Monthly Archives: September 2014

Check for potential token size issues

If a user is a member of too many groups they might run into authentication problems. Those problems are related to the size of their Kerberos token.
An article describing this and potential workarounds/fixes is available at: http://support.microsoft.com/kb/327825.

I wanted an easy way to check what token size a user might have, so I created an advanced function for this.

It supports pipelining of the identity, you can optionally specify a server (domain or domain controller), and it returns the estimated token size of that user together with information on how many groups the user is a member of (including nested groups).

It uses an LDAP filter with the LDAP_MATCHING_RULE_IN_CHAIN rule to find all the groups, including nested ones. The "builtin" groups like Domain Users etc. are excluded when using this method, and obviously so are any local groups on a server, but it should be accurate enough to check if the user might have token size issues.

A usage example:

PS> Get-ADUser -Filter { DisplayName -eq 'Anders Wahlqvist' } | Get-ADTokenSize

DistinguishedName : CN=Anders Wahlqvist,OU=Users,DC=Domain,DC=com
EstimatedTokenSize : 1992
GlobalGroups : 55
UniversalGroups : 44
DomainLocalGroups : 0
GroupsWithSidHistory : 0
AllGroups : 99

The code is available here.
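As an added example (not the post's own function, which is behind the link above), here is an advanced function that follows the same approach: one LDAP_MATCHING_RULE_IN_CHAIN query for the user's group chain, then the estimate from KB 327825 of 1200 bytes plus 40 bytes per domain local group or group with SID history plus 8 bytes per global or universal group. Universal groups are placed in the 8-byte bucket so that the numbers match the sample output above (1200 + 8 * 99 = 1992). The Security-only group filter, the LDAP filter escaping and the comparison against a MaxTokenSize value (12000 bytes was the default before Windows 8 / Server 2012, 48000 after) are assumptions added here; it requires the ActiveDirectory module.

```powershell
function Get-ADTokenSizeEstimate {
    [CmdletBinding()]
    param(
        # Accepts Get-ADUser output directly, since ADUser objects expose DistinguishedName
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [string]$DistinguishedName,

        # Optional domain or domain controller to query
        [string]$Server,

        # Assumed threshold: 12000 bytes (pre-2012 default); newer systems default to 48000
        [int]$MaxTokenSize = 12000
    )

    begin {
        Import-Module ActiveDirectory -ErrorAction Stop
        $common = @{}
        if ($Server) { $common.Server = $Server }
    }

    process {
        # Escape characters that are special in an LDAP filter (RFC 4515) so a DN
        # containing parentheses, asterisks or backslashes does not break the query
        $escaped = $DistinguishedName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

        # LDAP_MATCHING_RULE_IN_CHAIN walks nested membership on the server side.
        # Note: the primary group (Domain Users) is not linked via "member" and is not returned.
        $filter = "(member:1.2.840.113556.1.4.1941:=$escaped)"

        # Only security groups end up in the Kerberos PAC, so distribution groups are ignored
        $groups = @(Get-ADGroup -LDAPFilter $filter -Properties SIDHistory @common |
                    Where-Object { $_.GroupCategory -eq 'Security' })

        $global      = @($groups | Where-Object { $_.GroupScope -eq 'Global' })
        $universal   = @($groups | Where-Object { $_.GroupScope -eq 'Universal' })
        $domainLocal = @($groups | Where-Object { $_.GroupScope -eq 'DomainLocal' })
        $sidHistory  = @($groups | Where-Object { $_.SIDHistory.Count -gt 0 })

        # KB 327825: TokenSize = 1200 + 40d + 8s
        #   d = domain local groups + groups carrying SID history (40 bytes each)
        #   s = global and universal groups (8 bytes each)
        $estimate = 1200 + 40 * ($domainLocal.Count + $sidHistory.Count) + 8 * ($global.Count + $universal.Count)

        [PSCustomObject]@{
            DistinguishedName    = $DistinguishedName
            EstimatedTokenSize   = $estimate
            GlobalGroups         = $global.Count
            UniversalGroups      = $universal.Count
            DomainLocalGroups    = $domainLocal.Count
            GroupsWithSidHistory = $sidHistory.Count
            AllGroups            = $groups.Count
            ExceedsMaxTokenSize  = ($estimate -gt $MaxTokenSize)
        }
    }
}

# Usage, mirroring the post: pipe a user in, optionally naming a DC and the MaxTokenSize in use
# Get-ADUser -Filter { DisplayName -eq 'Anders Wahlqvist' } | Get-ADTokenSizeEstimate -Server 'dc01.domain.com'
```

Because the estimate leaves out the primary group and any local groups on the target server, treat it as a lower bound: a user whose estimate sits just under the configured MaxTokenSize can still fail on a machine that adds local group SIDs to the token.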