During a logon attempt, the user’s security context accumulated too many security IDs

Hello all,

Hope this post finds you in good health and spirit.

This post is regarding to address an issue :- During a logon attempt, the user’s security context accumulated too many security IDs.

This error comes when the user’s access token exceeds to 1015 group memberships, and at which point the user is blocked from logging on system with the above error.  

The userโ€™s access token holds an entry for each group which user is a member of, either directly or through nested groups. On top of the entries that are added by group membership, a number of additional entries are added by the system. During a logon attempt, the user’s security context accumulated too many security IDs.

This is a very unusual situation. Remove the user from some groups to reduce the number of security IDs to incorporate into the security context but before removal of any groups from user id, impact assessment must be done to avoid any other impact.

To reduce the Kerberos Ticket Size you can:

  •  Reduce/consolidate group membership
  • Clean up SID History
  • Limit the number of users that are configured to use “trusted for delegation”. The account that are configured to use “trusted for delegation” the buffer requirements for each SID may double.

You can export the nested group memberships via powershell script or command line .below is the powershell script and command to export the nested group memberships.

function GetNestedADGroupMembership {
Param([parameter(Mandatory=$true)] $user,
[parameter(Mandatory=$false)] $grouphash = @{})

$groups = @(Get-ADPrincipalGroupMembership -Identity $user -Server windowstechno.local | select -ExpandProperty distinguishedname)
foreach ($group in $groups) {
if ( $grouphash[$group] -eq $null) {
$grouphash[$group] = $true
$group
GetNestedADGroupMembership $group $grouphash
}
}
}
GetNestedADGroupMembership “CN=pankaj.kumar,OU=User Accounts,OU=User Directory,DC=windowstechno,DC=local”

you can also fetch the nested groups details via below command then identify the group details which need to be removed from user’s account.

ntdsutil “g m e” “v ON” “r windowstechno.local pankaj.kumar” “q” “q”

There is a hard limit of 1,015 groups a user can be a member of. If a user tries to log into a computer by using a local or domain account and they are a member of more than 1,015 groups they will get this Logon Message: The system cannot log you on due to the following error: During a logon attempt, the userโ€™s security context accumulated too many security IDs. Please try again or consult your system administrator.

So, thatโ€™s all in this blog. I will meet you soon with next stuff .Have a nice day !!!

Guys please donโ€™t forget to like and share the post. You can also share the feedback on below windows techno email id.

If you have any questions feel free to contact us on admin@windowstechno.com also follow us on facebook@windowstechno to get updates about new blog posts.

How useful was this post?

Click on a star to rate it!