Users Who Belong to More Than 95 Groups Cannot Log On (118766)
The information in this article applies to:
- Microsoft Windows NT Server 3.1
- Microsoft Windows NT Server 3.5
- Microsoft Windows NT Workstation 3.1
- Microsoft Windows NT Workstation 3.5
- Microsoft Windows NT Advanced Server 3.1
This article was previously published under Q118766 SYMPTOMS
Any user in a Windows NT domain who is a member of more than 95 global or
local groups will experience problems during or after logging on.
If such a user attempts to log on from a Windows NT, Windows NT Advanced
Server, or Windows for Workgroups machine, the logon attempt will fail.
If such a user attempts to log from other types of clients, unusual and
misleading errors will be reported while logging on, but the logon attempt
will succeed. However, after logging on, misleading errors will be reported
when trying to access network resources on Windows NT machines in the
domain.
CAUSE
Currently, a Windows NT access token can contain at most 100 Security
Identifiers (SIDs). This restriction was imposed to place an upper limit on
memory requirements and search times associated with access tokens.
Windows NT Security requires an access token to be created for every user
who logs on to a Windows NT machine (either locally, by entering a username
and password, or remotely, by connecting to a shared resource).
Adding a user to 95 or more local or global groups results in more than 100
SIDs being associated with that user, once hidden built-in groups are taken
into consideration.
Any logon attempt by such a user fails, because the creation of the user's
access token fails with error C000015A - the number of SIDs associated with
the user exceeds the limit for an access token.
WORKAROUND
To work around this restriction, remove affected users from a number of
global or local groups, until they are members of fewer than 95 groups when
viewed in User Manager. They will then be able to log on as usual.
STATUS
Microsoft has confirmed this to be a problem in Windows NT and Windows NT
Advanced Server version 3.1 and Windows NT Workstation and Windows NT
Server version 3.5. We are researching this problem and will post new
information here in the Microsoft Knowledge Base as it becomes available.
REFERENCES
"Inside Windows NT" by Helen Custer, Section 3.3.1, "Access Tokens"
Modification Type: | Major | Last Reviewed: | 12/15/2003 |
---|
Keywords: | kbnetwork KB118766 |
---|
|