Today on of my colleagues was telling me about a Windows 7 deployment that was configured trough GPP but he noticed that not all the GPP settings where set somehow. He found a quick fix by removing the user from all the groups he was nested in, log the user in and add the user to all the groups again. When I heard this problem I knew I had seen this before in an environment with users in +200 nested groups in Windows 2008 R2. So I told him it could be the MaxTokenSize that has to be set to a proper value, Microsoft has an KB article to do so.
On a domain controller that is running Windows 2000, Windows Server 2003, Windows Server 2008 or Windows Server 2008 R2, you can use Group Policy to add the following registry entry to multiple computers:
Data type: REG_DWORD
This article describes how to do this, so you can push this setting to all members of your domains easily.
To use Group Policy to add the registry entry to multiple computers, follow these steps:
Copy the following text, and then paste the text into Notepad.
VALUEON NUMERIC 65535
VALUEOFF NUMERIC 0
KERB=”Kerberos Maximum Token Size”
- Save the Notepad document as MaxTokenSize.adm in the %windir%\Inf\ folder on the domain controller.
- Exit Notepad.
- Create a new Group Policy object (GPO) that is linked at the domain level or that is linked to the organizational unit (OU).
Note The OU contains the computers to which you want to add the registry entry.
- Open Group Policy Object Editor. To do this, click Start, click Run, type gpedit.msc, and then click OK.
- In the console tree, expand Computer Configuration, expand Administrative Templates, and then click Administrative Templates.
- On the Action menu, point to All Tasks, and then click Add/Remove Templates.
- Click Add.
- Click to select the MaxTokenSize.adm file that you created in step 3, and then click Open.
- Click Close.
- On a Windows 2000-based domain controller, click to clear Show Policies Only on the Viewmenu.
- On a Windows Server 2003-based domain controller, follow these steps:
- On the View menu, click Filtering.
- Click to clear the Only show policy settings that can be fully managed check box, and then click OK.
In Windows Server 2008 domains and in Windows Server 2008 R2 domains, you can do this by modifying an existing Group Policy Object (GPO) or by creating a new GPO. Make sure that the GPO is linked to the correct portion of your Active Directory hierarchy so that the GPO applies to the computer accounts of the computers that you want to modify. To create the MaxTokenSize value setting in a GPO, follow these steps:
- Open the Group Policy Management Console (Gpmc.msc). To do this, click Start, click Run, type gpmsc.msc, and then click OK.
- In the Group Policy Management Console, right-click a Group Policy object, and then click Edit to open the Group Policy Management Editor window.
- Expand Computer Configuration, expand Preferences, and then expand Windows Settings.
- Right-click Registry, point to New, and then click Registry Item. The New Registry Properties dialog box appears.
- In the Action list, click Create.
- In the Hive list, click HKEY_LOCAL_MACHINE.
- In the Key Path list, click SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters.
- In the Value name box, type MaxTokenSize.
- In the Value type box, click to select the REG_DWORD check box.
- In the Value data box, type 65535.
- Next to Base, click to select the Decimal check box.
- Click OK.
After setting this value via GPP he couldn’t reproduce this problem anymore.
Latest posts by Kees Baggerman (see all)
- Recovering a Protection Domain snapshot to a VM - September 13, 2019
- Checking power settings on VMs using powershell - September 11, 2019
- Updated: VM Reporting Script for Nutanix with Powershell - July 3, 2019
- Updated (again!): VM Reporting Script for Nutanix AHV/vSphere with Powershell - June 17, 2019
- Updated: VM Reporting Script for Nutanix AHV with Powershell - April 8, 2019