Kerberos Token Size Increase
I have a few questions I was wondering if someone could point me in the direction of. My organization has a fairly large Active Directory structure in place and we're starting to run into some issues with the Kerberos token size of some users being too big. We're trying to decide which route to go in - the increase token size route or the reduce group membership route (or some combination). I was wondering if someone could answer a few questions I had, or perhaps point me to any good articles explaining the subject more in-depth.

1.) Why did MS originally set the token size limit to 12K?
2.) Why wasn't it increased in later editions of Windows and Windows Server?
3.) What are the side effects of changing the limit to 64?
4.) Are there any security or performance-related problems we would encounter if we started to increase the size on a mass scale?
5.) Lastly, most of the users having problems are users that were migrated from another domain. I have read that those accounts bring with them "SID history", which can exacerbate the problem with token size. Is there any way to remedy this situation to remove the SID history? We currently still have a trust between our domain and the old domain - would breaking that trust help any?

Thanks in advance
February 11th, 2010 4:57pm

Bump... I don't really need every question answered - mostly I'd like to know the downsides to increasing the token size.
February 15th, 2010 4:40pm

Nevermind... thanks anyway...
February 19th, 2010 8:53pm

Tim, we have some similar issues here at my company. I asked our DSE (Dedicated Support Engineer) and his response was this:

There aren't any issues with doing this that I am aware of. We see the Registry change allowing people to connect that could not before, rather than creating problems in and of itself. The size of the tokens doesn't change for those users that weren't hitting the wall already, so those servers that are showing the problem will be more accommodating to the users with large tokens and the other users will be unaffected. Hopefully this is a minority of the user community.

The side effects of doing the Registry change relate primarily to the overall size of the amount of memory allocated for user tokens in Paged Pool. On a workstation this is probably a non-issue. On a busy server of the 32-bit variety, those users with large tokens will need additional memory allocated to hold those tokens. If a large number of users now has a larger memory allocation, then 32-bit boxes might be stressed in a way they haven't been before and may support fewer users. This is separate from the Kerberos token size. The workaround for one problem may set you up to see the other.

Andy Franklin
March 17th, 2010 12:02am
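Before deciding between raising the limit and trimming memberships, it helps to know how close each migrated user actually is to the 12K wall and how much of that is SID history. The script below is an added example, not something posted in this thread; it estimates a user's token size with the formula Microsoft publishes in KB 327825 (TokenSize = 1200 + 40d + 8s) and assumes the ActiveDirectory PowerShell module and read access to the constructed tokenGroups attribute.

```powershell
# Added example (not from the thread): estimate a user's Kerberos token size.
# Formula from Microsoft KB 327825:  TokenSize = 1200 + 40d + 8s
#   d = domain-local groups + universal groups from other domains + SIDs in sIDHistory
#   s = global groups + universal groups from the user's own domain
# Assumes the ActiveDirectory module and that the caller may read tokenGroups.
param([Parameter(Mandatory)][string]$SamAccountName)

Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName -Properties sIDHistory, distinguishedName
$userDomainSid = $user.SID.AccountDomainSid.Value

# tokenGroups is a constructed attribute that already expands nested membership,
# which is what ends up in the PAC; counting only memberOf would undercount.
$entry = [ADSI]"LDAP://$($user.DistinguishedName)"
$entry.RefreshCache(@("tokenGroups"))
$groupSids = $entry.Properties["tokenGroups"] | ForEach-Object {
    (New-Object System.Security.Principal.SecurityIdentifier($_, 0)).Value
}

$d = 0; $s = 0
foreach ($sid in $groupSids) {
    $group = Get-ADGroup -Identity $sid -Properties GroupScope -ErrorAction SilentlyContinue
    if (-not $group) { continue }   # well-known SIDs (Everyone etc.) are not AD groups
    $groupDomain = (New-Object System.Security.Principal.SecurityIdentifier($sid)).AccountDomainSid
    $sameDomain = ($groupDomain -ne $null) -and ($groupDomain.Value -eq $userDomainSid)
    switch ($group.GroupScope) {
        'DomainLocal' { $d++ }
        'Global'      { $s++ }
        'Universal'   { if ($sameDomain) { $s++ } else { $d++ } }
    }
}

# Each SID carried over in sIDHistory costs the same 40 bytes as a domain-local group,
# so migrated accounts show up here even when their group count looks modest.
$sidHistoryCount = @($user.sIDHistory).Count
$d += $sidHistoryCount

$estimate = 1200 + (40 * $d) + (8 * $s)
[pscustomobject]@{
    User            = $SamAccountName
    DomainLocalLike = $d
    GlobalLike      = $s
    SidHistory      = $sidHistoryCount
    EstimatedBytes  = $estimate
    Over12K         = ($estimate -gt 12000)
}
```

Run it against the migrated accounts that fail to log on: a high SidHistory column relative to the group counts is the signal that cleaning up sIDHistory (rather than raising MaxTokenSize everywhere) is the cheaper fix for those users.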

