Check for potential token size issues

If a user is a member of too many groups, they might run into authentication problems. Those problems are related to the size of their Kerberos token.
An article describing this, along with potential workarounds and fixes, is available at: http://support.microsoft.com/kb/327825.

I wanted an easy way to check what token size a user might have, so I created an advanced function for this.

It supports pipelining of the identity, you can optionally specify a server (domain or domain controller), and it returns the estimated token size of that user together with a breakdown of how many groups the user is a member of (including nested groups).

It uses an LDAP filter with the LDAP_MATCHING_RULE_IN_CHAIN matching rule to find all the groups, nested ones included. The “builtin” groups like Domain Users etc. are excluded when using this method, and obviously so are any local groups on a server, but it should be accurate enough to check whether the user might have token size issues.

A usage example:

PS> Get-ADUser -Filter { DisplayName -eq 'Anders Wahlqvist' } | Get-ADTokenSize

DistinguishedName : CN=Anders Wahlqvist,OU=Users,DC=Domain,DC=com
EstimatedTokenSize : 1992
GlobalGroups : 55
UniversalGroups : 44
DomainLocalGroups : 0
GroupsWithSidHistory : 0
AllGroups : 99

The code is available here.
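The approach described above, written here as an added example rather than the code linked from the post: one LDAP_MATCHING_RULE_IN_CHAIN query, the result classified by group scope, and the counts fed into the KB 327825 estimate (1200 + 40d + 8s). The function name and the filter-escaping line are my own; it assumes the ActiveDirectory module is loaded, as the post requires.

```powershell
# Added example, not the function linked from the post.
# Assumes the ActiveDirectory module (Get-ADUser / Get-ADGroup) is loaded.
function Get-EstimatedTokenSize {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [string]$DistinguishedName,
        [string]$Server
    )
    process {
        # Escape the DN for use inside an LDAP filter (RFC 4515); DNs with
        # escaped commas such as "CN=Smith\, John" otherwise break the query.
        $escaped = $DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'

        # LDAP_MATCHING_RULE_IN_CHAIN makes the DC walk nested membership, so a
        # single query returns direct and indirect groups. Built-in groups and
        # the primary group (Domain Users) are not returned this way.
        $params = @{
            LDAPFilter = "(member:1.2.840.113556.1.4.1941:=$escaped)"
            Properties = 'GroupScope', 'SIDHistory'
        }
        if ($Server) { $params.Server = $Server }
        $groups = @(Get-ADGroup @params)

        $global     = @($groups | Where-Object { $_.GroupScope -eq 'Global' }).Count
        $universal  = @($groups | Where-Object { $_.GroupScope -eq 'Universal' }).Count
        $domainLoc  = @($groups | Where-Object { $_.GroupScope -eq 'DomainLocal' }).Count
        $sidHistory = @($groups | Where-Object { $_.SIDHistory.Count -gt 0 }).Count

        # KB 327825 estimate: 1200 + 40d + 8s. d = domain local groups plus
        # SID history entries (40 bytes each); s = global/universal groups
        # (8 bytes each). Universal groups from another account domain also
        # cost 40 bytes; like the post's output, this counts them all at 8.
        $d = $domainLoc + $sidHistory
        $s = $global + $universal
        [pscustomobject]@{
            DistinguishedName    = $DistinguishedName
            EstimatedTokenSize   = 1200 + (40 * $d) + (8 * $s)
            GlobalGroups         = $global
            UniversalGroups      = $universal
            DomainLocalGroups    = $domainLoc
            GroupsWithSidHistory = $sidHistory
            AllGroups            = $groups.Count
        }
    }
}

# Usage (constructed): Get-ADUser -Identity jdoe | Get-EstimatedTokenSize
```

With the post's sample counts (55 global, 44 universal, no domain local or SID history groups) the formula gives 1200 + 8 * 99 = 1992, matching the output shown above.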

10 thoughts on “Check for potential token size issues”

  1. Lee philips

    Don’t know if you are still working with this script but I am definitely not doing something correctly. I have downloaded it and added a .ps1 extension and nothing seems to happen.
    Is this a function I need to import? I read something about that but I don’t know what extension to add to the file. (old time windows admin, new to powershell. Hard to guess ,right?)

    Thanks for your help,
    Lee

    1. Anders Post author

      Hi Lee,
      You can either save it as a .psm1 file (.ps1 works as well though), and then import it using:
      Import-Module C:\Path\File.psm1

      Or just paste the code into an open powershell prompt. When you’ve done this, you call the function using:
      Get-ADTokenSize -Identity SamAccountName

      You can also pipe the users you want to check with:
      Get-ADUser -Filter { GivenName -eq "John" } | Get-ADTokenSize

      You will need to install the ActiveDirectory-module for this to work though, if you run PowerShell 3 or newer it will load automatically, otherwise just run (before running the Get-ADTokenSize function):
      Import-Module ActiveDirectory

      Don’t hesitate to get back to me if you need further assistance!

    1. Anders Post author

      The command is published with this blog post, did you first load it into your PowerShell console? What error did you get? (It does also require the ActiveDirectory module from Microsoft to be available for it to work)

  2. PowershellUser

    Script works as expected. Excellent work! Thx.

    This is what worked for me:

    Pasted the code into an open powershell prompt. When you’ve done this, you call the function using:
    Get-ADTokenSize -Identity SamAccountName

  3. Johan van Dok

    This script is working, only I updated the part of the LDAP query.
    This is very slow, because for every user all the groups in the domain are queried for the user.
    With 25000 users this takes forever and crashes every time.

    The group membership is already known by
    get-aduser -properties memberof, so the LDAP is not needed.

    The rest must be done with a foreach loop to export to an xls sheet,
    otherwise it crashes at the PowerShell buffer.

    1. Anders Post author

      Hi Johan,
      Thanks for commenting! Unless I misunderstood something, that’s not really the same thing though since that only gives you one level of group memberships. So unless you never have nested groups in your AD you’re not going to get correct results.

      Regarding avoiding crashing, I’m guessing you’re trying to collect all users in a pipeline and store the results in an array; this is known to be very memory intensive. You could instead export each user to a csv or similar at the end of the pipeline to avoid the issue. It will still be slow, but save you a ton of memory.

      Hope that makes sense, otherwise feel free to get back to me!

  4. tien lam nguyen

    How do you interpret the results concerning too many group memberships?

    How do I know if a user has too many groups?

    1. Anders Post author

      Have a look in the linked article. It depends a little bit on the implementation and type of application, and OS version 🙂
