Richard Parmiter

Virtualisation blog and Knowledge Base


Kerberos MaxTokenSize value

Posted on March 23rd, 2009

Windows enumerates the groups the user is a member of to determine which Group Policies apply. Every group SID is carried in the user's Kerberos token, so a user who belongs to too many groups (in testing, around 165) ends up with a token larger than the maximum the server accepts; the enumeration then fails and no Group Policy is applied.

The default value of the Kerberos MaxTokenSize entry on Windows 2003 x64 servers is 12000 bytes. This is not enough for large environments with many nested groups.

Changing this entry to the maximum available (65535) resolved the issue and allowed all of the user's groups to be enumerated and the correct Group Policies applied. Bear in mind that Microsoft's recommended ceiling is 48000 bytes rather than 65535: when the token is passed in an HTTP Negotiate/Kerberos header (for example to IIS with Windows authentication) it is Base64-encoded, and a larger value can exceed what the web server accepts.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"MaxTokenSize"=dword:0000ffff

The server must be rebooted for the new value to take effect.
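The following PowerShell script is an added example, not part of the original post. It reads the configured MaxTokenSize (reporting the OS default when the value is absent), counts the group SIDs in the current user's access token so you can see how close a test account is to the limit, and sets a new value. The 48000-byte default for Set-MaxTokenSize reflects Microsoft's recommendation for HTTP/Base64 compatibility; pass 65535 to reproduce the setting used in the post. The size estimate function uses the formula published in Microsoft KB 327825 (TokenSize = 1200 + 40d + 8s) and is only an approximation; the function and parameter names are this example's own. Run it in an elevated PowerShell session on the affected server.

```powershell
# Added example: inspect and raise the Kerberos MaxTokenSize on a member server.
# Not from the original post; function names are this example's own.

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-MaxTokenSize {
    # Returns the configured value in bytes, or $null when the value is absent.
    # Absent means the OS default applies: 12000 bytes on Windows 2003 / 2008 / 2008 R2.
    $item = Get-ItemProperty -Path $KeyPath -Name MaxTokenSize -ErrorAction SilentlyContinue
    if ($item) { return [int]$item.MaxTokenSize }
    return $null
}

function Set-MaxTokenSize {
    # 65535 is the hard maximum accepted by LSA. Microsoft recommends 48000 so the
    # token still fits in an HTTP Negotiate header after Base64 encoding (IIS, proxies).
    param([ValidateRange(1, 65535)][int]$Bytes = 48000)

    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    Set-ItemProperty -Path $KeyPath -Name MaxTokenSize -Value $Bytes -Type DWord
    Write-Warning 'MaxTokenSize changed; reboot the server for LSA to pick up the new value.'
}

function Get-TokenGroupCount {
    # Number of group SIDs in the calling user's access token. This is what the
    # Group Policy engine has to enumerate, and what inflates the Kerberos token.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    return $identity.Groups.Count
}

function Get-EstimatedTokenSize {
    # Rough estimate from Microsoft KB 327825: TokenSize = 1200 + 40d + 8s
    #   d = domain local groups + universal groups from other domains + SIDHistory entries
    #   s = global groups + universal groups in the user's own account domain
    #   1200 = estimated ticket overhead (varies with DNS name lengths etc.)
    param(
        [int]$DomainLocalAndForeignUniversal,
        [int]$GlobalAndHomeUniversal
    )
    return 1200 + (40 * $DomainLocalAndForeignUniversal) + (8 * $GlobalAndHomeUniversal)
}

# --- Report current state -------------------------------------------------
$current = Get-MaxTokenSize
if ($current -eq $null) {
    'MaxTokenSize is not set; the OS default (12000 bytes on Windows 2003) applies.'
} else {
    "MaxTokenSize is currently $current bytes."
}
"Group SIDs in the current access token: $(Get-TokenGroupCount)"

# Example estimate: a user in 120 domain local groups and 200 global groups
$estimate = Get-EstimatedTokenSize -DomainLocalAndForeignUniversal 120 -GlobalAndHomeUniversal 200
"Estimated token size for 120 domain local + 200 global groups: $estimate bytes"
if ($estimate -gt 12000) {
    'That exceeds the 12000-byte default; raise MaxTokenSize.'
}

# --- Apply the fix (uncomment one) ----------------------------------------
# Set-MaxTokenSize            # Microsoft-recommended 48000
# Set-MaxTokenSize -Bytes 65535   # the value used in the post
```

Set-ItemProperty with -Type DWord relies on the registry provider's dynamic parameter, which is available from PowerShell 2.0 onwards; on a server that only has PowerShell 1.0, `reg add` with `/t REG_DWORD` does the same job. The group count from the live token is the most reliable indicator, because it already includes nested memberships and SIDHistory that a simple directory lookup would miss.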


Filed under Windows 2003

3 Responses to “Kerberos MaxTokenSize value”

  1. RP Says:
    March 24th, 2009 at 12:23 pm

    If RSOP gives an invalid namespace error after this, you may also need to rebuild the MOF:

    from the following folder:
    c:\program files\citrix\system32\citrix\wmi

    for /f %s in ('dir /b *.mof *.mfl') do mofcomp %s

  2. RP Says:
    March 24th, 2009 at 12:26 pm

    for /f %s in ('dir /b *.mof *.mfl') do mofcomp %s

    as seen here

  3. Enos Says:
    May 17th, 2013 at 2:41 pm

    Instead of the maximum allowed, MS suggests 48k due to base64 encodings.
