| Author | Messages | |
ArthurKitchens
Posts:2
 | | 11/14/2005 1:01 AM |
| Might anyone know what actually happens in this situation? Do sids in the token up to maxtokensize get evalutated ( is sid order within the token determined by sequence of group memberships additions , if order even matter)? None of them? Something completely different from either of these two scenerios? Thanks in advance.
A. E. Kitchens
phone 904-301-3578
fax 904-301-3625
Atonally DO:RE:MI:FA:SO:LA:TI:DO
Felis demulcta mitis
"Reality is that which, when you stop believing in it, doesn't go away".
-- Philip K. Dick | | | |
| AD000001348
Posts:0
| | 11/14/2005 3:05 AM |
| Can you be more specific? Are you asking if the order of the tokens is FIFO
related to group additions and if so, is it evaluated up to that point when
the token is bloated beyond the maxtokensize?
Is there a reason you would want to know that? I'm thinking that you'd get
unpredictable results to make this worthwhile and you'll be better off
fixing the issue in the first place. Unless this is for some sort of audit
after the fact and you want to prove/disprove when the issue would occur for
that sake.
There's a utility (name escapes me at the moment) that lets you evaluate the
token size on a command line. You may be able to setup some quick tests and
see exactly what happens in this situation. I'll try to remember the name
of the utility if somebody else doesn't chime in with it first.
Al
From: Kitchens Arthur E
Reply-To: ActiveDir@xxxxxxxxxxxxxxxxxx
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] Token Bloat
Date: Mon, 14 Nov 2005 07:59:01 -0500
Might anyone know what actually happens in this situation? Do sids in
the
token up to maxtokensize get evalutated ( is sid order within the token
determined by sequence of group memberships additions , if order even
matter)? None of them? Something completely different from either of these
two scenerios? Thanks in advance.
A. E. Kitchens
phone 904-301-3578
fax 904-301-3625
Atonally DO:RE:MI:FA:SO:LA:TI:DO
Felis demulcta mitis
"Reality is that which, when you stop believing in it, doesn't go away".
-- Philip K. Dick
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| ZJORZ
Posts:133
| | 11/14/2005 3:14 AM |
| see:
Tokensz
http://www.microsoft.com/downloads/details.aspx?FamilyID=4a303fa5-cf20-43fb-9483-0f0b0dae265c&displaylang=en
Authentication Fails Due to User PAC
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/3872f0d7-e4b3-49ed-9a4b-1fefbf0d4547.mspx
Cheers
Jorge
________________________________
Van: ActiveDir-owner@xxxxxxxxxxxxxxxxxx namens Al Mulnick
Verzonden: ma 14-11-2005 16:03
Aan: ActiveDir@xxxxxxxxxxxxxxxxxx
Onderwerp: RE: [ActiveDir] Token Bloat
Can you be more specific? Are you asking if the order of the tokens is FIFO
related to group additions and if so, is it evaluated up to that point when
the token is bloated beyond the maxtokensize?
Is there a reason you would want to know that? I'm thinking that you'd get
unpredictable results to make this worthwhile and you'll be better off
fixing the issue in the first place. Unless this is for some sort of audit
after the fact and you want to prove/disprove when the issue would occur for
that sake.
There's a utility (name escapes me at the moment) that lets you evaluate the
token size on a command line. You may be able to setup some quick tests and
see exactly what happens in this situation. I'll try to remember the name
of the utility if somebody else doesn't chime in with it first.
Al
>From: Kitchens Arthur E
>Reply-To: ActiveDir@xxxxxxxxxxxxxxxxxx
>To: ActiveDir@xxxxxxxxxxxxxxxxxx
>Subject: [ActiveDir] Token Bloat
>Date: Mon, 14 Nov 2005 07:59:01 -0500
>
> Might anyone know what actually happens in this situation? Do sids in
>the
>token up to maxtokensize get evalutated ( is sid order within the token
>determined by sequence of group memberships additions , if order even
>matter)? None of them? Something completely different from either of these
>two scenerios? Thanks in advance.
>
> A. E. Kitchens
>phone 904-301-3578
>fax 904-301-3625
>Atonally DO:RE:MI:FA:SO:LA:TI:DO
>Felis demulcta mitis
>
>
>"Reality is that which, when you stop believing in it, doesn't go away".
