Kerberos MaxTokenSize value
Posted on March 23rd, 2009
Windows enumerates the groups the user is a member of to determine which Group Policies to apply. If the user is a member of too many groups (around 165 in testing), this enumeration fails and no group policy is applied.
The default setting on Windows 2003 x64 servers is 12000 for the Kerberos MaxTokenSize entry. This is not enough for large environments.
Changing this entry to the maximum available (65535) resolves the issue: all of the user's groups can be enumerated and the correct group policies are applied.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"MaxTokenSize"=dword:0000ffff
The server will need a reboot.
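To check a server before and after the change, the following added example (not code from the original post) reads the configured MaxTokenSize and compares it with an estimated token size for a group membership list. It assumes Microsoft's published approximation TokenSize = 1200 + 40d + 8s, which is not stated in the post; the function names are hypothetical and the membership list is constructed sample data.

```powershell
# Added example; function names and the sample group list are constructed for illustration.
# Estimate (assumption, Microsoft's published approximation): TokenSize = 1200 + 40d + 8s
#   d = domain local groups + universal groups from other domains + SID-history SIDs
#   s = global groups + universal groups from the user's own domain
$KerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-ConfiguredMaxTokenSize {
    param([int]$Default = 12000)   # default the post gives for Windows 2003 x64
    $p = Get-ItemProperty -Path $KerbKey -Name MaxTokenSize -ErrorAction SilentlyContinue
    if ($p -and $p.MaxTokenSize) { return [int]$p.MaxTokenSize }
    return $Default                # value absent: the OS default applies
}

function Get-TokenSizeEstimate {
    param([Parameter(Mandatory = $true)][object[]]$Groups)
    # Groups that cost 40 bytes each in the estimate
    $d = @($Groups | Where-Object {
        $_.Scope -eq 'DomainLocal' -or ($_.Scope -eq 'Universal' -and $_.Foreign)
    }).Count
    # Everything else costs 8 bytes each
    $s = @($Groups).Count - $d
    New-Object PSObject -Property @{ D = $d; S = $s; Bytes = 1200 + (40 * $d) + (8 * $s) }
}

function New-SampleGroups {        # constructed membership list, not real data
    param([int]$Count, [string]$Scope, [bool]$Foreign = $false)
    1..$Count | ForEach-Object {
        New-Object PSObject -Property @{ Name = "$Scope-$_"; Scope = $Scope; Foreign = $Foreign }
    }
}

$groups  = @(New-SampleGroups 260 'DomainLocal') +
           @(New-SampleGroups 100 'Global') +
           @(New-SampleGroups 20 'Universal' $true)
$est     = Get-TokenSizeEstimate -Groups $groups
$current = Get-ConfiguredMaxTokenSize

"Estimated token: $($est.Bytes) bytes (d=$($est.D), s=$($est.S))"
# Compare against the value in the registry and the two values named in the post
foreach ($limit in @($current, 12000, 65535) | Select-Object -Unique) {
    $state = if ($est.Bytes -le $limit) { 'fits' } else { 'EXCEEDS' }
    "MaxTokenSize ${limit}: $state"
}
```

To assess a real account, replace the constructed list with that account's actual group memberships, each classified by scope.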
Tags: group policy, Kerberos, maxtokensize
Slow logons at ‘applying registry policy’ stage on a Windows 2003 Citrix Server
Posted on September 24th, 2008
Problem
When a user logs onto a Citrix server, it can take up to 10 minutes at ‘applying registry policy’ during the logon process.
Background
The server specification was as follows:
- Windows 2003 R2 x64 Standard Edition
- Citrix Presentation Server 4.5 HFRP02.
The server was a member of a Windows 2003 Active Directory domain with many DCs spread among different sites. It was in an Active Directory ‘sites and services’ site group along with many other Citrix servers and configured for 3 DCs split over 2 physical locations.
Tags: AD Site, apply group policy, applying group policy, applying registry policy, dfs, group policy, OpLocksDisabled, opportunistic locking, registry.pol, SetRegistryValue, slow, slow login, slow logon, sysvol, UserEnvDebugLevel
Group Policy Editor – Disabling custom.adm template filtering
Posted on September 8th, 2008
When editing a Group Policy in Group Policy Object Editor (gpedit.msc), the settings may be missing from a recently added custom template (.adm).
The .adm template may be configured with a filter that hides the settings in its default view.
To disable the filter so that all settings can be edited, do the following:
Right-click on the relevant user configuration | administrative template and select filtering

Unselect the option to ‘only show policy settings that can be fully managed’

All the settings will now appear and can be managed.
Tags: filter, gpedit, GPO, group policy
