Article ID: 906208
Article Last Modified on 10/11/2007
APPLIES TO
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
- Microsoft Windows Server 2003, Standard Edition (32-bit x86)
- Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
- Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
- Microsoft Windows Server 2003, Datacenter x64 Edition
- Microsoft Windows Server 2003, Enterprise x64 Edition
SYMPTOMS
When you try to log on to a Microsoft Windows Server 2003-based domain by using a domain user account, you may experience one of the following symptoms:
- The logon request fails, and you receive an error message that is similar to the following:
- You can log on, but you cannot access domain resources. For example, you cannot access shared folders or shared printers.
CAUSE
This problem may occur if you use an account that is a member of more than 1,024 security groups.
When a user logs on to a computer, the Local Security Authority (LSA) generates an access token for the user. This access token represents the security context of the user. The access token contains the user’s unique security identifier (SID). A SID is a unique value of variable length that is used to identify a user account or a security group in Windows. In Windows, a user, group, or computer that is automatically assigned a security identifier is known as a security principal. A SID controls the security principal's access to resources.
A security principal that belongs to one or more groups will have a SID for each group. However, because of system limitations, the field that contains the group membership SIDs in the access token can contain a maximum of 1,024 SIDs. If the access token contains more than 1,024 SIDs, the LSA cannot create an access token for the user or for another security principal during a logon attempt.
If the user is a member of more than 1024 security groups, the user cannot log on to the domain or cannot access domain resources.
WORKAROUND
To work around this problem, remove the user or other security principal from a sufficient number of security groups. This step lets the user or other security principal log on to the domain or access domain resources.
To troubleshoot this kind of resource access or logon problem, the Ntdsutil.exe command-line tool has been updated with a new feature that is named Group Membership Evaluation.
The Group Membership Evaluation feature creates a report that helps you identify the security groups to which the user or other security principal belongs. You can use this tool to make sure that the user or other security principal is not a member of more than 1024 security groups.
To update the Ntdsutil tool, apply this hotfix.
Service pack information
To resolve this problem, obtain the latest service pack for Windows Server 2003. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
889100 How to obtain the latest service pack for Windows Server 2003
Hotfix information
Prerequisites
No prerequisites are required.
Restart requirement
You do not have to restart the computer after you apply this hotfix.
Hotfix replacement information
This hotfix does not replace any other hotfixes.
File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Windows Server 2003, x86-based versions
Date Time Version Size File name
--------------------------------------------------------------
10-Oct-2005 23:44 5.2.3790.422 281,088 Ntdsutil.exe
11-Oct-2005 00:53 5.2.3790.2545 312,320 Ntdsutil.exe
Windows Server 2003, x64-based versions
Date Time Version Size File name
--------------------------------------------------------------
10-Oct-2005 14:31 5.2.3790.2545 502,272 Ntdsutil.exe
10-Oct-2005 14:31 5.2.3790.2545 312,320 Wntdsutil.exe
Windows Server 2003, Itanium-based versions
Date Time Version Size File name -------------------------------------------------------------- 10-Oct-2005 23:44 5.2.3790.422 281,088 Ntdsutil.exe 11-Oct-2005 00:53 5.2.3790.2545 312,320 Ntdsutil.exe
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Windows Server 2003 Service Pack 2.
MORE INFORMATION
For more information about how to address access token violation issues and how to use the Ndtsutil tool to evaluate group membership, see the "Addressing Problems Due to Access Token Limitation" white paper. To download this white paper, visit the following Microsoft Web site:
For more information about the Ntdsutil tool, visit the following Microsoft Web site:
http://technet2.microsoft.com/windowsserver/en/library/5b1d983d-ffab-4514-a95e-6aa0420dacb51033.mspx
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
816915 New file naming schema for Microsoft Windows software update packages
824684 Description of the standard terminology that is used to describe Microsoft software updates
Keywords: kbtshoot kbbug kbfix kbqfe kbpubtypekc kbhotfixserver kbwinserv2003sp2fix KB906208
