Token generation
I have some doubts about the maximum number of group SIDs in a token and the domain local group SIDs in a token.
Scenario:
User is member of 300 global groups. Those global groups are member of DL groups so we have in total 900 transitive domain local groups used for access to resources.
Token max size is changed from default to maximum.
With the domain logon the token of the user contains 300 groups while domain local groups are not included yet. So we are not passing the maximum of 1015 and logon is successful.
The user connects to a resource computer and by impersonation a new token is generated based on the original. This one also includes the (transitive) domain local groups of the domain to which the computer that we are accessing belongs. Now this will be more than 1015 so token generation will fail. However, domain local groups of domains of which the computer is not a member will not be added.
If the statement above is correct, I would suggest the following solution:
Divide the resources between more domains, so there will be fewer domain local groups in a domain. So if we want to access resources in domain A, only the DL groups of A are added. Other resources could be in domain B.
That would mean that implementing a Role Based Access Control (which implies sometimes lots of DL groups) would influence a Domain structure design.
So my question is: am I wrong here?
I have been trying to do some serious investigation about this topic while RBAC and using the A DL G P principle in big organizations will run into the max SID in a token.
March 15th, 2011 12:28pm
Hello,
Thank you for your question.
I am currently looking into this problem and will give you an update as soon as possible.
Thank you for your understanding.
Regards,
Bruce
March 16th, 2011 6:47am
Hello,
There is a HARD built-in limit of 1025 user groups on an access token. It means that Windows cannot grant you access, either locally or when you access that computer over the network, if the resulting list of user groups (all domain and local and the system groups such as INTERACTIVE, EVERYONE etc.) would contain more than 1025. This limit cannot be modified anywhere.
There is also another DEFAULT limit of 8 kB (Windows 2000) or 12 kB (Windows XP, 2003 and newer) for Kerberos tickets that can be transported over the network. As global groups (and universals from your account domain) take 8 bytes and domain local groups (and all other domains' universals) take 40 bytes in the ticket, you are right that it would be about 300 domain local groups versus about 1000 global groups. So with this DEFAULT limit, you are somewhere between 300 and 1000 groups according to the extent of their scope mixture. This Kerberos transport limit can be changed in the registry and must be changed on all affected computers (also note that HTTP.SYS has its own limit on HTTP headers that would need to be adjusted as well on web servers).
You need to have this problem in mind when you design your group strategy. You can also decrease the number of groups for a computer account by using local groups only for some resources. The local groups will count only towards the access token limit of 1025 groups on the particular computer.
ADLGP is a good principle, but needs to be taken sensibly.
Also consider that most users will not need to have access to all of your hundreds of shares.
ondrej.
March 17th, 2011 8:43am
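A small calculator, added here and not part of either poster's reply, that applies the figures above (8 bytes per global group, 40 bytes per domain local group, 8 kB / 12 kB default ticket limits, 1025-group hard token limit) to the question's scenario. The fixed per-ticket overhead is not given in the thread, so it is an optional caller-supplied assumption, and the count of well-known system SIDs is a constructed estimate.

```python
from dataclasses import dataclass

# Figures quoted in the thread; the fixed per-ticket overhead is not given there.
HARD_TOKEN_GROUP_LIMIT = 1025          # hard limit on groups in an access token
GLOBAL_GROUP_BYTES = 8                 # global groups + universals of the account domain
DOMAIN_LOCAL_GROUP_BYTES = 40          # domain local groups + universals of other domains
DEFAULT_TICKET_LIMIT = {"windows2000": 8 * 1024, "xp_2003_plus": 12 * 1024}


@dataclass
class GroupMix:
    global_groups: int            # global/universal groups from the account domain
    domain_local_groups: int      # domain local groups added at the resource domain
    local_groups: int = 0         # machine-local groups: token only, never in the ticket
    system_groups: int = 10       # constructed estimate of well-known SIDs (EVERYONE, INTERACTIVE, ...)


def ticket_bytes(mix: GroupMix, overhead: int = 0) -> int:
    """Estimated Kerberos ticket group payload; overhead is a caller-supplied assumption."""
    return (overhead + GLOBAL_GROUP_BYTES * mix.global_groups
            + DOMAIN_LOCAL_GROUP_BYTES * mix.domain_local_groups)


def token_groups(mix: GroupMix) -> int:
    """Every SID that ends up in the access token, local and system groups included."""
    return mix.global_groups + mix.domain_local_groups + mix.local_groups + mix.system_groups


def check(mix: GroupMix, platform: str = "xp_2003_plus", overhead: int = 0) -> dict:
    """Report whether the mix fits the default ticket limit and the hard token limit."""
    size = ticket_bytes(mix, overhead)
    count = token_groups(mix)
    return {"ticket_bytes": size, "ticket_fits": size <= DEFAULT_TICKET_LIMIT[platform],
            "token_groups": count, "token_fits": count <= HARD_TOKEN_GROUP_LIMIT}


def max_domain_local_groups(global_groups: int, platform: str = "xp_2003_plus", overhead: int = 0) -> int:
    """How many 40-byte domain local groups still fit once the 8-byte globals are in the ticket."""
    remaining = DEFAULT_TICKET_LIMIT[platform] - overhead - GLOBAL_GROUP_BYTES * global_groups
    return max(0, remaining // DOMAIN_LOCAL_GROUP_BYTES)


def resource_mix(global_groups: int, dl_per_domain: dict, resource_domain: str) -> GroupMix:
    """Questioner's model: only the domain local groups of the resource computer's domain are added."""
    return GroupMix(global_groups, dl_per_domain.get(resource_domain, 0))


if __name__ == "__main__":
    # Constructed scenario from the question: 300 globals, 900 DL groups in one domain.
    print(check(GroupMix(300, 900)))
    # Same user after spreading the DL groups over three resource domains.
    spread = {"A": 300, "B": 300, "C": 300}
    print(check(resource_mix(300, spread, "A")), max_domain_local_groups(300))
```

With the question's 300 globals, spreading the 900 DL groups over three domains brings the token under the hard limit, but a 300-DL-group ticket still exceeds the 12 kB default, which is why the registry change the reply mentions is needed on every affected computer.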
Basically, I wouldn't change my domain design if I am running out of groups. I would rather change my group strategy. It is always best to have only a single domain forest.
ondrej.
March 17th, 2011 8:44am