Not sure where you're at with the number of groups per user.

I like to think of the initial setting for token size as a way of saying "You really need to get your security model under control or fix this user's group memberships". At 12k, you shouldn't really be pushing the limit until you're around 250 groups for a user. Bumping up to a larger token size is fine to fix your short-term issue, but ends up with users being members of potentially excessive (and possibly unnecessary) groups. It's one of those squeaky wheel things, where if it doesn't squeak, nobody's going to think about it. I'd recommend that in most situations you shouldn't modify the setting, simply so that your group memberships don't get out of hand, but if you find it's necessary, you should modify it in small increments (16k, then 20k, ...); every 4k should allow you to fit in another 80 groups or so.

Another good reason to limit the amount that you let your tokens grow is that Exchange on a 32-bit OS will use several tokens per user and there is only around 150MB (give or take) available in Paged Pool memory for tokens. Once you break that limit, you end up with your servers crashing. If you are running 12k tokens, you're cutting your maximum user count per Exchange server to a third of what you could fit on the server at 4k tokens (not counting other issues that would limit the Exchange server). Toss in other applications that leverage Exchange (instant messaging, some voicemail systems, BlackBerry-type services, etc.) and your users are using 6-10 tokens at 12k each... potentially cutting your user count on an Exchange server down to 1500-2000 per server before things start getting ugly. Keep your token sizes (and security group memberships) under control and you should be able to keep the Exchange user count per server up closer to 4k+.

Also, there is an absolute number of SIDs that a user token can handle before the userID will break (which isn't pretty), regardless of whether they're security groups or distribution list groups.

Read the following:

(token SID limitation)
http://www.microsoft.com/downloads/details.aspx?FamilyID=22dd9251-0781-42e6-9346-89d577a3e74a&DisplayLang=en
(Exchange issues with token size and paged pool memory)
http://support.microsoft.com/kb/912376
(good article about Exchange related token information)
http://msexchangeteam.com/archive/2005/12/07/415733.aspx

Matt
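As an added illustration of the sizing Matt describes above (not code from this thread or from any Microsoft tool), this small Python helper applies Microsoft's Windows 2000/2003-era token-size estimation formula (1200 bytes fixed, 40 bytes per domain-local or foreign-universal group SID, 8 bytes per global or same-domain universal group SID) to check a user's group counts against MaxTokenSize, and uses the rough paged-pool figures from the message above as assumed constants to bound Exchange users per server.

```python
"""Kerberos token-size estimate and paged-pool headroom (added example)."""

# Microsoft's Windows 2000/2003-era estimation formula: 1200 + 40*d + 8*s.
# Later Windows versions use a different formula; treat this as an estimate.
TOKEN_FIXED_OVERHEAD = 1200
BYTES_PER_D_GROUP = 40   # domain-local groups, universal groups from other domains, SID history
BYTES_PER_S_GROUP = 8    # global groups and universal groups in the account's own domain

# Assumed figures taken from the message above, not measured values.
DEFAULT_MAX_TOKEN_SIZE = 12000            # 12k MaxTokenSize
PAGED_POOL_FOR_TOKENS = 150 * 1024 * 1024  # ~150MB of paged pool usable for tokens


def estimate_token_size(d_groups: int, s_groups: int) -> int:
    """Estimated token size in bytes for a user with the given group counts."""
    return TOKEN_FIXED_OVERHEAD + BYTES_PER_D_GROUP * d_groups + BYTES_PER_S_GROUP * s_groups


def fits_in_token(d_groups: int, s_groups: int,
                  max_token_size: int = DEFAULT_MAX_TOKEN_SIZE) -> bool:
    """True if the estimated token stays within MaxTokenSize."""
    return estimate_token_size(d_groups, s_groups) <= max_token_size


def max_d_groups(max_token_size: int = DEFAULT_MAX_TOKEN_SIZE, s_groups: int = 0) -> int:
    """Worst-case headroom: how many 40-byte group SIDs fit beside s_groups."""
    remaining = max_token_size - TOKEN_FIXED_OVERHEAD - BYTES_PER_S_GROUP * s_groups
    return max(0, remaining // BYTES_PER_D_GROUP)


def users_per_exchange_server(token_size: int, tokens_per_user: int,
                              pool_bytes: int = PAGED_POOL_FOR_TOKENS) -> int:
    """Upper bound on concurrent users before token memory exhausts paged pool."""
    return pool_bytes // (token_size * tokens_per_user)


if __name__ == "__main__":
    # A user in 270 domain-local groups just fits a 12k token; one more does not.
    print(estimate_token_size(270, 0), fits_in_token(270, 0), fits_in_token(271, 0))
    # Each 4k increment buys about 100 worst-case groups (Matt's "80 or so").
    print(max_d_groups(12000), max_d_groups(16000))
    # 8 tokens of 12k vs 10 tokens of 4k per user against ~150MB of paged pool.
    print(users_per_exchange_server(12000, 8), users_per_exchange_server(4096, 10))
```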

On 7/11/06, Paul Williams <[EMAIL PROTECTED]> wrote:
You might also want to review this interesting white paper:

(that took me ages to find so please read it ;-)

--Paul
----- Original Message -----
From: Kurt Falde
Sent: Tuesday, July 11, 2006 2:24 AM
Subject: RE: [ActiveDir] Kerberos MaxTokenSize and too many groups issues

Tokensz

http://www.microsoft.com/downloads/details.aspx?FamilyID=4a303fa5-cf20-43fb-9483-0f0b0dae265c&DisplayLang=en

Kurt Falde


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Freddy HARTONO
Sent: Monday, July 10, 2006 9:16 PM
To: [email protected]
Subject: [ActiveDir] Kerberos MaxTokenSize and too many groups issues


Hi all

Have a badly designed application which is tapping on AD memberships for its grouping rights and user memberships to define their roles and permissions, and today found out that one of the users is unable to access the application, but standard logon access to Exchange mailbox etc. is working fine.

Digging further I'm seeing quite a few errors in the event log (details below) - then did a registry key of MaxTokenSize as below and everything seems to work fine. Also prior to this, running gpresult on the machine doesn't give any result at all.

Question - I was under the assumption that this applies to Win 2000 only, not XP or 2003, but apparently it does? Also, if I remember correctly there's a command or tool to calculate the token size of a user; does anybody have that tool again, please?

MaxTokenSize regkey
http://support.microsoft.com/?id=263693

Event Type:     Error
Event Source:   Userenv
Event Category: None
Event ID:       1000
Date:           7/7/2006
Time:           5:07:09 AM
User:           NT AUTHORITY\SYSTEM
Computer:       XXXXXXXXXX
Description:
Windows cannot determine the user or computer name. Return value (14).

Thank you and have a splendid day!

Kind Regards,

Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785