Kerberos MaxTokenSize value

Posted on March 23rd, 2009

Windows enumerates the groups the users is a member of to determine which Group Policies to apply. If the user is a member of too many groups (from testing around 165), this enumeration fails and no group policy is applied.

The default setting on Windows 2003 x64 servers is 12000 for the Kerberos MaxTokenSize entry. This is not enough for large environments.

Changing this entry to the maximum available (65535) resolves the issue and enables all the user groups to be enumerated and the correct group policies applied.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
“MaxTokenSize”=dword:0000ffff

The server will need a reboot.

Tags: group policy, Kerberos, maxtokensize
Filed under Windows 2003 |

2 Responses to “Kerberos MaxTokenSize value”

1. RP Says:
   March 24th, 2009 at 12:23 pm

   If a RSOP gives and invalid namespace error after this, you may also need to rebuild the MOF:

   from the following folder:
   c:\program files\citrix\system32\citrix\wmi

   for /f %s in (‘dir /b *.mof *.mfl’)do mofcomp %s

2. RP Says:
   March 24th, 2009 at 12:26 pm

   for /f %s in (‘dir /b *.mof *.mfl’)do mofcomp %s”

   as seen here

Leave a Reply

Name (required)

Mail (will not be published) (required)

Website

CAPTCHA Code *