When you try to log on to a Windows Server 2003-based domain by using a domain user account, the logon request fails

When you try to log on to a Microsoft Windows Server 2003-based domain by using a domain user account, you may experience one of the following symptoms:

• The logon request fails, and you receive an error message that is similar to the following:
  The system cannot log you on due to the following error: During a logon attempt, the user’s security context accumulated too many security IDs. Please try again or consult your system administrator.
• You can log on, but you cannot access domain resources. For example, you cannot access shared folders or shared printers.

This problem may occur if you use an account that is a member of more than 1,024 security groups.

When a user logs on to a computer, the Local Security Authority (LSA) generates an access token for the user. This access token represents the security context of the user. The access token contains the user’s unique security identifier (SID). A SID is a unique value of variable length that is used to identify a user account or a security group in Windows. In Windows, a user, group, or computer that is automatically assigned a security identifier is known as a security principal. A SID controls the security principal's access to resources.

A security principal that belongs to one or more groups will have a SID for each group. However, because of system limitations, the field that contains the group membership SIDs in the access token can contain a maximum of 1,024 SIDs. If the access token contains more than 1,024 SIDs, the LSA cannot create an access token for the user or for another security principal during a logon attempt.

If the user is a member of more than 1024 security groups, the user cannot log on to the domain or cannot access domain resources.

To work around this problem, remove the user or other security principal from a sufficient number of security groups. This step lets the user or other security principal log on to the domain or access domain resources.

To troubleshoot this kind of resource access or logon problem, the Ntdsutil.exe command-line tool has been updated with a new feature that is named Group Membership Evaluation.

The Group Membership Evaluation feature creates a report that helps you identify the security groups to which the user or other security principal belongs. You can use this tool to make sure that the user or other security principal is not a member of more than 1024 security groups.

To update the Ntdsutil tool, apply this hotfix.

Service pack information

To resolve this problem, obtain the latest service pack for Windows Server 2003. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

No prerequisites are required.

Restart requirement

You do not have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace any other hotfixes.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows Server 2003, x86-based versions

Windows Server 2003, x64-based versions

Windows Server 2003, Itanium-based versions

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Windows Server 2003 Service Pack 2.

For more information about how to address access token violation issues and how to use the Ndtsutil tool to evaluate group membership, see the "Addressing Problems Due to Access Token Limitation" white paper. To download this white paper, visit the following Microsoft Web site:For more information about the Ntdsutil tool, visit the following Microsoft Web site:For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base: