sidHistory and token sizes


Neil Ruston

I am examining the option of whether to use sidhistory or
not and am concerned that the max token size may be
exceeded if we use this approach.

e.g. If we copy groups with sidhistory and add users to
these groups, each user's token now has 2 SID entries per
group (primary SID plus sidhistory), which in effect
doubles the token size(?)

I have also heard that global and local groups consume
different amounts of space in a token?

Questions:
1. What is the default max token size?
2. How much space do user, global and local group SIDs
consume in a token? Are they really different?
3. Assuming 2 SID entries in a user's token per group
membership, how many groups can the new user be a direct
member of?

Many thanks in advance,
Neil
 
Found the answers:

Default max token size is 12,000 bytes
Sufficient for ~ 120 groups

http://support.microsoft.com/default.aspx?scid=kb;en-us;327825

TokenSize = 1200 + 40d + 8s

This formula uses the following values:

d: The number of domain local groups a user is a member of, plus the number of universal groups outside the user's account domain, plus the number of groups represented in security ID (SID) history.

s: The number of security global groups that a user is a member of, plus the number of universal groups in a user's account domain.

1200: The estimated value for ticket overhead. This value can vary depending on factors such as DNS domain name length, client name, and other factors.

Neil
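As an added worked example (not part of Neil's posts or of the KB article), the formula above as a small Python calculator. It also models the migration scenario from the first post, where every group the user belongs to was copied with sidHistory, so each membership adds one SID-history entry on top of the group's own SID. Group counts are constructed sample values.

```python
from dataclasses import dataclass

TICKET_OVERHEAD = 1200          # estimated ticket overhead (KB 327825)
BYTES_PER_D_ENTRY = 40          # domain local, foreign universal, SID-history entries
BYTES_PER_S_ENTRY = 8           # global and same-domain universal groups
DEFAULT_MAX_TOKEN_SIZE = 12000  # default MaxTokenSize in bytes


@dataclass
class Memberships:
    global_groups: int = 0        # security global groups
    universal_in_domain: int = 0  # universal groups in the account domain
    universal_outside: int = 0    # universal groups outside the account domain
    domain_local: int = 0         # domain local groups
    sid_history: int = 0          # SIDs carried in sidHistory (user's own plus groups')

    def d(self) -> int:
        return self.domain_local + self.universal_outside + self.sid_history

    def s(self) -> int:
        return self.global_groups + self.universal_in_domain


def token_size(m: Memberships) -> int:
    """TokenSize = 1200 + 40d + 8s, the estimate from KB 327825."""
    return TICKET_OVERHEAD + BYTES_PER_D_ENTRY * m.d() + BYTES_PER_S_ENTRY * m.s()


def exceeds_default(m: Memberships) -> bool:
    """True when the estimate is above the default 12,000-byte MaxTokenSize."""
    return token_size(m) > DEFAULT_MAX_TOKEN_SIZE


def with_sid_history(m: Memberships) -> Memberships:
    """Migration case from the thread (assumption): every group was copied with
    sidHistory, so each membership also contributes one SID-history entry.
    Note that a SID-history entry costs 40 bytes even when the source group
    was a global group that itself costs only 8 bytes."""
    copied = m.global_groups + m.universal_in_domain + m.universal_outside + m.domain_local
    return Memberships(m.global_groups, m.universal_in_domain, m.universal_outside,
                       m.domain_local, m.sid_history + copied)


def max_groups(per_group_bytes: int, max_token: int = DEFAULT_MAX_TOKEN_SIZE) -> int:
    """Largest number of equally-costed groups that still fits the token."""
    return (max_token - TICKET_OVERHEAD) // per_group_bytes


if __name__ == "__main__":
    user = Memberships(global_groups=100, domain_local=50)   # constructed sample
    print(token_size(user), token_size(with_sid_history(user)))
    print(max_groups(8 + 40), max_groups(40 + 40))  # global+history, local+history
```

With the sample memberships the estimate grows from 4,000 to 10,000 bytes once sidHistory is added, and with the default 12,000-byte limit the formula allows 225 global groups or 135 domain local groups when each carries one sidHistory entry.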
 