Windows Server

In any Microsoft Active Directory forest a user's access token can hold at most 1024 SIDs. Up to 9 of those are taken by well-known SIDs, so the effective limit on group memberships (nested groups and SID history included) is 1015.
See KB http://support.microsoft.com/kb/328889

If a user exceeds the hard limit of 1015 group memberships they will probably not be able to log on.

  • What do you do to rectify the issue?
  • How do you find out what changed and caused a tipping point?

A quick visual way to see a user's nested group memberships expanded is to run the command:

dsget user "CN=Mark Parris,OU=Administration,DC=clickclicknext,DC=com" -memberof -expand

If this command returns a short list of groups then membership of too many groups is probably not the issue. If it returns a scrolling list of group memberships then we need to utilise NTDSUTIL, which has a command you may not even know is there unless you have had this specific problem.

The command is group membership evaluation

At an elevated command prompt.

Type

ntdsutil

group membership evaluation

set account DC nameOfDC

set global catalog nameOfDC

set resource dc nameOfDC

run clickclicknext.com mark.parris

clickclicknext.com is the FQDN of your domain and mark.parris is the username.

The output of this command is a .tsv file written to the current directory of the prompt (run it from C:\Temp and it will be in C:\Temp); the file can be renamed to .csv and opened in Excel.
The report produces a lot of interesting information in a tabular format.

The report will have these column headings.

SID in token
SID type
SID History Count
Distinguished Name
SamAccountName
Active Directory Domain Controller Queried
Group Owner
Group Owner SID
WhenCreated (UTC)
WhenChanged (UTC)
Member WhenChanged (UTC)
GroupType WhenChanged (UTC)
One Level MemberOf Count
Total MemberOf Count
Group Type
Depth From User
Closest Parent OU

Several of these columns are timestamps. Sort the report on them and it will tell you which group or groups were modified most recently; those changes then need to be understood and reversed, or other legacy group memberships identified and removed to bring the user back under the limit.
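The same check can be scripted. The following is an added example, not part of the original post or of NTDSUTIL: it uses the ActiveDirectory RSAT module to expand a user's nested security group memberships server-side, counts the SIDs that will land in the token (user, primary group, every group, and every SID history entry), flags the 1015 limit, and lists the groups most recently changed first, which is the sort the ntdsutil report is used for. The domain controller name and the CSV path are assumed values; the account and domain are the post's own sample.

```powershell
# Added example: expanded group membership and token SID count for one user.
# Requires the ActiveDirectory module (RSAT) and a DC to query.
Import-Module ActiveDirectory

# 1024 SIDs fit in a token; 9 are reserved for well-known SIDs (KB 328889)
$TokenSidLimit = 1015

function Get-TokenGroupReport {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$Server,      # DC or GC to query; omit to use the local domain
        [string]$OutCsv       # optional .csv path, the equivalent of the ntdsutil .tsv
    )
    $ad = @{}
    if ($Server) { $ad.Server = $Server }

    $user = Get-ADUser -Identity $SamAccountName @ad -Properties SIDHistory

    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) resolves nested membership
    # on the server, giving the expanded list that "dsget user ... -memberof -expand" shows.
    # A DN containing ( ) * or \ must be escaped per RFC 4515 before use in the filter.
    $groups = Get-ADGroup @ad -Properties whenCreated, whenChanged, groupType, SIDHistory `
        -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
        # Only security-enabled groups (bit 31 of groupType) enter the token
        Where-Object { ($_.groupType -band 0x80000000) -ne 0 }

    $rows = foreach ($g in $groups) {
        $scope = switch ($g.groupType -band 0xE) {
            2 { 'Global' } 4 { 'DomainLocal' } 8 { 'Universal' } default { 'Unknown' }
        }
        [pscustomobject]@{
            Name              = $g.Name
            Scope             = $scope
            SIDHistoryCount   = @($g.SIDHistory).Count
            WhenCreated       = $g.whenCreated
            WhenChanged       = $g.whenChanged
            DistinguishedName = $g.DistinguishedName
        }
    }
    # Most recently changed groups first: the tipping point is usually near the top
    $rows = $rows | Sort-Object WhenChanged -Descending

    # SIDs in the token: the user, the primary group, each group, plus every
    # SID history entry carried by the user or by one of the groups
    $sidCount = 2 + @($rows).Count + @($user.SIDHistory).Count +
                ($rows | Measure-Object SIDHistoryCount -Sum).Sum

    if ($OutCsv) { $rows | Export-Csv -Path $OutCsv -NoTypeInformation }

    [pscustomobject]@{
        User      = $user.SamAccountName
        SidCount  = $sidCount
        OverLimit = ($sidCount -gt $TokenSidLimit)
        Groups    = $rows
    }
}

# Usage with the post's sample account; DC name and output path are assumed
$report = Get-TokenGroupReport -SamAccountName 'mark.parris' `
            -Server 'dc01.clickclicknext.com' -OutCsv 'C:\Temp\mark.parris-groups.csv'
"{0}: {1} SIDs in token (limit {2}), over limit: {3}" -f `
    $report.User, $report.SidCount, $TokenSidLimit, $report.OverLimit
$report.Groups | Select-Object -First 10 Name, Scope, WhenChanged | Format-Table -AutoSize
```

The LDAP query only sees groups in the domain of the DC you point it at. In a multi-domain forest run it once per domain (domain local groups in a resource domain are not held on a global catalog), or rely on the ntdsutil report, which queries the account DC, the global catalog and the resource DC separately for exactly that reason.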


As I review and update my old consulting notes I have decided to publish them.
These are by no means definitive and are intended as an 'aide memoire'.

Comments welcome.

Associated Post: MaxTokenSize – Change of recommendation from Microsoft


Microsoft have stated for numerous years that anyone with Kerberos authentication issues caused by users being in too many groups (commonly known as token bloat) should increase MaxTokenSize to 65535 bytes.

Whilst reading the Understand and Troubleshoot Dynamic Access Control in Windows Server 2012 guide, I read that

"Previous versions of Windows had a default maximum token size of 12k. However, this value remained too low for many environments and required reconfiguring each computer in the enterprise. Windows Server 2012 and Windows 8 increase the default maximum token size to 48k. This new value is the maximum viable size for SSPI tokens in Windows and may require additional settings changes for applications to support. For example, HTTP settings are required for SSPI tokens over 12K."

The article How to use Group Policy to add the MaxTokenSize registry entry to multiple computers also stated the 48K maximum, with similar reasoning.

“The maximum allowed value of MaxTokenSize is 65535 bytes. However, because of HTTP’s base64 encoding of authentication context tokens, we do not recommend that you set the maxTokenSize registry entry to a value larger than 48000 bytes. Starting with Windows Server 2012, the default value of the MaxTokenSize registry entry is 48000 bytes”.

This led me to do a little further research, as Microsoft stated in the article Active Directory Maximum Limits – Scalability that the "maximum recommended size for a Kerberos ticket is 65,535 bytes".

Getting nowhere fast, I had an email exchange with the Active Directory documentation team, and it was confirmed that this value should now be set to 48K.

The Active Directory Maximum Limits – Scalability website should be updated soon (approx. 09/05/2013) to confirm this.

The question to ask now is: I have set MaxTokenSize to 65535 bytes, should I change it to 48000 bytes?

So I asked the question:-

“What happens to people who have set the key to 65535? Should they test and change it to 48000 now?  Will Windows Server 2012 break? Will things fail as a result of having it set to the maximum?”

The response:-

Kerberos itself doesn't really understand the concept of a token size because what it transports is opaque to the protocol.

Applications, however, are different and can implement their own constraints such as buffer size. Applications ask SSPI (Kerberos) for the size of the authorization buffer of the authenticating user. If the size reported back is greater than the buffer allocated by the application, authentication fails. The size reported back is the actual size, not the maximum size. Therefore, with MaxToken set to 65k and authorization data amounting to 12k, Windows will only report back 12k. MaxTokenSize simply limits the maximum value the SSPI can return to an application. Prior to Windows 8/2012, most environments would set MaxTokenSize to the maximum because it was nearly impossible to determine a user's true token size. Therefore, if you set it to the max and still had an authentication problem, it was not because of MaxTokenSize (at which point engineers would instruct customers to return the setting to the prior value).

With MaxTokenSize defaulting to the max authentication buffer size for IIS, there shouldn't be an authentication problem resulting from token size. HTTP caps out at 48k. Making it higher won't fix the authentication issue, so people gain nothing by increasing it.

While the setting in the documentation should mostly be harmless, we should suggest 48k as the ideal setting for MaxTokenSize and point to the Group Policy setting in Windows Server 2012/Windows 8 as the means by which to modify it.

http://blogs.technet.com/b/askds/archive/2012/09/12/maxtokensize-and-windows-8-and-windows-server-2012.aspx

and now we know.
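To make the 48K reasoning concrete, here is an added example that is not from the post or from Microsoft's reply. It reads the effective MaxTokenSize from the registry (falling back to the 12000/48000 byte defaults by OS version), estimates a user's token size with the formula from Microsoft KB 327825 (TokenSize = 1200 + 40d + 8s), and checks whether the base64-encoded Negotiate header would fit inside HTTP.sys's MaxFieldLength limit (default 16384 bytes, maximum 65534, KB 820129). The group counts used at the end are constructed sample numbers; take real ones from the ntdsutil report above.

```powershell
# Added example: effective MaxTokenSize, estimated token size and the HTTP.sys ceiling.
$KerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$HttpKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

function Get-EffectiveMaxTokenSize {
    $v = (Get-ItemProperty -Path $KerbKey -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize
    if ($null -ne $v) { return [int]$v }
    # No override present: default is 12000 bytes before Windows 8/2012 (NT 6.2), 48000 from there on
    $os = [version](Get-CimInstance Win32_OperatingSystem).Version
    if ($os -ge [version]'6.2') { 48000 } else { 12000 }
}

# KB 327825 estimate: d = domain local groups + universal groups from outside the account
# domain + SID history entries; s = global groups + universal groups from the account domain
function Get-EstimatedTokenSize {
    param([int]$DomainLocal, [int]$Global, [int]$SidHistory = 0)
    1200 + 40 * ($DomainLocal + $SidHistory) + 8 * $Global
}

# HTTP.sys rejects any header line longer than MaxFieldLength with HTTP 400.
# The token travels base64-encoded in "Authorization: Negotiate <blob>", so it grows by 4/3.
function Test-TokenFitsHttp {
    param([int]$TokenBytes, [int]$MaxFieldLength = 16384)
    $encoded = [int](4 * [math]::Ceiling($TokenBytes / 3)) + 'Authorization: Negotiate '.Length
    [pscustomobject]@{
        TokenBytes     = $TokenBytes
        EncodedHeader  = $encoded
        MaxFieldLength = $MaxFieldLength
        Fits           = ($encoded -le $MaxFieldLength)
    }
}

$max = Get-EffectiveMaxTokenSize
$mfl = (Get-ItemProperty -Path $HttpKey -Name MaxFieldLength -ErrorAction SilentlyContinue).MaxFieldLength
if ($null -eq $mfl) { $mfl = 16384 }
"Effective MaxTokenSize: $max bytes; HTTP.sys MaxFieldLength: $mfl bytes"

# Why 48000 is the useful ceiling: a 48000-byte token needs a 64025-character header line,
# which only fits once MaxFieldLength is raised to its 65534 cap, and 65535 bytes never fits.
Test-TokenFitsHttp -TokenBytes 48000 -MaxFieldLength 65534   # Fits = True
Test-TokenFitsHttp -TokenBytes 65535 -MaxFieldLength 65534   # Fits = False

# Constructed sample user: 600 domain local and 300 global group SIDs -> 27600 bytes estimated
$est = Get-EstimatedTokenSize -DomainLocal 600 -Global 300
Test-TokenFitsHttp -TokenBytes $est -MaxFieldLength $mfl

# To apply the recommended value by registry (Windows 8/2012 also expose it as the policy
# "Set maximum Kerberos SSPI context token buffer size" under Computer Configuration >
# Policies > Administrative Templates > System > Kerberos):
# Set-ItemProperty -Path $KerbKey -Name MaxTokenSize -Type DWord -Value 48000
```

If you do raise MaxFieldLength on an IIS host, raise MaxRequestBytes in the same key as well, since the whole request line plus headers must also fit within that second limit, and restart the HTTP service for either change to take effect.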

I have previously written about this, but feel it is worthy of another mention. Microsoft have hidden away on their WHDC (Windows Hardware Developer Central) website an excellent document, Performance Tuning Guidelines for Windows Server 2008 R2. It is worth a read as it details lots of changes in functionality that can affect performance.

The paper was last updated on May 16th 2011 and details:

Choosing and Tuning Server Hardware
Performance Tuning for the Networking Subsystem
Performance Tuning for the Storage Subsystem
Performance Tuning for Web Servers
Performance Tuning for File Servers
Performance Tuning for Active Directory Servers
Performance Tuning for Remote Desktop Session Host (formerly Terminal Server)
Performance Tuning for Remote Desktop Gateway
Performance Tuning for Virtualization Servers
Performance Tuning for File Server Workload (NetBench)
Performance Tuning for File Server Workload (SPECsfs2008)
Performance Tuning for Network Workload (NTttcp)
Performance Tuning for Remote Desktop Services Knowledge Worker Workload
Performance Tuning for SAP Sales and Distribution Two-Tier Workload
Performance Tuning for TPC-E Workload

October 2012 Update: 

Updated Server Core Installation Option, Correct Memory Sizing for Child Partitions, and Correct Memory Sizing for Root Partition.

September 2012 Update:

Further updates to the Performance Tuning guidance for the TPC-E Workload section

May 2011 Update:

“Performance Tuning for Web Servers” – Updated guidance to reflect that Http.sys manages connections automatically.

“Performance Tuning for File Servers” – Fixed typos in NFS Server tuning parameter registry keys.

“Performance Tuning for Virtualization Servers” – Added information about Dynamic Memory tuning.

“Performance Tuning for TPC-E Workload” – Clarified tuning guidance.

“Resources” – Updated references.

October 15th Update:

Throughout the paper – Clarified some explanations; clarified energy consumption vs. power consumption.

“Interrupt Affinity” – Added recommendation to use device-specific mechanism for binding interrupts, if supported by the driver model.

“Network-Related Performance Counters” – Added IPv6 and TCPv6.

“Performance Tuning for the Storage Subsystem” – Various minor updates throughout.

“Performance Tuning for File Servers” –Added guidance for NtfsDisableLastAccessUpdate; added “Tuning Parameters for NFS Server”, “File Server Tuning Example”, and “File Client Tuning Example”.

“Performance Tuning for Remote Desktop Session Host” – Added references to two new white papers on capacity planning.

“Monitoring and Data Collection” (multiple sections) – Updated the list of counters to monitor.

“Performance Tuning for File Server Workload (SPECsfs2008)” – New section.

“Performance Tuning for SAP Sales and Distribution Two-Tier Workload” – Substantial updates to the whole section.

“Performance Tuning for TPC-E Workload” – New section.

“Resources” – A few additions and updates.


If you are looking to understand what the security policies in Windows 7 and Windows Server 2008 R2 mean and how they can impact your environment, then this guide is a must read.

Threats and Countermeasures Guide: Security Settings in Windows 7 and Windows Server 2008 R2

The document covers the following categories in some depth:

Account Policies

This section discusses the Group Policy settings that are applied at the domain level: password policies, account lockout policies, and Kerberos protocol authentication policies.

Advanced Security Audit Policy

This section discusses the use of advanced audit policy settings, which are now integrated with Group Policy to monitor and enforce your security measures. It describes the various settings, and it provides examples of how audit information is modified when the settings are changed.

User Rights

This section discusses the various logon rights and privileges that are provided by the Windows 7 and Windows Server 2008 R2 operating systems, and it provides guidance about which accounts should be assigned these rights.

Security Options

This section provides guidance about security settings for digital data signatures, Administrator and Guest account names, drive access, driver installation behaviour, and logon prompts.

Event Log

This section provides guidance about how to configure the settings that relate to the various event logs on computers running Windows Server 2008 R2 or Windows 7.

System Services

Windows Server 2008 R2 and Windows 7 include a variety of system services. Many of these services are configured to run by default, but others are not present unless you install specific components. This section describes the various services included with the operating systems so that you can best decide which ones to leave enabled and which ones can be safely disabled.

Software Restriction Policies

This section provides a brief overview of the Software Restriction Policy feature that is available in Windows Server 2008 R2 and Windows 7. It provides links to additional resources about how to design and use policy settings to control which applications can be used in your organization.

Application Control Policies

This section provides a brief overview of the AppLocker™ feature that is available in Windows Server 2008 R2 and Windows 7. It provides links to additional resources about how to design and use policy settings to control which applications can be used in your organization.

External Storage Devices

This section describes Group Policy settings that can be used to limit, prevent, or allow the use of external storage devices in networked computers.

Additional Resources

This section provides links to additional information sources about Windows security topics from Microsoft that you may find useful.


After installing Service Pack 1 on Windows 7 or Windows Server 2008 R2 you retain, by default, the ability to uninstall the service pack and roll back to the previous state. If you are confident that you will not need to roll back the service pack later, the installation can be made permanent by running DISM /online /Cleanup-Image /SPSuperseded from an elevated prompt; once that has run the service pack can no longer be uninstalled. On average this has reclaimed over 2GB per server for me. That is not much space these days, but if you have a lot of VMs running like this those 2GB add up.

Microsoft have just released an interesting KB article on large sector drive support in the various versions of Windows.

Over the next few years, the data storage industry will be transitioning the physical format of hard disk drives from 512-byte sectors to 4096-byte sectors (also known as 4K sectors). This transition is driven by several factors, including increases in storage density and reliability.

Specific requirements for Microsoft support by OS version

Windows Vista and Windows Server 2008:

  • Install the hotfix from the following Microsoft Knowledge Base (KB) article:
    2470478  (http://support.microsoft.com/kb/2470478/ ) Applications that are built on ESENT and that run on a Windows Vista-based or Windows Server 2008-based computer may not work correctly after the reported physical sector size of the storage device changes
  • Make sure that the drivers and firmware for your storage controller and for your other hardware components are updated. Also make sure that they support large sector drives.

Windows 7 and Windows Server 2008 R2:

  • Install Service Pack 1 (SP1), or install the update from the following KB article:
    982018  (http://support.microsoft.com/kb/982018/ ) An update that improves the compatibility of Windows 7 and Windows Server 2008 R2 with Advanced Format Disks is available
  • Make sure that the drivers and firmware for your storage controller and other hardware components are updated. Also make sure that they support large sector drives.
  • Use the updated Windows Preinstallation Environment (Windows PE) for SP1 that will be released as part of the updated pieces of the SP1 Windows Automated Installation Kit (AIK) and of the Windows OEM Preinstallation Kit (OPK). Or, embed update 982018 into Windows PE.

Windows Server 2003 and Windows XP:

Any large sector disks, such as Advanced Format drives, are not supported by Microsoft for installation on systems that are running Windows Server 2003, Windows Server 2003 R2, or Windows XP.
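The requirements above can be checked on a host before a drive swap. This is an added example, not from the KB or the post: it classifies the OS against the KB's per-version rules (SP1 or update 982018 on Windows 7 / 2008 R2, update 2470478 on Vista / 2008, unsupported on XP / 2003), then reads the logical and physical sector size of each NTFS volume from fsutil, which reports Bytes Per Physical Sector only once update 982018 or SP1 is installed. Run it from an elevated prompt, since fsutil needs it; the Status strings are this example's own labels.

```powershell
# Added example: large sector (Advanced Format) readiness check for one host.
function Test-HotFixInstalled {
    param([string]$Id)
    [bool](Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

function Test-AdvancedFormatSupport {
    $os  = Get-CimInstance Win32_OperatingSystem
    $ver = [version]$os.Version
    $sp1 = $os.ServicePackMajorVersion -ge 1

    $status =
        if ($ver.Major -eq 6 -and $ver.Minor -eq 1) {
            # Windows 7 / Server 2008 R2: SP1 bundles update 982018, otherwise the hotfix must be present
            if ($sp1 -or (Test-HotFixInstalled 'KB982018')) { 'Supported (check storage drivers and firmware)' }
            else { 'Needs SP1 or update 982018' }
        } elseif ($ver.Major -eq 6 -and $ver.Minor -eq 0) {
            # Windows Vista / Server 2008: ESENT fix from update 2470478
            if (Test-HotFixInstalled 'KB2470478') { 'Supported (check storage drivers and firmware)' }
            else { 'Needs update 2470478' }
        } elseif ($ver.Major -lt 6) {
            'Unsupported (Windows XP / Server 2003)'
        } else {
            'Not covered by this KB'
        }

    [pscustomobject]@{
        OS          = $os.Caption
        Version     = $ver
        ServicePack = $os.ServicePackMajorVersion
        Status      = $status
    }
}

function Get-VolumeSectorInfo {
    Get-CimInstance Win32_LogicalDisk -Filter "DriveType=3 AND FileSystem='NTFS'" | ForEach-Object {
        $out = fsutil fsinfo ntfsinfo $_.DeviceID 2>&1 | Out-String
        $logical  = if ($out -match 'Bytes Per Sector\s*:\s*(\d+)')          { [int]$Matches[1] } else { $null }
        # Line absent or "<Not Supported>" on builds without update 982018 / SP1
        $physical = if ($out -match 'Bytes Per Physical Sector\s*:\s*(\d+)') { [int]$Matches[1] } else { $null }

        $kind =
            if ($null -eq $physical)                         { 'Unknown (fsutil not updated or not reported)' }
            elseif ($physical -eq 512)                       { '512n (native 512-byte sectors)' }
            elseif ($logical -eq 512 -and $physical -gt 512) { '512e (Advanced Format, 512-byte emulation)' }
            else                                             { '4Kn (4096-byte logical sectors)' }

        [pscustomobject]@{
            Drive          = $_.DeviceID
            LogicalSector  = $logical
            PhysicalSector = $physical
            Kind           = $kind
        }
    }
}

Test-AdvancedFormatSupport | Format-List
Get-VolumeSectorInfo | Format-Table -AutoSize
```

A 512e drive shows 512 logical and 4096 physical bytes and is what the KB's Windows 7 / 2008 R2 requirements are about; the OS check only covers updates, so the driver and firmware requirement in the list above still has to be confirmed with the storage vendor.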

The full KB article is here.