Tag Archives: Groups

Check for potential token size issues

If a user is a member of too many groups, they might run into authentication problems. Those problems are related to the size of their Kerberos token.
An article describing this and potential workarounds/fixes is available at: http://support.microsoft.com/kb/327825.

I wanted an easy way to check what token size a user might have, so I created an advanced function for this.

It supports pipelining of the identity, lets you specify a server (domain or domain controller) if you want to, and returns the estimated token size of that user together with information on how many groups the user is a member of (including nested groups).

It uses an LDAP filter (LDAP_MATCHING_RULE_IN_CHAIN) to find all the groups. The “builtin” groups like Domain Users etc. are excluded when using this method, as are any local groups on a server, but it should be accurate enough to check whether the user might have token size issues.

A usage example:

PS> Get-ADUser -Filter { DisplayName -eq 'Anders Wahlqvist' } | Get-ADTokenSize

DistinguishedName : CN=Anders Wahlqvist,OU=Users,DC=Domain,DC=com
EstimatedTokenSize : 1992
GlobalGroups : 55
UniversalGroups : 44
DomainLocalGroups : 0
GroupsWithSidHistory : 0
AllGroups : 99

The code is available here.
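As an added example (not the author's Get-ADTokenSize), the function below reproduces the estimate shown in the output above: it collects nested group membership with the LDAP_MATCHING_RULE_IN_CHAIN filter and applies the formula from KB 327825, TokenSize = 1200 + 40d + 8s. It assumes the ActiveDirectory module is loaded, that only security groups are counted, and that SID history is counted per group that carries it (the user's own sIDHistory is not included).

```powershell
function Get-EstimatedTokenSize {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$DistinguishedName,
        [string]$Server
    )
    process {
        # Escape LDAP filter metacharacters in the DN (RFC 4515) before embedding it
        $escaped = $DistinguishedName -replace '\\','\5c' -replace '\(','\28' -replace '\)','\29' -replace '\*','\2a'
        # LDAP_MATCHING_RULE_IN_CHAIN walks nested membership server-side
        $filter = "(&(objectCategory=group)(member:1.2.840.113556.1.4.1941:=$escaped))"
        $params = @{ LDAPFilter = $filter; Properties = 'groupType', 'sIDHistory' }
        if ($Server) { $params.Server = $Server }
        $groups = @(Get-ADGroup @params)

        # groupType flags: 0x2 global, 0x4 domain local, 0x8 universal, 0x80000000 security-enabled.
        # Only security groups put a SID into the token, so distribution groups are dropped.
        $security  = @($groups | Where-Object { $_.groupType -band 0x80000000 })
        $global    = @($security | Where-Object { $_.groupType -band 0x2 })
        $local     = @($security | Where-Object { $_.groupType -band 0x4 })
        $universal = @($security | Where-Object { $_.groupType -band 0x8 })
        $withSidHistory = @($security | Where-Object { $_.sIDHistory.Count -gt 0 })

        # A universal group counts as "same domain" when its DN shares the user's DC= suffix
        $userDomain = $DistinguishedName.Substring($DistinguishedName.IndexOf('DC='))
        $universalSame  = @($universal | Where-Object { $_.DistinguishedName.Substring($_.DistinguishedName.IndexOf('DC=')) -eq $userDomain })
        $universalOther = $universal.Count - $universalSame.Count

        # KB 327825: d = domain local groups + universal groups outside the account domain
        # + groups carried via SID history; s = global groups + universal groups in the
        # account domain. For the post's user: 1200 + 40*0 + 8*(55+44) = 1992.
        $d = $local.Count + $universalOther + $withSidHistory.Count
        $s = $global.Count + $universalSame.Count
        [pscustomobject]@{
            DistinguishedName    = $DistinguishedName
            EstimatedTokenSize   = 1200 + 40 * $d + 8 * $s
            GlobalGroups         = $global.Count
            UniversalGroups      = $universal.Count
            DomainLocalGroups    = $local.Count
            GroupsWithSidHistory = $withSidHistory.Count
            AllGroups            = $security.Count
        }
    }
}

# Usage: Get-ADUser -Filter { DisplayName -eq 'Anders Wahlqvist' } | Get-EstimatedTokenSize
```

Because the filter only matches the member attribute, a user's primary group (typically Domain Users) is not returned, which is the "builtin" exclusion the post mentions.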

Is this AD group still used?

That’s a pretty hard question to answer, and it depends on how the group is used.

But one way of verifying this is to check when any of its members last logged on. There is an obvious risk that the group is not used for anything in particular but still has users/computers in it, but it might give you a hint.

I therefore wrote an advanced function that can help you with this.

It’s pretty straightforward to use, just write:

Get-ADGroupLastUsed -Identity "Domain Admins" -Recursive

The “Recursive”-switch makes it resolve the members in all child groups. It works for both user and computer objects.

This can be pretty useful in certain scenarios, and I hope it might be of use for you too!

The code is available at this link.

Get local groups and their members with PowerShell

The Active Directory Module for PowerShell is great. You can do almost anything with it, but every now and then you might need to list the local groups and their members on a server/client, and that is harder…

To achieve this I wrote a couple of advanced functions to simplify the task: “Get-LocalGroup” and “Get-LocalGroupMember”.

The usage should be pretty simple, but to give you an idea:

PS H:\> Get-LocalGroup

ComputerName GroupName                                   SID
------------ ---------                                   ---
MyMachine    Administrators                              S-1-5-32-544
MyMachine    Backup Operators                            S-1-5-32-551
MyMachine    Cryptographic Operators                     S-1-5-32-569
MyMachine    Distributed COM Users                       S-1-5-32-562
MyMachine    Event Log Readers                           S-1-5-32-573
MyMachine    Guests                                      S-1-5-32-546
MyMachine    IIS_IUSRS                                   S-1-5-32-568
MyMachine    Network Configuration Operators             S-1-5-32-556
MyMachine    Performance Log Users                       S-1-5-32-559
MyMachine    Performance Monitor Users                   S-1-5-32-558
MyMachine    Power Users                                 S-1-5-32-547
MyMachine    Remote Desktop Users                        S-1-5-32-555
MyMachine    Replicator                                  S-1-5-32-552
MyMachine    Users                                       S-1-5-32-545


PS H:\> Get-LocalGroup | where GroupName -eq Administrators | Get-LocalGroupMember

Domain    GroupName      Type  Name
------    ---------      ----  ----
MyMachine Administrators User  Administrator
MyDomain  Administrators Group Domain Admins
MyDomain  Administrators Group TheAdmins

The code is available here.