If a user is a member of too many groups, they might run into authentication problems. Those problems are related to the size of their Kerberos token, which grows with every group SID the ticket has to carry.
An article describing this and potential workarounds/fixes is available at: http://support.microsoft.com/kb/327825.
I wanted an easy way to check what token size a user might have, so I created an advanced function for this.
It supports pipelining of the identity, you can specify a server (domain or domain controller) if you want to, and it returns the estimated token size of that user together with some information on how many groups the user is a member of (including nested groups).
It uses an LDAP filter (LDAP_MATCHING_RULE_IN_CHAIN) to find all the groups, nested ones included. Groups that are not expressed through the member attribute, such as the user's primary group (Domain Users by default), are not found by this method, and obviously neither are any local groups on a server, but it should be accurate enough to check whether the user might have token size issues.
A usage example:
PS> Get-ADUser -Filter { DisplayName -eq 'Anders Wahlqvist' } | Get-ADTokenSize

DistinguishedName    : CN=Anders Wahlqvist,OU=Users,DC=Domain,DC=com
EstimatedTokenSize   : 1992
GlobalGroups         : 55
UniversalGroups      : 44
DomainLocalGroups    : 0
GroupsWithSidHistory : 0
AllGroups            : 99
The code is available here.
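To make the method concrete, here is an added example that is not the post's Get-ADTokenSize (that code is linked above) but shows the same two steps it describes: a transitive LDAP_MATCHING_RULE_IN_CHAIN query for the user's groups, followed by the KB 327825 estimate TokenSize = 1200 + 40d + 8s. It also answers the question of how to read the number, by comparing the estimate against a MaxTokenSize threshold. The function name, the parameter names and the 12000-byte default (the pre-Windows 8 MaxTokenSize default from the KB article) are this example's own choices; it assumes the ActiveDirectory module is loaded. The example output of 1992 bytes above matches this formula: 99 groups in the user's own domain at 8 bytes each, plus the 1200-byte ticket overhead.

```powershell
# Added example, not the Get-ADTokenSize function from the post. Assumes the
# ActiveDirectory module (RSAT) is available. Estimates a user's Kerberos token
# size with the KB 327825 formula:
#   TokenSize = 1200 + 40*d + 8*s
#   d = domain local groups + universal groups from another domain + SIDs in sIDHistory
#   s = global groups + universal groups from the user's own domain
function Get-EstimatedTokenSize {
    [CmdletBinding()]
    param(
        # Anything Get-ADUser -Identity accepts (SamAccountName, DN, SID, ADUser object).
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('DistinguishedName', 'SamAccountName')]
        $Identity,

        # Domain or domain controller to query; defaults to the current domain.
        [string]$Server,

        # Threshold to compare against (example default). 12000 is the default
        # MaxTokenSize up to Windows 7 / Server 2008 R2; Windows 8 / Server 2012
        # raised the default to 48000. Adjust to what your clients actually use.
        [int]$MaxTokenSize = 12000
    )
    process {
        $adArgs = @{}
        if ($Server) { $adArgs.Server = $Server }

        $user = Get-ADUser -Identity $Identity -Properties SIDHistory @adArgs

        # Escape the DN for use inside an LDAP filter (RFC 4515). A DN such as
        # "CN=Wahlqvist\, Anders,..." would otherwise break or change the filter.
        $dn = $user.DistinguishedName
        $escapedDn = $dn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

        # 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) follows the member
        # attribute transitively, so nested groups are included. The primary group
        # (Domain Users by default) lives in primaryGroupID, not member, and is not
        # returned. Only security-enabled groups (groupType bit 0x80000000) end up in
        # the token, so distribution groups are filtered out with the bitwise AND rule.
        $filter = "(&(groupType:1.2.840.113556.1.4.803:=2147483648)" +
                  "(member:1.2.840.113556.1.4.1941:=$escapedDn))"
        $groups = @(Get-ADGroup -LDAPFilter $filter @adArgs)

        # Universal groups from another domain cost 40 bytes each, from the user's
        # own domain 8 bytes; compare the domain part of the SIDs to tell them apart.
        $userDomainSid  = $user.SID.AccountDomainSid
        $global         = @($groups | Where-Object GroupScope -eq 'Global').Count
        $domainLocal    = @($groups | Where-Object GroupScope -eq 'DomainLocal').Count
        $universalSame  = @($groups | Where-Object {
            $_.GroupScope -eq 'Universal' -and $_.SID.AccountDomainSid -eq $userDomainSid }).Count
        $universalOther = @($groups | Where-Object {
            $_.GroupScope -eq 'Universal' -and $_.SID.AccountDomainSid -ne $userDomainSid }).Count
        $sidHistory     = @($user.SIDHistory).Count

        $d = $domainLocal + $universalOther + $sidHistory
        $s = $global + $universalSame
        $estimate = 1200 + 40 * $d + 8 * $s

        [PSCustomObject]@{
            DistinguishedName    = $dn
            EstimatedTokenSize   = $estimate
            MaxTokenSize         = $MaxTokenSize
            ExceedsMaxTokenSize  = $estimate -gt $MaxTokenSize
            GlobalGroups         = $global
            UniversalGroups      = $universalSame + $universalOther
            DomainLocalGroups    = $domainLocal
            GroupsWithSidHistory = $sidHistory
            AllGroups            = $groups.Count
        }
    }
}

# Usage: one user, or a whole OU streamed straight to CSV so results are written
# out as they arrive instead of being collected in memory first.
# Get-EstimatedTokenSize -Identity jdoe -Server dc01.domain.com
# Get-ADUser -Filter * -SearchBase 'OU=Users,DC=Domain,DC=com' |
#     Get-EstimatedTokenSize -MaxTokenSize 48000 |
#     Export-Csv tokensize.csv -NoTypeInformation
```

The 1200-byte overhead in the formula is an estimate (the KB article notes it varies with things like the length of the DNS domain name), so treat the result as a screening number rather than an exact ticket size, and keep in mind that the primary group and any server-local groups are not counted.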
Don’t know if you are still working with this script but I am definitely not doing something correctly. I have downloaded it and added a .ps1 extension and nothing seems to happen.
Is this a function I need to import? I read something about that but I don't know what extension to add to the file. (Old-time Windows admin, new to PowerShell. Hard to guess, right?)
Thanks for your help,
Lee
Hi Lee,
You can either save it as a .psm1 file (.ps1 works as well though), and then import it using:
Import-Module C:\Path\File.psm1
Or just paste the code into an open powershell prompt. When you’ve done this, you call the function using:
Get-ADTokenSize -Identity SamAccountName
You can also pipe the users you want to check with:
Get-ADUser -Filter { GivenName -eq "John" } | Get-ADTokenSize
You will need to install the ActiveDirectory-module for this to work though, if you run PowerShell 3 or newer it will load automatically, otherwise just run (before running the Get-ADTokenSize function):
Import-Module ActiveDirectory
Don’t hesitate to get back to me if you need further assistance!
Never heard of the command Get-ADTokenSize, nor does it work.
The command is published with this blog post, did you first load it into your PowerShell console? What error did you get? (It does also require the ActiveDirectory module from Microsoft to be available for it to work.)
Script works as expected. Excellent work! Thx.
This is what worked for me:
Pasted the code into an open powershell prompt. When you’ve done this, you call the function using:
Get-ADTokenSize -Identity SamAccountName
Glad it worked!
This script is working, only I updated the part of the LDAP query.
It is very slow, because for every user all the groups in the domain are queried for the user.
With 25000 users this takes forever and crashes every time.
The group membership is already known by
get-aduser -properties memberof, so the LDAP is not needed.
The rest must be done with a foreach loop to export to an xls sheet,
otherwise it crashes at the PowerShell buffer.
Hi Johan,
Thanks for commenting! Unless I misunderstood something, that’s not really the same thing though since that only gives you one level of group memberships. So unless you never have nested groups in your AD you’re not going to get correct results.
Regarding avoiding crashing, I’m guessing you’re trying to collect all users in a pipeline and store the results in an array, this is known to be very memory intensive. You could instead export each user to a csv or similar at the end of the pipeline to avoid the issue. It will still be slow, but save you a ton of memory.
Hope that makes sense, otherwise feel free to get back to me!
How do you interpret the results concerning membership of too many groups?
How do I know if a user has too many groups?
Have a look in the linked article. It depends a little bit on the implementation and type of application, and OS version 🙂