I guess the best question to ask at this point is the type of groups the user is a member of. Not all groups take the same amount of room. Additionally, there were some changes between 2000 RTM and 2003 SP1 that took place that affected the PAC behavior. It's possible you don't see more of this because size is important vs the quantity (you'll not hear that very often, I'll wager ;)

One additional question to ask here: what versions of DC are you running and at what functional level?
Al
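To put numbers on "not all groups take the same amount of room", here is an added estimator (not from the thread or from any tool named in it) that applies the token sizing formula Microsoft publishes in KB 327825, TokenSize = 1200 + 40d + 8s, where d counts domain-local groups, universal groups from other domains and SID history entries, and s counts global and universal groups from the user's own domain. The 12000-byte ceiling is the default MaxTokenSize of that era; the scenario counts are constructed to mirror the 213-group user discussed below.

```python
# Kerberos token-size estimate after the KB 327825 formula:
#   TokenSize = 1200 + 40*d + 8*s
#   d = domain-local groups + foreign universal groups + SID history entries
#   s = global groups + universal groups in the user's own domain
# DEFAULT_MAX_TOKEN_SIZE is the Windows 2000 SP2 / 2003 default MaxTokenSize.

DEFAULT_MAX_TOKEN_SIZE = 12000
BASE_BYTES = 1200
COSTLY_SID_BYTES = 40   # domain-local, foreign universal, SID history
CHEAP_SID_BYTES = 8     # global / own-domain universal


def estimate_token_size(domain_local=0, foreign_universal=0,
                        sid_history=0, own_domain_global=0):
    """Return the estimated token size in bytes for the given counts."""
    d = domain_local + foreign_universal + sid_history
    s = own_domain_global
    return BASE_BYTES + COSTLY_SID_BYTES * d + CHEAP_SID_BYTES * s


def exceeds_limit(size, max_token_size=DEFAULT_MAX_TOKEN_SIZE):
    """True when the estimate is over MaxTokenSize."""
    return size > max_token_size


def headroom(size, max_token_size=DEFAULT_MAX_TOKEN_SIZE):
    """(more 40-byte SIDs, more 8-byte SIDs) that would still fit."""
    remaining = max(max_token_size - size, 0)
    return remaining // COSTLY_SID_BYTES, remaining // CHEAP_SID_BYTES


def report(label, **counts):
    """One-line summary for a constructed membership scenario."""
    size = estimate_token_size(**counts)
    costly, cheap = headroom(size)
    flag = "OVER" if exceeds_limit(size) else "ok"
    return (f"{label}: ~{size} bytes [{flag}], room for {costly} more "
            f"40-byte SIDs or {cheap} more 8-byte SIDs")


if __name__ == "__main__":
    # Constructed scenarios: the same 213 memberships cost very different
    # amounts depending on group type, and SID history is the expensive part.
    print(report("213 own-domain global groups", own_domain_global=213))
    print(report("213 global + 150 SID-history entries",
                 own_domain_global=213, sid_history=150))
    print(report("213 domain-local groups", domain_local=213))
    print(report("70 global + 260 SID-history entries",
                 own_domain_global=70, sid_history=260))
```

A user in 213 own-domain global groups lands around 2.9 KB, while 260 SID history entries push even a 70-group user past the 12000-byte default, which is why the group count alone does not predict who breaks.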
From: Kitchens Arthur E <[EMAIL PROTECTED]>
Reply-To: [email protected]
To: "'[email protected]'" <[email protected]>
Subject: RE: [ActiveDir] Token Bloat
Date: Mon, 14 Nov 2005 10:32:19 -0500
From the other response I saw from Jorge de Almeida Pinto (thanks!) I'm thinking that maybe my confusion is stemming from what this really is, a Kerberos ticketing issue, not general access. Is that a correct or incorrect assumption? We have users that are in an inordinate number of groups (~213 is the grand prize winner), and sidhistories of various sizes are involved. We have seen this before, and addressed it by limited cleaning of sidhistory. But when we stumbled across these bloated group memberships (and bloated sidhistories), I expected the associated dysfunction to be widespread. That has not been reported. Also, I cloned the 213 group user and didn't see any access problems in limited and unscientific testing with the copy. I guess my question should have been "why would this not be a bigger problem?" We have a number of users who are in 70+ groups (and that's not even counting the sidhistory contents for those groups, which varies). The tokenz tool will be useful but I'm sure a bunch of these users are over the limit already. Thanks.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Monday, November 14, 2005 10:03 AM
To: [email protected]
Subject: RE: [ActiveDir] Token Bloat
Can you be more specific? Are you asking if the order of the tokens is FIFO related to group additions and if so, is it evaluated up to that point when the token is bloated beyond the maxtokensize?

Is there a reason you would want to know that? I'm thinking that you'd get unpredictable results to make this worthwhile and you'll be better off fixing the issue in the first place. Unless this is for some sort of audit after the fact and you want to prove/disprove when the issue would occur for that sake.

There's a utility (name escapes me at the moment) that lets you evaluate the token size on a command line. You may be able to set up some quick tests and see exactly what happens in this situation. I'll try to remember the name of the utility if somebody else doesn't chime in with it first.
Al
>From: Kitchens Arthur E <[EMAIL PROTECTED]>
>Reply-To: [email protected]
>To: [email protected]
>Subject: [ActiveDir] Token Bloat
>Date: Mon, 14 Nov 2005 07:59:01 -0500
>
> Might anyone know what actually happens in this situation? Do SIDs
>in the token up to maxtokensize get evaluated (is SID order within
>the token determined by sequence of group membership additions, if
>order even matters)? None of them? Something completely different from
>either of these two scenarios? Thanks in advance.
>
> A. E. Kitchens
>phone 904-301-3578
>fax 904-301-3625
>Atonally DO:RE:MI:FA:SO:LA:TI:DO
>Felis demulcta mitis
>
>
>"Reality is that which, when you stop believing in it, doesn't go away".
> -- Philip K. Dick
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/