Kerberos MaxTokenSize value
Posted on March 23rd, 2009
Windows enumerates the groups the user is a member of to determine which Group Policies apply. If the user is a member of too many groups (from testing, around 165), this enumeration fails and no Group Policy is applied.
The default setting on Windows 2003 x64 servers is 12000 for the Kerberos MaxTokenSize entry. This is not enough for large environments.
Changing this entry to the maximum available (65535) resolves the issue and enables all the user groups to be enumerated and the correct group policies applied.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"MaxTokenSize"=dword:0000ffff
The server will need a reboot.
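As an added example (not part of the original post), the change above scripted for an elevated PowerShell session on the affected server: it reads the current value (falling back to the 12000 default the post names when the entry is absent), writes the 65535 maximum as a REG_DWORD, and counts the group SIDs in the current logon token against the roughly 165-group ceiling the post observed. The function names are assumptions.

```powershell
# Added example, not code from the original post. Assumes an elevated PowerShell
# session on the server being fixed; key path and values are those given in the post.
$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-MaxTokenSize {
    # Return the configured value, or the Windows 2003 default (12000) when the entry is absent.
    $item = Get-ItemProperty -Path $KerbParams -Name 'MaxTokenSize' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 12000 }
    return [int]$item.MaxTokenSize
}

function Set-MaxTokenSize {
    param([int]$Size = 65535)
    # 65535 (0x0000ffff) is the maximum the post recommends; refuse anything outside the DWORD range it uses.
    if ($Size -lt 1 -or $Size -gt 65535) { throw "MaxTokenSize must be between 1 and 65535 (got $Size)" }
    if (-not (Test-Path $KerbParams)) { New-Item -Path $KerbParams -Force | Out-Null }
    $current = Get-MaxTokenSize
    if ($current -eq $Size) {
        Write-Host "MaxTokenSize is already $Size; nothing to do"
        return $false
    }
    # Written as REG_DWORD, matching the .reg snippet above (dword:0000ffff for 65535).
    Set-ItemProperty -Path $KerbParams -Name 'MaxTokenSize' -Value $Size -Type DWord
    Write-Host "MaxTokenSize changed from $current to $Size; the server needs a reboot before LSA uses it"
    return $true
}

function Test-TokenGroupCount {
    # Rough check: count the group SIDs in the current logon token and compare with the
    # ~165-group point at which the post saw Group Policy enumeration fail at the 12000 default.
    $groups = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups.Count
    Write-Host "Current token carries $groups group SIDs"
    return ($groups -lt 165)
}

$rebootNeeded = Set-MaxTokenSize -Size 65535
if (-not (Test-TokenGroupCount)) {
    Write-Host "This account is at or above the group count where the default setting failed; make sure the new value is applied on all affected servers"
}
if ($rebootNeeded) { Write-Host "Reboot the server to apply the change" }
```

Run it once per server; the registry change takes effect only after the reboot the post mentions.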
Tags: group policy, Kerberos, maxtokensize
Filed under Windows 2003
