
For each client, I have set up a main folder and service subfolders. These folders have Access-Based Enumeration (ABE) enabled, and users belonging to the correct Security Groups (SGs) are able to view and access permitted folders while other folders are hidden away due to ABE. However, I've gotten to the point where we have more than 800 clients, each having 2-3 services, resulting in some users belonging to more than 1010 SGs. This resulted in those users not being able to log in, as explained in https://support.microsoft.com/en-us/kb/328889.

So, if we can't use SGs and ABE in a scalable manner, what other methods work better? It's not by increasing the MaxTokenSize as that has no bearing on the LSA/login portion. I already increased it to 48000 and it doesn't help.

Regards,

John Babbitt
Systems Administrator

  • Could you explain a little more about what the client/folder relationship is. Is a client a client PC? What do the folders do? Are some folders seen by multiple clients? Etc. – Simon Catlin Jan 03 '17 at 20:28
  • I'm speaking of an actual folder that was created for an actual client/company/person. There is a root folder that holds all of our client folders, each having its own security group. Then, within these individual client folders, we have service folders. Each service has its own security group as well. This helps with ABE to show only relevant clients and services that a user should be able to access. But, that was before I learned there was a limit of 1024 SIDs allowed upon logging in. I need a replacement if I can't increase the limit, which has nothing to do with MaxTokenSize. – Ashland Support Group Jan 03 '17 at 20:44
  • By the way, access is dynamically granted to different users for different tasks. I otherwise would've made each folder accessible permanently to specific users, but that's not the case. User assignment to folders changes every day, and using Security Groups **was** the best way to go about it until I learned of the limitation. – Ashland Support Group Jan 03 '17 at 20:58
  • And, yes, multiple, selected users may work on the same client, but each user has their own set of clients, which changes throughout each day by adding and removing users from specific security groups. – Ashland Support Group Jan 03 '17 at 21:06
  • And, no, we can't just add/remove specific users from each folder daily; some of the folders are very large, and that would result in massive changes, causing backups to be big, slow, etc. Thus, the reason why we use Security Groups instead, i.e., the folders themselves never change, just the members of each SG. – Ashland Support Group Jan 03 '17 at 21:32
  • Need more details, server OS etc. What happened when you tried DAC? – Jim B Jan 04 '17 at 00:53
  • What OS version are the Clients? Servers? Domain Controllers? The hotfix may need to be installed on all. Server 2012 or later does not need the hotfix; it supports larger token size by default. Have you actually deployed the KB328889 hotfix or only set the registry key? Note where the article states `If you use the hotfix that is described in this article, you do not have to modify the MaxTokenSize registry value in most cases.` – Clayton Jan 04 '17 at 16:01
  • The users are using Windows 7 to 10, plus Server 2008 R2 to 2016. **All** have this hardcoded Windows limit of 1024 SIDs for LSA/login, even when MaxTokenSize is set to 48000 decimal per KB328889. I have no issue setting user permissions by putting them in assigned SGs, which are already correctly applied to the folders, i.e., no need to manually use ICACLS to modify the DACL to apply the SGs to folders. It's **Windows** that has an issue handling more than 1024 SIDs assigned to users. I had to remove users from some SGs to get it down to less than 1024 SIDs before they could log in again. – Ashland Support Group Jan 04 '17 at 21:46
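Because the failure mode described in the thread only shows up when an account is already over the limit, it helps to see it coming. The following PowerShell script is an added example, not code from the question or the commenters: it reads the constructed `tokenGroups` attribute of every user in the domain (the SIDs of all security groups the account is a transitive member of, which is roughly what LSA places in the logon token) and flags accounts approaching the SID ceiling. It assumes it is run on a domain-joined machine by an account allowed to read `tokenGroups`; the `$WarnAt` threshold, the search base and the output file name are placeholders chosen for this example.

```powershell
# Added example (not from the original post): audit how close each AD account's
# transitive group membership is to the logon-token SID limit discussed in KB328889.
# Assumes: domain-joined host, caller may read the tokenGroups attribute.
param(
    [int]$WarnAt = 900,                                               # warning threshold, tune per environment
    [string]$SearchBase = ([adsi]"LDAP://RootDSE").defaultNamingContext,
    [string]$ReportPath = '.\token-group-report.csv'                  # placeholder output path
)

function Get-TokenGroupCount {
    param([System.DirectoryServices.DirectoryEntry]$User)
    # tokenGroups is a constructed attribute, so it must be explicitly refreshed;
    # it expands nested membership, unlike memberOf, which lists direct groups only.
    $User.RefreshCache(@('tokenGroups'))
    return @($User.Properties['tokenGroups']).Count
}

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [adsi]"LDAP://$SearchBase"
$searcher.Filter     = '(&(objectCategory=person)(objectClass=user))'
$searcher.PageSize   = 1000                      # paged results so large domains enumerate fully
$null = $searcher.PropertiesToLoad.Add('sAMAccountName')

$report = foreach ($result in $searcher.FindAll()) {
    $entry = $result.GetDirectoryEntry()
    $count = Get-TokenGroupCount -User $entry
    [pscustomobject]@{
        User      = $result.Properties['samaccountname'][0]
        GroupSids = $count
        # The real token also carries the user SID, primary group and well-known SIDs
        # (Everyone, Authenticated Users, ...), so usable headroom is below 1024 - GroupSids.
        NearLimit = ($count -ge $WarnAt)
    }
}

# Show the heaviest accounts on screen and write the at-risk ones to CSV for follow-up.
$report | Sort-Object GroupSids -Descending | Select-Object -First 25 | Format-Table -AutoSize
$report | Where-Object NearLimit | Export-Csv -Path $ReportPath -NoTypeInformation
```

Run it on a schedule from a management host and alert on any account whose `GroupSids` crosses the threshold; that gives a window to trim memberships before the logon failure the question describes occurs, and the per-user counts also show which client/service groups contribute most to the total.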
