Microsoft: Maximum number of groupmemberships for users (MaxTokenSize)

Today on of my colleagues was telling me about a Windows 7 deployment that was configured trough GPP but he noticed that not all the GPP settings where set somehow. He found a quick fix by removing the user from all the groups he was nested in, log the user in and add the user to all the groups again. When I heard this problem I knew I had seen this before in an environment with users in +200 nested groups in Windows 2008 R2. So I told him it could be the MaxTokenSize that has to be set to a proper value, Microsoft has an KB article to do so.

INTRODUCTION

On a domain controller that is running Windows 2000, Windows Server 2003, Windows Server 2008 or Windows Server 2008 R2, you can use Group Policy to add the following registry entry to multiple computers:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Entry: MaxTokenSize
Data type: REG_DWORD
Value: 65535

This article describes how to do this, so you can push this setting to all members of your domains easily.

MORE INFORMATION

To use Group Policy to add the registry entry to multiple computers, follow these steps:

 Start Notepad.

Copy the following text, and then paste the text into Notepad.

 

        CLASS MACHINE

            CATEGORY !!KERB

                KEYNAME “SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters”

                POLICY !!MaxToken

                     VALUENAME “MaxTokenSize”

                         VALUEON NUMERIC 65535

                         VALUEOFF NUMERIC 0

                END POLICY

END CATEGORY

[strings]

KERB=”Kerberos Maximum Token Size”

MaxToken=”Kerberos MaxTokenSize”

  •  Save the Notepad document as MaxTokenSize.adm in the %windir%\Inf\ folder on the domain controller.
  •  Exit Notepad.
  •  Create a new Group Policy object (GPO) that is linked at the domain level or that is linked to the organizational unit (OU).

Note The OU contains the computers to which you want to add the registry entry.

  •  Open Group Policy Object Editor. To do this, click Start, click Run, type gpedit.msc, and then click OK.
  •  In the console tree, expand Computer Configuration, expand Administrative Templates, and then click Administrative Templates.
  •  On the Action menu, point to All Tasks, and then click Add/Remove Templates.
  •  Click Add.
  •  Click to select the MaxTokenSize.adm file that you created in step 3, and then click Open.
  •  Click Close.
  •  On a Windows 2000-based domain controller, click to clear Show Policies Only on the Viewmenu.
  •  On a Windows Server 2003-based domain controller, follow these steps:
  •  On the View menu, click Filtering.
  •  Click to clear the Only show policy settings that can be fully managed check box, and then click OK.

In Windows Server 2008 domains and in Windows Server 2008 R2 domains, you can do this by modifying an existing Group Policy Object (GPO) or by creating a new GPO. Make sure that the GPO is linked to the correct portion of your Active Directory hierarchy so that the GPO applies to the computer accounts of the computers that you want to modify. To create the MaxTokenSize value setting in a GPO, follow these steps:

  •  Open the Group Policy Management Console (Gpmc.msc). To do this, click Start, click Run, type gpmsc.msc, and then click OK.
  •  In the Group Policy Management Console, right-click a Group Policy object, and then click Edit to open the Group Policy Management Editor window.
  •  Expand Computer Configuration, expand Preferences, and then expand Windows Settings.
  •  Right-click Registry, point to New, and then click Registry Item. The New Registry Properties dialog box appears.
  •  In the Action list, click Create.
  •  In the Hive list, click HKEY_LOCAL_MACHINE.
  •  In the Key Path list, click SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters.
  •  In the Value name box, type MaxTokenSize.
  •  In the Value type box, click to select the REG_DWORD check box.
  •  In the Value data box, type 65535.
  •  Next to Base, click to select the Decimal check box.
  •  Click OK.

 

After setting this value via GPP he couldn’t reproduce this problem anymore.

The following two tabs change content below.

Kees Baggerman

Kees Baggerman is a Staff Solutions Architect for End User Computing at Nutanix. Kees has driven numerous Microsoft and Citrix, and RES infrastructures functional/technical designs, migrations, implementations engagements over the years.

One comment

  1. GPO says:

    Current recommendation is to go not higher than 48.000 for this value.

Leave a Reply