Check for potential token size issues

If a user is a member of too many groups, they might run into authentication problems. Those problems are related to the size of their Kerberos token.
An article describing this and potential workarounds/fixes is available at: http://support.microsoft.com/kb/327825.

I wanted an easy way to check what token size a user might have, so I created an advanced function for this.

It supports pipelining of the identity, lets you specify a server (domain or domain controller) if you want to, and returns the estimated token size of that user together with some information on how many groups the user is a member of (including nested groups).

It uses an LDAP filter to find all the groups (LDAP_MATCHING_RULE_IN_CHAIN). The “builtin” groups like Domain Users etc. are excluded when using this method, and obviously so are any local groups on a server, but it should be accurate enough to check whether the user might have token size issues.

A usage example:

PS> Get-ADUser -Filter { DisplayName -eq 'Anders Wahlqvist' } | Get-ADTokenSize

DistinguishedName : CN=Anders Wahlqvist,OU=Users,DC=Domain,DC=com
EstimatedTokenSize : 1992
GlobalGroups : 55
UniversalGroups : 44
DomainLocalGroups : 0
GroupsWithSidHistory : 0
AllGroups : 99
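To show how the numbers in the output above are arrived at, here is an added example of a function written in the same spirit. It is not the function published with this post, and the name Get-EstimatedTokenSize, the parameter names and the default warning threshold are assumptions. It resolves the user's transitive group membership with the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941), splits the groups by scope and by whether a universal group lives in the user's own account domain, and applies the estimate from KB 327825 (TokenSize = 1200 + 40d + 8s). It requires the ActiveDirectory module.

```powershell
# Added example, not the post's own Get-ADTokenSize. Requires the ActiveDirectory module.
# Function name, parameter names and the default threshold are assumptions.
function Get-EstimatedTokenSize {
    [CmdletBinding()]
    param(
        # Accepts a SamAccountName or DN directly or via the pipeline (e.g. from Get-ADUser)
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('DistinguishedName', 'SamAccountName')]
        [string]$Identity,

        # Domain or domain controller to query; omitted = current domain
        [string]$Server,

        # Assumed threshold used only to flag a likely problem (MaxTokenSize differs per OS)
        [int]$WarnAboveBytes = 12000
    )

    process {
        $adParams = @{}
        if ($Server) { $adParams['Server'] = $Server }

        $user = Get-ADUser -Identity $Identity -Properties sIDHistory @adParams

        # SID of the user's account domain: universal groups in this domain count as "s",
        # universal groups in other domains count as "d" (KB 327825 definitions).
        $accountDomainSid = $user.SID.AccountDomainSid.Value

        # Escape the DN for use inside an LDAP filter (RFC 4515: \ ( ) * NUL)
        $escapedDn = $user.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' `
                                             -replace '\)', '\29' -replace '\*', '\2a' `
                                             -replace "`0", '\00'

        # Transitive membership: every group containing the user directly or via nesting.
        # Primary group (e.g. Domain Users) and server-local groups are not returned here.
        $filter = "(member:1.2.840.113556.1.4.1941:=$escapedDn)"
        $groups = Get-ADGroup -LDAPFilter $filter -Properties groupType, sIDHistory @adParams

        $global = 0; $universal = 0; $domainLocal = 0; $withSidHistory = 0
        $d = 0; $s = 0

        foreach ($g in $groups) {
            # Only security groups end up in the token; distribution groups are skipped.
            # groupType bits: 0x2 global, 0x4 domain local, 0x8 universal, 0x80000000 security
            if (-not ($g.groupType -band 0x80000000)) { continue }

            if ($g.groupType -band 0x2) {
                $global++; $s++
            }
            elseif ($g.groupType -band 0x4) {
                $domainLocal++; $d++
            }
            elseif ($g.groupType -band 0x8) {
                $universal++
                if ($g.SID.AccountDomainSid.Value -eq $accountDomainSid) { $s++ } else { $d++ }
            }

            # Each SID in a group's sIDHistory is carried in the token like a domain local group
            if ($g.sIDHistory.Count -gt 0) {
                $withSidHistory++
                $d += $g.sIDHistory.Count
            }
        }

        # The user's own sIDHistory entries are also part of the token
        $d += $user.sIDHistory.Count

        # KB 327825 estimate: 1200 bytes of overhead + 40 bytes per "d" SID + 8 bytes per "s" SID
        $estimate = 1200 + (40 * $d) + (8 * $s)

        [PSCustomObject]@{
            DistinguishedName    = $user.DistinguishedName
            EstimatedTokenSize   = $estimate
            GlobalGroups         = $global
            UniversalGroups      = $universal
            DomainLocalGroups    = $domainLocal
            GroupsWithSidHistory = $withSidHistory
            AllGroups            = $global + $universal + $domainLocal
            LikelyTooLarge       = ($estimate -gt $WarnAboveBytes)
        }
    }
}

# Usage (same shape as the post's example):
# Get-ADUser -Filter { DisplayName -eq 'Anders Wahlqvist' } | Get-EstimatedTokenSize
# Get-EstimatedTokenSize -Identity jdoe -Server dc01.domain.com
```

Two things are worth keeping in mind when reading the result. The estimate is only as good as the KB formula, and the primary group is not counted at all, so treat the number as a lower bound; the real answer for a given machine depends on the MaxTokenSize configured there, which is why the threshold is a parameter rather than a fixed constant. Escaping the DN before putting it in the filter matters in practice, since display names containing parentheses or commas (which appear as `\,` in the DN) would otherwise break the query or silently return no groups.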

The code is available here.

6 thoughts on “Check for potential token size issues”

  1. Lee philips

    Don’t know if you are still working with this script but I am definitely not doing something correctly. I have downloaded it and added a .ps1 extension and nothing seems to happen.
    Is this a function I need to import? I read something about that but I don’t know what extension to add to the file. (old time windows admin, new to powershell. Hard to guess ,right?)

    Thanks for your help,
    Lee

    1. Anders Post author

      Hi Lee,
      You can either save it as a .psm1-file (.ps1 works as well though), and then import it using:
      Import-Module C:\Path\File.psm1

      Or just paste the code into an open powershell prompt. When you’ve done this, you call the function using:
      Get-ADTokenSize -Identity SamAccountName

      You can also pipe the users you want to check with:
      Get-ADUser -Filter { GivenName -eq “John” } | Get-ADTokenSize

      You will need to install the ActiveDirectory-module for this to work though, if you run PowerShell 3 or newer it will load automatically, otherwise just run (before running the Get-ADTokenSize function):
      Import-Module ActiveDirectory

      Don’t hesitate to get back to me if you need further assistance!

    1. Anders Post author

      The command is published with this blog post, did you first load it into your PowerShell console? What error did you get? (It does also require the ActiveDirectory module from Microsoft to be available for it to work)

  2. PowershellUser

    Script works as expected. Excellent work! Thx.

    This is what worked for me:

    Pasted the code into an open powershell prompt. When you’ve done this, you call the function using:
    Get-ADTokenSize -Identity SamAccountName

