Can't add users or groups to local Administrators group on Server 2008 server in another domain

  • Question

  • I have a group we'll call Group1 in a domain we'll call Domain1.  I have several Domain1 user accounts (User1, User2, and User3 for example) added to Domain1\Group1.  I also have a domain (we'll call Domain2) that trusts Domain1 (one-way trust and in the same forest).  In Domain2, I have a Server 2008 R2 Enterprise server (Server2) that has Domain1\Group1 added to the local Administrators group.  I log onto it with Domain1\User1 (who is a member of Group1).  Success.  Now to the problem.  I navigate to the local Administrators group on Server2, I click the "Add" button, I type in Domain1\UserX (knowing UserX exists in Domain1), then I click "Check Names" - can't find it.  However, I try logging on with the User2 account (also a member of the same Domain1\Group1 group) and I'm able to find the account and add it when clicking "Check Names" with no issue.  What could be wrong or different with User1's account that would prevent it from doing something where another user with the same access has no issue?

    Friday, September 14, 2012 7:00 PM

Answers

  • Cicely, thanks for your feedback.  I've made sure to set the location to Domain1 when searching and I know users can connect to it from Domain2 because we have the trust in place between Domain1 and 2.  I've compared the two users and User1 has a couple more group memberships in addition to all of User2's memberships.

    After more digging, we found the following event:

    "The kerberos SSPI package generated an output token of size 19121 bytes, which was too large to fit in the token buffer of size 12000 bytes, provided by process id 3200.

    The output SSPI token being too large is probably the result of the user User1@Domain1.com being a member of a large number of groups.

    It is recommended to minimize the number of groups a user belongs to. If the problem can not be corrected by reduction of the group memberships of this user, please contact your system administrator to increase the maximum token size, which in term is configured machine-wide via the following registry value: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxTokenSize."

    We're going to try cleaning up the User1's group memberships to see if that makes a difference.


    Minh Ramsden

    • Marked as answer by minhsky Friday, September 21, 2012 8:44 PM
    Monday, September 17, 2012 4:59 PM
  • FIXED!  The error message from my last post pointed us right to the solution.  We found out that the user account having the issues was indeed related to the kerberos output token size.  The token apparently gets created as a result of Active Directory de-referencing the account and all of its group memberships.  Well, one of the user's groups was itself a member of about 30 other groups and the de-referencing drove up the size of the output token past the limit of the token buffer.  

    Since the user no longer needed this particular group access, we removed him and all is well.


    Minh Ramsden

    • Marked as answer by minhsky Friday, September 21, 2012 8:44 PM
    Friday, September 21, 2012 8:44 PM
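The fix above turns on one mechanism: the SIDs in a Kerberos ticket are the transitive closure of the user's group memberships, so one group that is itself nested in many others can push the token past the buffer the event reports. The script below is an added example, not code from the thread or from Microsoft; it models that expansion on a constructed directory shaped like the poster's (the group names are invented), splits the result into the two buckets of the rough size estimate from Microsoft KB 327825 (TokenSize = 1200 + 40d + 8s), and reports which direct membership drags in the most groups. The estimate is a planning figure only; the authoritative size is the one the event log reports.

```python
"""Model how nested AD group membership inflates a Kerberos token.

Added example: all directory data is constructed to mirror the thread's
Domain1 / Domain2 layout, and the group names are invented.
"""
from collections import deque

# Token buffer size the event in the thread reports, in bytes.
DEFAULT_TOKEN_BUFFER = 12000

# Constructed directory: group -> (scope, domain, groups it is a member of).
GROUPS = {
    "Domain1\\Group1": ("global", "Domain1", []),
    "Domain1\\Staff": ("global", "Domain1", []),
    # The problem group: itself a member of 30 groups in the resource domain.
    "Domain1\\Legacy-Apps": (
        "global", "Domain1",
        [f"Domain2\\App{n:02d}-Operators" for n in range(1, 31)],
    ),
}
for n in range(1, 31):
    ops, admins = f"Domain2\\App{n:02d}-Operators", f"Domain2\\App{n:02d}-Admins"
    GROUPS[ops] = ("domainlocal", "Domain2", [admins])  # operators nested in admins
    GROUPS[admins] = ("domainlocal", "Domain2", [])

# Constructed users: user -> (account domain, direct group memberships).
USERS = {
    "Domain1\\User1": ("Domain1", ["Domain1\\Group1", "Domain1\\Staff",
                                   "Domain1\\Legacy-Apps"]),
    "Domain1\\User2": ("Domain1", ["Domain1\\Group1", "Domain1\\Staff"]),
}


def expand_groups(direct, groups=GROUPS):
    """Transitive closure of membership (what ends up as SIDs in the PAC).
    Breadth-first and cycle-safe, so circular nesting cannot loop forever."""
    seen, queue = set(), deque(direct)
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        queue.extend(groups.get(g, (None, None, []))[2])
    return seen


def count_d_and_s(account_domain, all_groups, groups=GROUPS):
    """KB 327825 buckets: d = domain local groups plus universal groups outside
    the account domain (40 bytes each); s = global groups plus universal groups
    in the account domain (8 bytes each)."""
    d = s = 0
    for g in all_groups:
        scope, domain, _ = groups[g]
        if scope == "domainlocal" or (scope == "universal" and domain != account_domain):
            d += 1
        else:
            s += 1
    return d, s


def estimate_token_size(d, s, sid_history=0):
    """Rough token size in bytes; SID-history entries count like d groups."""
    return 1200 + 40 * (d + sid_history) + 8 * s


def fits_in_buffer(estimated_bytes, buffer_bytes=DEFAULT_TOKEN_BUFFER):
    return estimated_bytes <= buffer_bytes


def token_report(user, users=USERS, groups=GROUPS):
    account_domain, direct = users[user]
    all_groups = expand_groups(direct, groups)
    d, s = count_d_and_s(account_domain, all_groups, groups)
    est = estimate_token_size(d, s)
    return {"total_groups": len(all_groups), "d": d, "s": s,
            "estimated_bytes": est, "fits": fits_in_buffer(est)}


def group_contributions(user, users=USERS, groups=GROUPS):
    """How many transitive groups each direct membership drags in; the largest
    is the first candidate to review, which is what the poster found."""
    _, direct = users[user]
    return {g: len(expand_groups([g], groups)) for g in direct}


if __name__ == "__main__":
    for u in USERS:
        print(u, token_report(u))
    heaviest = max(group_contributions("Domain1\\User1").items(), key=lambda kv: kv[1])
    print("heaviest direct membership:", heaviest)
```

With real data you would feed `expand_groups` the user's `tokenGroups` attribute instead of a hand-built map; the point of the model is that User1 and User2 differ by a single direct membership, yet that one group accounts for sixty of User1's SIDs.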

All replies

  • Are you using the AGUDLP (Accounts, Global, Universal, Domain Local, Permissions) method to add users to groups?

    Add the User Accounts to Global Groups> Global Groups to Universal Group> Universal Groups to Domain Local Groups.
    http://technet.microsoft.com/en-us/library/cc772808%28WS.10%29.aspx


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Saturday, September 15, 2012 7:29 AM
  • Hi,

    To add users in other domains you need to:
    1. select correct location when you add it.
    2. be able to connect to the domain controllers in that domain.
    3. have permission to query data in that domain.

    Check membership of user1 and user2 again and compare them, could you find some hints?

    Regards,
    Cicely

    • Proposed as answer by Sandesh Dubey Monday, September 17, 2012 8:57 AM
    Monday, September 17, 2012 8:02 AM
  • Because the domain user group is a domain local group, it can have members from any domain, but permissions can be defined only on resources in its own domain. Read about group scope below to understand more.

    Group scope

    http://technet.microsoft.com/en-us/library/cc755692%28v=ws.10%29.aspx

    The best way to assign permission to the resources in other domain is using the AGUDLP (Accounts > Global > Universal > Domain Local > Permissions) method to add users/groups in other domain.

    - Add the User Accounts to Global Groups
    - Global Groups to Universal Groups
    - Universal Groups to Domain Local Groups
    - Domain Local Groups to the group you want to assign the permission.

    It is better to always use groups instead of the individual to assign permission.

    http://msmvps.com/blogs/acefekay/archive/2012/01/06/using-group-nesting-strategy-ad-best-practices-for-group-strategy.aspx


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Monday, September 17, 2012 9:02 AM
  • Hi Minh,

    Any update with it?

    Regards,
    Cicely

    Friday, September 21, 2012 8:10 AM
  • Hi,

    Nice to hear your issue has been resolved, and thanks for sharing :)

    Regards,
    Cicely

    Monday, September 24, 2012 6:57 AM