With this one-liner I managed to get the recursive group memberships of a user and, more importantly, the count of that list. This is important to know when you run into a MaxTokenSize issue.
Normally a single user has a fairly limited token in which the SIDs (security identifiers) of every group the user is a member of, directly or indirectly, are stored. When the token is full it is trimmed, and some memberships are “forgotten” in a random way.
The token size can be stretched to a maximum of 65535 bytes. You do this by editing the registry:
registrykey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
value: MaxTokenSize (REG_DWORD)
data: 0xFFFF (65535)
But even after stretching the token size it still isn’t unlimited. Because the length of a SID is not fixed, there is no fixed number of groups a user can be a member of without problems. The standard value of the token size will result in about 200 group memberships. The max size will result in a max of 1015 groups, but that is never the reality.
My findings are that the max is still reached above 500 groups. When troubleshooting it is very useful to know the count of memberships of a specific user.
This is the PowerShell line I use for that. It requires the Quest ARS cmdlets:
(Get-QADMemberOf "<domainname>\<username>" -Indirect).count
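For environments without the Quest cmdlets, here is an added example (not from the original post) that does the same recursive count with the built-in ActiveDirectory module, then estimates the token size and reads the MaxTokenSize value from the registry key described above. It assumes RSAT on a domain-joined host, queries only the user's own domain (universal groups from other domains would need a global catalog query) and uses Microsoft's KB 327825 sizing formula as the estimate.

```powershell
# Added example, not from the original post: count a user's recursive (nested)
# security-group memberships with the built-in ActiveDirectory (RSAT) module,
# estimate the resulting Kerberos token size and compare it with the configured
# MaxTokenSize. Assumes a domain-joined host; only the user's own domain is
# queried, so universal groups from other domains are not counted.
param([Parameter(Mandatory)][string]$SamAccountName)

Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping so a DN containing \ ( ) * does not break the filter.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

$user = Get-ADUser -Identity $SamAccountName -Properties SIDHistory
$dn   = ConvertTo-LdapFilterValue $user.DistinguishedName

# LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes the DC walk nested
# membership, so one query returns direct and indirect groups, like -Indirect above.
$groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" -Properties GroupScope, GroupCategory |
          Where-Object { $_.GroupCategory -eq 'Security' }   # distribution groups add no SID

$local     = @($groups | Where-Object { $_.GroupScope -eq 'DomainLocal' }).Count
$globalUni = @($groups | Where-Object { $_.GroupScope -in 'Global', 'Universal' }).Count
$sidHist   = @($user.SIDHistory).Count

# Microsoft's estimate (KB 327825): TokenSize = 1200 + 40*d + 8*s, where d counts
# domain local groups plus SIDHistory entries and s counts global/universal groups.
$estimate = 1200 + 40 * ($local + $sidHist) + 8 * $globalUni

# Read the effective limit from the key the post describes; assume the pre-Windows 8
# default of 12000 bytes when the value is absent.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$max = (Get-ItemProperty -Path $regPath -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize
if (-not $max) { $max = 12000 }

[pscustomobject]@{
    User            = $user.SamAccountName
    RecursiveGroups = @($groups).Count
    DomainLocal     = $local
    GlobalUniversal = $globalUni
    SIDHistory      = $sidHist
    EstimatedBytes  = $estimate
    MaxTokenSize    = $max
    NearLimit       = $estimate -gt ($max * 0.8)   # flag users within 20% of the limit
}
```

The estimate is only an approximation; the real token also carries claims and other data, so treat NearLimit as a prompt to clean up group sprawl rather than as an exact measurement.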