In any Microsoft Active Directory forest, a user can only a member of 1024 groups but after allowing for up to 9 well known SIDS this number is actually 1015.
See KB http://support.microsoft.com/kb/328889
If a user exceeds the hard limit of 1015 group memberships they probably will not be able to logon.
- What do you do to rectify the issue?
- How do you find out what changed and caused a tipping point?
A quick visual method to see a user’s nested group memberships expanded, is to run the command:
dsget user “CN=Mark Parris,OU=Administration,DC=clickclicknext,DC=com” -memberof -expand
If this command returns a short list of groups then the membership of too many groups is probably not an issue, but if the command returns a scrolling list of group memberships then we need to utilise NTDSUTIL. NTDSUTIL has within it a command that you may not even know is there, unless you have this specific issue.
The command is group membership evaluation
At an elevated command prompt.
group membership evaluation
set account DC nameOfDC
set global catalog nameOfDC
set resource dc nameOfDC
run clickclicknext.com mark.parris
clickclicknext.com is the fqdn of your domain and mark.parris is the username.
The output of this command is a .tsv file and will be found in the path of the prompt (run it from C:\Temp it will be in C:\Temp), this file can be renamed to a .csv.
The report produces a lot of interesting information in a tabular format.
The report will have these column headings.
SID in token
SID History Count
Active Directory Domain Controller Queried
Group Owner SID
Member WhenChanged (UTC)
GroupType WhenChanged (UTC)
One Level MemberOf Count
Total MemberOf Count
Depth From User
Closest Parent OU
From the column heading, there are specific columns with timestamps, if these are then sorted upon, it will tell you what group or groups were modified most recently, these changes then need to be understood and reversed or perhaps other legacy group memberships identified and removed.
As I review and update my old consulting notes I have decided to publishing them.
These are by no means definitive and are intended as an ‘aide memoire’.
Associated Post: MaxTokenSize – Change of recommendation from Microsoft