During a logon attempt, the user’s security context accumulated too many security IDs
Hello All,
Hope this post finds you in good health and spirit.
This post is regarding to address an issue :- During a logon attempt, the user’s security context accumulated too many security IDs.
During a logon attempt, the user’s security context accumulated too many security IDs
This error comes when the user’s access token exceeds to 1015 group memberships, and at which point the user is blocked from logging on system with the above error.
The user’s access token holds an entry for each group which user is a member of, either directly or through nested groups. On top of the entries that are added by group membership, a number of additional entries are added by the system. During a logon attempt, the user’s security context accumulated too many security IDs.
This is a very unusual situation. Remove the user from some groups to reduce the number of security IDs to incorporate into the security context but before removal of any groups from user id, impact assessment must be done to avoid any other impact.
A domain migration that uses SID History is another frequent source of this problem. When SID History is used, a user’s access token might double in size, thus if the user had only 600 groups in it prior to the migration, it could later surpass the 1015 limit and prohibit them from signing on.
To reduce the Kerberos Ticket Size you can:
- Reduce/consolidate group membership
- Clean up SID History
- Limit the number of users that are configured to use “trusted for delegation”. The account that are configured to use “trusted for delegation” the buffer requirements for each SID may double.
You can export the nested group memberships via powershell script or command line .below is the powershell script and command to export the nested group memberships.
function GetNestedADGroupMembership {
Param([parameter(Mandatory=$true)] $user,
[parameter(Mandatory=$false)] $grouphash = @{})$groups = @(Get-ADPrincipalGroupMembership -Identity $user -Server windowstechno.local | select -ExpandProperty distinguishedname)
foreach ($group in $groups) {
if ( $grouphash[$group] -eq $null) {
$grouphash[$group] = $true
$group
GetNestedADGroupMembership $group $grouphash
}
}
}
GetNestedADGroupMembership “CN=pankaj.kumar,OU=User Accounts,OU=User Directory,DC=windowstechno,DC=local”
you can also fetch the nested groups details via below command then identify the group details which need to be removed from user’s account.
ntdsutil “g m e” “v ON” “r windowstechno.local pankaj.kumar” “q” “q”
There is a hard limit of 1,015 groups a user can be a member of. If a user tries to log into a computer by using a local or domain account and they are a member of more than 1,015 groups they will get this Logon Message: The system cannot log you on due to the following error: During a logon attempt, the user’s security context accumulated too many security IDs. Please try again or consult your system administrator.
So, that’s all in this blog. I will meet you soon with next stuff .Have a nice day !!!
Recommended content
RODC Installation Guide- Step by step guide to install read only domain controller
RODC Filtered Attribute Set
Installing and configuring a RODC in Windows Server-2012
How to find the GUID of Domain Controller
Understanding Group Policy Preferences
Group Policy Verification Tool GPOTool Exe
Group Policy Health Check on Specific Domain Controller
Netlogon Folder in Active Directory
Custom Attributes in Active Directory
Tombstone Lifetime of My Active Directory Forest
Computers AD Site From the Command Line
Active Directory Database Integrity
Disabling and Enabling the Outbound Replication
DFS Replication Service Stopped Replication
Strict Replication Consistency
The replication operation failed because of a schema mismatch between the servers involved
Troubleshooting ad replication error 8418 the replication operation failed because of a schema mismatch between the servers
Replication information in txt file
Repadmin Replsummary
Enabling the outbound replication
Guys please don’t forget to like and share the post.Also join our WindowsTechno Community and where you can post your queries/doubts and our experts will address them .
You can also share the feedback on below windows techno email id.
If you have any questions feel free to contact us on admin@windowstechno.com also follow us on facebook@windowstechno to get updates about new blog posts.