
LWE10083 : Domain Logon Authentication fails with more than 1015 group memberships

Symptom:

Error message upon logon failure: "...security context accumulated too many security IDs...."

Cause:

User is member of too many groups

Solution:

Logon Message:
"The system cannot log you on due to the following error: During a logon attempt, the user’s security context accumulated too many security IDs. Please try again or consult your system administrator"

In MS Windows domains (W2k and W2k3) there is a maximum of 1024 groups of which a domain user can be a member. However, because 9 well-known SIDs are inserted by the Local Security Authority (LSA), the effective limit is 1015.

If a domain user exceeds this threshold (keep in mind transitive group memberships in a multi-domain environment!), he or she cannot log on any more until enough security groups have been removed.

If this happens to a member of the Administrators group, you need to restart a domain controller with the "Safe Mode" or "Safe Mode with Networking" startup option and log on to the domain controller with the affected account.
After logging on in Safe Mode, the administrator must identify and modify the group memberships causing the logon failure.

Note:
Logon in Safe Mode is possible because Microsoft modified the token generation algorithm of the LSA so that, in Safe Mode, the LSA can create an access token for the Administrator account no matter how many groups (transitive and non-transitive) the administrator is a member of.
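The following PowerShell script is an added example, not part of the original article, that lets an administrator check a user's transitive group count before the 1015 limit is hit. It reads the constructed tokenGroups attribute (the SIDs of all nested security groups that go into the logon token) via ADSI; the $SamAccountName, $Limit and $WarnAt parameters and the 900 warning threshold are assumptions of this example, and it must run on a domain-joined Windows machine.

```powershell
# Added example: count the transitive security-group SIDs that would be placed in a
# user's logon token and warn when the count approaches the 1015 limit described above.
# Assumptions (not from the original page): domain-joined host, ADSI available,
# $SamAccountName/$Limit/$WarnAt are parameters chosen for this example.
param(
    [Parameter(Mandatory = $true)] [string] $SamAccountName,
    [int] $Limit  = 1015,   # 1024 minus the 9 well-known SIDs, as stated in the article
    [int] $WarnAt = 900     # constructed early-warning threshold
)

# Locate the user object in the current domain by sAMAccountName.
$searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
$searcher.PropertiesToLoad.Add("distinguishedName") | Out-Null
$result = $searcher.FindOne()
if (-not $result) { throw "User '$SamAccountName' not found in the current domain." }

# tokenGroups is a constructed attribute holding the SIDs of every security group the
# user belongs to, including nested (transitive) memberships across trusted domains.
# It is only populated by a base-scope refresh on the object itself.
$entry = $result.GetDirectoryEntry()
$entry.RefreshCache(@("tokenGroups"))
$sids = foreach ($raw in $entry.Properties["tokenGroups"]) {
    New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
}

$count = @($sids).Count
"{0}: {1} transitive security-group SIDs would enter the token (limit {2})" -f `
    $SamAccountName, $count, $Limit

if ($count -ge $Limit) {
    Write-Warning "Logon will fail: the security context would accumulate too many security IDs."
} elseif ($count -ge $WarnAt) {
    Write-Warning "Approaching the SID limit; review this user's group memberships now."
}

# Show which domains contribute the most SIDs; cleanup usually starts there.
$sids | Group-Object { $_.AccountDomainSid } | Sort-Object Count -Descending |
    Select-Object Count, @{ n = "DomainSid"; e = { $_.Name } } | Format-Table -AutoSize
```

Run it as a domain user with read access to the account, e.g. `.\Check-TokenGroups.ps1 -SamAccountName jdoe`; SID history entries are not counted here, so treat the result as a lower bound.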


Disclaimer:

The information provided in this document is intended for your information only. Lubby makes no claims to the validity of this information. Use of this information is at own risk!
Copyright © 2004-2011 Lubby (V3.0.10 Aug 2011)