{"id":3451,"date":"2014-09-20T15:57:21","date_gmt":"2014-09-20T13:57:21","guid":{"rendered":"http:\/\/dollarunderscore.azurewebsites.net\/?p=3451"},"modified":"2017-06-05T21:37:08","modified_gmt":"2017-06-05T19:37:08","slug":"check-for-potential-token-size-issues","status":"publish","type":"post","link":"https:\/\/p0wershell.com\/?p=3451","title":{"rendered":"Check for potential token size issues"},"content":{"rendered":"

If a user is a member of too many groups they might run into authentication problems. Those problems are related to their kerberos token size.
\nAn article describing this and potential workarounds\/fixes are available at: http:\/\/support.microsoft.com\/kb\/327825<\/a>.<\/p>\n

I wanted an easy way to check what token size a user might have, so I created an advanced function for this.<\/p>\n

It supports pipelining of the identity, you can specify a server (domain or domain controller) if you want to, and it will return the estimated token size of that user and some information on how many groups the user is a member of (including nested groups).<\/p>\n

It uses a ldap filter to find all the groups (LDAP_MATCHING_RULE_IN_CHAIN<\/a>). The “builtin” groups like Domain Users etc. are excluded when using this method, and obviously any local groups on a server, but it should be accurate enough to check if the user might have token size issues.<\/p>\n

A usage example:
\n[PowerShell]
\nPS> Get-ADUser -Filter { DisplayName -eq ‘Anders Wahlqvist’ } | Get-ADTokenSize<\/p>\n

DistinguishedName : CN=Anders Wahlqvist,OU=Users,DC=Domain,DC=com
\nEstimatedTokenSize : 1992
\nGlobalGroups : 55
\nUniversalGroups : 44
\nDomainLocalGroups : 0
\nGroupsWithSidHistory : 0
\nAllGroups : 99<\/p>\n

[\/PowerShell]<\/p>\n

The code is available here<\/a>.<\/strong><\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

If a user is a member of too many groups they might run into authentication problems. Those problems are related to their kerberos token size. An article describing this and potential workarounds\/fixes are available at: http:\/\/support.microsoft.com\/kb\/327825. I wanted an easy way to check what token size a user might have, so I created an advanced […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[831,21],"tags":[891,411,881,861,871],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p3Zj0A-TF","_links":{"self":[{"href":"https:\/\/p0wershell.com\/index.php?rest_route=\/wp\/v2\/posts\/3451"}],"collection":[{"href":"https:\/\/p0wershell.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/p0wershell.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/p0wershell.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/p0wershell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3451"}],"version-history":[{"count":0,"href":"https:\/\/p0wershell.com\/index.php?rest_route=\/wp\/v2\/posts\/3451\/revisions"}],"wp:attachment":[{"href":"https:\/\/p0wershell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3451"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/p0wershell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3451"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/p0wershell.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3451"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}