a user's account domain.
1200: The estimated value for ticket overhead. This value can vary depending on factors such as DNS domain name length, client name, and other factors.
In scenarios in which delegation is used (for example, when users authenticate to a domain controller), Microsoft recommends that you double the token size.

If the token size that you calculate by using this formula is less than 12,000 bytes (the default size), you do not have to modify the MaxTokenSize registry value on domain clients. If the value is more than 12,000 bytes, see the following Microsoft Knowledge Base article for a description of how to adjust the MaxTokenSize registry value:

Saying that, it's likely that if you're having this problem you may want to consider changing your group strategy.  To reach that, you'd have to be a member of a lot of groups and there may be a better and more usable way to structure group membership.
 
Does that help or do you need to search each SID and figure out if it's going to have problems by looking at the length?
 
Al
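As an added illustration of the MaxTokenSize formula quoted from the KB above (this is example code written for this archive page, not something from the thread or from Microsoft), the following Python calculator applies TokenSize = 1200 + 40d + 8s, the doubling Microsoft recommends where delegation is used, and the 12,000-byte default threshold. The group counts it uses are constructed; in particular, the thread says only that Brad's user is in 46 groups in total, so the split between domain local, global and universal groups below is an assumption made for the example.

```python
"""Estimate a Kerberos access-token size from the KB 327825 formula quoted above.

    TokenSize = 1200 + 40*d + 8*s

d: domain local groups + universal groups outside the account domain
   + groups represented in SID history
s: global groups + universal groups inside the account domain

The 1200-byte ticket overhead and the 12,000-byte default MaxTokenSize are the
figures given in the quoted KB text; the group counts below are constructed.
"""
from dataclasses import dataclass

TICKET_OVERHEAD = 1200          # estimated, varies with DNS name length etc.
DEFAULT_MAX_TOKEN_SIZE = 12000  # default client MaxTokenSize per the KB


@dataclass(frozen=True)
class GroupMembership:
    """Group counts for one user, split the way the formula needs them."""
    domain_local: int
    universal_outside_domain: int
    sid_history: int            # SIDs carried in sIDHistory after a migration
    global_groups: int
    universal_in_domain: int

    @property
    def d(self) -> int:
        return self.domain_local + self.universal_outside_domain + self.sid_history

    @property
    def s(self) -> int:
        return self.global_groups + self.universal_in_domain

    @property
    def total_groups(self) -> int:
        """Flat group count, comparable to what gpresult reports."""
        return self.d + self.s


def estimate_token_size(m: GroupMembership, delegation: bool = False) -> int:
    """Apply the KB formula; double the result when delegation is in play."""
    size = TICKET_OVERHEAD + 40 * m.d + 8 * m.s
    return 2 * size if delegation else size


def needs_max_token_size_change(m: GroupMembership, delegation: bool = False,
                                limit: int = DEFAULT_MAX_TOKEN_SIZE) -> bool:
    """True when the estimate exceeds the client's MaxTokenSize."""
    return estimate_token_size(m, delegation) > limit


def domain_local_headroom(m: GroupMembership, delegation: bool = False,
                          limit: int = DEFAULT_MAX_TOKEN_SIZE) -> int:
    """How many more d-type groups (40 bytes each, 80 with delegation) fit
    under the limit. Domain local groups cost five times what global groups
    do, which is why they dominate the estimate."""
    size = estimate_token_size(m, delegation)
    if size > limit:
        return 0
    return (limit - size) // (80 if delegation else 40)


# Constructed split of a 46-group user (the thread gives only the total of 46).
BRAD_USER = GroupMembership(domain_local=30, universal_outside_domain=0,
                            sid_history=0, global_groups=16, universal_in_domain=0)

# Constructed migrated user: heavy sIDHistory plus many domain local groups.
MIGRATED_USER = GroupMembership(domain_local=200, universal_outside_domain=20,
                                sid_history=80, global_groups=60, universal_in_domain=10)

if __name__ == "__main__":
    for name, user in (("46-group user", BRAD_USER), ("migrated user", MIGRATED_USER)):
        for delegation in (False, True):
            size = estimate_token_size(user, delegation)
            print(f"{name:14} delegation={delegation!s:5} d={user.d:3} s={user.s:3} "
                  f"TokenSize={size:6}  change MaxTokenSize: "
                  f"{needs_max_token_size_change(user, delegation)}")
```

With the constructed split, a 46-group user comes out at 2,528 bytes (5,056 with delegation), far under the 12,000-byte default, which is consistent with Al's point that ordinary membership counts do not reach the limit; the migrated-user case shows how sIDHistory entries and domain local groups, at 40 bytes each, push the estimate past it.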
 
 


From: [EMAIL PROTECTED] on behalf of Smith, Brad
Sent: Fri 8/19/2005 8:28 AM
To: [email protected]
Subject: [ActiveDir] User SIDs...

Hello All,

Does anyone know the default length a user's SID (Win2K DCs, WinXP SP2 clients) can be before problems such as http://support.microsoft.com/?kbid=327825 start occurring?  Also, is there any way to determine the actual length of a user's SID???

TIA,

Brad

