Article ID: 938118 - Last Review: April 6, 2009 - Revision: 3.0

How to use Group Policy to add the MaxTokenSize registry entry to multiple computers


INTRODUCTION

On a domain controller that is running Windows 2000, Windows Server 2003, or Windows Server 2008, you can use Group Policy to add the following registry entry to multiple computers:
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Entry: MaxTokenSize
Data type: REG_DWORD
Value: 65535
This article describes how to do this.

MORE INFORMATION

To use Group Policy to add the registry entry to multiple computers, follow these steps:
  1. Start Notepad.
  2. Copy the following text, and then paste the text into Notepad.
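    ; Machine-wide policy: the value is written under HKEY_LOCAL_MACHINE.
    CLASS MACHINE

    CATEGORY !!KERB

        KEYNAME "SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"
        ; VALUEON is written when the policy is enabled, VALUEOFF when it is disabled.
        POLICY !!MaxToken
            VALUENAME "MaxTokenSize"
            VALUEON NUMERIC 65535
            VALUEOFF NUMERIC 0
        END POLICY

    END CATEGORY

    [strings]
    KERB="Kerberos Maximum Token Size"
    MaxToken="Kerberos MaxTokenSize"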
    
  3. Save the Notepad document as MaxTokenSize.adm in the %windir%\Inf\ folder on the domain controller.
  4. Exit Notepad.
  5. Create a new Group Policy object (GPO) that is linked at the domain level or that is linked to the organizational unit (OU).

    Note: The OU contains the computers to which you want to add the registry entry.
  6. Open Group Policy Object Editor. To do this, click Start, click Run, type gpedit.msc, and then click OK.
  7. In the console tree, expand Computer Configuration, expand Administrative Templates, and then click Administrative Templates.
  8. On the Action menu, point to All Tasks, and then click Add/Remove Templates.
  9. Click Add.
  10. Click to select the MaxTokenSize.adm file that you created in step 3, and then click Open.
  11. Click Close.
  12. On a Windows 2000-based domain controller, click to clear Show Policies Only on the View menu.

    On a Windows Server 2003-based domain controller, follow these steps:
    1. On the View menu, click Filtering.
    2. Click to clear the Only show policy settings that can be fully managed check box, and then click OK.

In Windows Server 2008 domains and in Windows Server 2008 R2 domains, you can add the registry entry by modifying an existing Group Policy object (GPO) or by creating a new GPO. Make sure that the GPO is linked to the correct portion of your Active Directory hierarchy so that the GPO applies to the computer accounts of the computers that you want to modify. To create the MaxTokenSize value setting in a GPO, follow these steps:
  1. Open the Group Policy Management Console (Gpmc.msc). To do this, click Start, click Run, type gpmc.msc, and then click OK.
  2. In the Group Policy Management Console, right-click a Group Policy object, and then click Edit to open the Group Policy Management Editor window.
  3. Expand Computer Configuration, expand Preferences, and then expand Windows Settings.
  4. Right-click Registry, point to New, and then click Registry Item. The New Registry Properties dialog box appears.
  5. In the Action list, click Create.
  6. In the Hive list, click HKEY_LOCAL_MACHINE.
  7. In the Key Path list, click SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters.
  8. In the Value name box, type MaxTokenSize.
  9. In the Value type box, click to select the REG_DWORD check box.
  10. In the Value data box, type 65535.
  11. Next to Base, click to select the Decimal check box.
  12. Click OK.
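
To confirm that the policy reached the targeted computers, the following PowerShell script reads the entry over the Remote Registry service and compares it with the key, data type, and value given in this article. It is an added example, not part of the original article; the computer names are placeholders, and it assumes that Remote Registry is reachable on each target from an account that has administrative rights.

```powershell
# Added example: verify that MaxTokenSize was delivered to each target computer.
# Assumptions: the computer names are placeholders, and the Remote Registry
# service is reachable on each target with administrative rights.
$Computers = @('SERVER01', 'SERVER02')   # hypothetical names; replace with your own
$KeyPath   = 'SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$ValueName = 'MaxTokenSize'
$Expected  = 65535

function Test-MaxTokenSize {
    param([string]$ComputerName)

    $result = New-Object PSObject -Property @{
        Computer = $ComputerName; Value = $null; Kind = $null; Status = 'Unknown'
    }
    $hive = $null; $key = $null
    try {
        $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                    [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
        $key = $hive.OpenSubKey($KeyPath)
        if ($null -eq $key -or $null -eq $key.GetValue($ValueName)) {
            $result.Status = 'Missing'        # key or entry absent: policy not applied
        } else {
            $result.Value = $key.GetValue($ValueName)
            $result.Kind  = $key.GetValueKind($ValueName)
            if ($result.Kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
                $result.Status = 'WrongType'  # entry exists but is not REG_DWORD
            } elseif ($result.Value -ne $Expected) {
                $result.Status = 'WrongValue' # entry exists with different data
            } else {
                $result.Status = 'OK'
            }
        }
    } catch {
        # Unreachable host, access denied, or Remote Registry stopped.
        $result.Status = "Error: $($_.Exception.Message)"
    } finally {
        if ($key)  { $key.Close() }
        if ($hive) { $hive.Close() }
    }
    $result
}

$Computers | ForEach-Object { Test-MaxTokenSize $_ } |
    Select-Object Computer, Value, Kind, Status | Format-Table -AutoSize
```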

REFERENCES

For more information about how to write custom .adm files, click the following article number to view the article in the Microsoft Knowledge Base:
225087 (http://support.microsoft.com/kb/225087/) Writing custom ADM files for System Policy Editor

APPLIES TO
  • Windows Server 2008 R2 Standard
  • Windows Server 2008 Standard
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Datacenter
  • Microsoft Windows Server 2003 R2 Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003 R2 Enterprise Edition (32-Bit x86)
  • Microsoft Windows Server 2003 R2 Datacenter Edition (32-Bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server