ds: logon request fails when groups > 1024

it's probably not logical for you to do this to yourself and thus there is not much to worry about. however, through a series of nested groups, you can very well do this without thinking much about it. anyway, by the nature of the fact that I am posting this ... means I ran into it. :(

for clarity, the group limitation is actually 1015 when you factor in well-known SIDs.


the error message

this is what you will see when attempting to log in:

The system cannot log you on due to the following error: During a logon attempt, the user’s security context accumulated too many security IDs. Please try again or consult your system administrator.


detecting the problem

if you want to see how many groups you (or some other user account) are a member of, use the following kinds of commands (they may produce different results*):

powershell

Get-QADUser myuserid | Select-Object -ExpandProperty allmemberof | measure

cmd shell

dsquery user -samid myuserid | dsget user -memberof -expand | find /c /v ""

* when I ran them side by side, I had different counts. using dsquery, it lists all security groups. using get-qaduser, it seems to list only the groups in which you don't already have membership. basically, if someone created a group and added domain users as a nested group, get-qaduser doesn't show it.
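as an added illustration (not code from the original post), the python below simulates the nested-group expansion that inflates a logon token's SID count: it compares a user's direct memberships (what a non-expanding query reports) with the transitive closure (what actually ends up in the token), using the 1024/1015 limits stated above. the membership map, group names and the nested_chain helper are constructed for the example.

```python
"""Estimate a user's logon-token group count by expanding nested AD groups."""
from collections import deque

# Limits from the post: 1024 SIDs per token, 1015 once well-known SIDs are counted.
TOKEN_SID_LIMIT = 1024
EFFECTIVE_GROUP_LIMIT = 1015

# Constructed membership map: group -> its direct members (users or groups).
DIRECT_MEMBERS = {
    "Domain Users": {"alice"},
    "Staff": {"Domain Users"},      # nested: every domain user is in Staff
    "Project-A": {"alice", "Staff"},
    "Project-B": {"Project-A"},
    "Auditors": {"bob"},
}


def direct_groups(user: str, members=DIRECT_MEMBERS) -> set[str]:
    """Groups that list the user as a direct member (non-expanding query)."""
    return {g for g, m in members.items() if user in m}


def effective_groups(user: str, members=DIRECT_MEMBERS) -> set[str]:
    """Transitive closure of membership, i.e. what the logon token carries."""
    containers: dict[str, set[str]] = {}   # principal -> groups containing it
    for group, its_members in members.items():
        for m in its_members:
            containers.setdefault(m, set()).add(group)
    seen: set[str] = set()
    queue = deque(containers.get(user, ()))
    while queue:
        g = queue.popleft()
        if g in seen:
            continue                        # nesting cycles must not loop forever
        seen.add(g)
        queue.extend(containers.get(g, ()))
    return seen


def logon_would_fail(user: str, members=DIRECT_MEMBERS) -> bool:
    """True when the expanded membership exceeds the effective limit."""
    return len(effective_groups(user, members)) > EFFECTIVE_GROUP_LIMIT


def nested_chain(user: str, depth: int) -> dict[str, set[str]]:
    """Constructed map: user in G0, G0 in G1, ... so one direct membership expands to `depth`."""
    chain = {"G0": {user}}
    for i in range(1, depth):
        chain[f"G{i}"] = {f"G{i-1}"}
    return chain


if __name__ == "__main__":
    for u in ("alice", "bob"):
        print(u, len(direct_groups(u)), len(effective_groups(u)), logon_would_fail(u))
    deep = nested_chain("alice", 1016)      # one direct group, 1016 effective: logon fails
    print(len(direct_groups("alice", deep)), len(effective_groups("alice", deep)), logon_would_fail("alice", deep))
```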


more information

here are two great articles for this information:

http://support.microsoft.com/kb/906208

http://support.microsoft.com/kb/328889