> -- Philip K. Dick
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| bdesmond
Posts:416
| | 11/14/2005 3:21 AM |
| I don't know about a command line utility, but. Kerbtray lets you evaluate
token and ticket sizes, I believe.
Thanks,
Brian Desmond
brian@xxxxxxxxxxxxxxxx
c - 312.731.3132
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Al Mulnick
Sent: Monday, November 14, 2005 10:03 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Token Bloat
Can you be more specific? Are you asking if the order of the tokens is FIFO
related to group additions and if so, is it evaluated up to that point when
the token is bloated beyond the maxtokensize?
Is there a reason you would want to know that? I'm thinking that you'd get
unpredictable results to make this worthwhile and you'll be better off
fixing the issue in the first place. Unless this is for some sort of audit
after the fact and you want to prove/disprove when the issue would occur for
that sake.
There's a utility (name escapes me at the moment) that lets you evaluate the
token size on a command line. You may be able to setup some quick tests and
see exactly what happens in this situation. I'll try to remember the name
of the utility if somebody else doesn't chime in with it first.
Al
>From: Kitchens Arthur E
>Reply-To: ActiveDir@xxxxxxxxxxxxxxxxxx
>To: ActiveDir@xxxxxxxxxxxxxxxxxx
>Subject: [ActiveDir] Token Bloat
>Date: Mon, 14 Nov 2005 07:59:01 -0500
>
> Might anyone know what actually happens in this situation? Do sids in
>the
>token up to maxtokensize get evalutated ( is sid order within the token
>determined by sequence of group memberships additions , if order even
>matter)? None of them? Something completely different from either of these
>two scenerios? Thanks in advance.
>
> A. E. Kitchens
>phone 904-301-3578
>fax 904-301-3625
>Atonally DO:RE:MI:FA:SO:LA:TI:DO
>Felis demulcta mitis
>
>
>"Reality is that which, when you stop believing in it, doesn't go away".
> -- Philip K. Dick
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| ArthurKitchens
Posts:2
| | 11/14/2005 4:16 AM |
| From the other response I saw from Jorge de Almeida Pinto (thanks!) I'm thinking that maybe my confusion is stemming from what this really is , a kereberos ticketing issue, not general access. Is that a correct or incorrect assumption? We have users that are in an inordinate number of groups (~213 is the grand prize winner), and sidhistories of various sizes are involved. We have seen this before, and addressed it by limited cleaning of sidhistory. But when we stumbled across these bloated group memberships (and bloated sidhistories), I expected the associated dysfunction to be wide spread. That has not been reported. Also, I cloned the 213 group user and didn't see any access problems in limited and unscientific testing with the copy. . I guess my question should have been "why would this not be a bigger problem?" We have a number of users who are in 70+ groups (and that's not even counting the sidhistory contents for those groups, which varies). The tokenz tool will be useful but I'm sure a bunch of these users are over the limit already. thanks
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Al Mulnick
Sent: Monday, November 14, 2005 10:03 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Token Bloat
Can you be more specific? Are you asking if the order of the tokens is FIFO related to group additions and if so, is it evaluated up to that point when the token is bloated beyond the maxtokensize?
Is there a reason you would want to know that? I'm thinking that you'd get unpredictable results to make this worthwhile and you'll be better off fixing the issue in the first place. Unless this is for some sort of audit after the fact and you want to prove/disprove when the issue would occur for that sake.
There's a utility (name escapes me at the moment) that lets you evaluate the token size on a command line. You may be able to setup some quick tests and see exactly what happens in this situation. I'll try to remember the name of the utility if somebody else doesn't chime in with it first.
Al
>From: Kitchens Arthur E
>Reply-To: ActiveDir@xxxxxxxxxxxxxxxxxx
>To: ActiveDir@xxxxxxxxxxxxxxxxxx
>Subject: [ActiveDir] Token Bloat
>Date: Mon, 14 Nov 2005 07:59:01 -0500
>
> Might anyone know what actually happens in this situation? Do sids
>in the token up to maxtokensize get evalutated ( is sid order within
>the token determined by sequence of group memberships additions , if
>order even matter)? None of them? Something completely different from
>either of these two scenerios? Thanks in advance.
>
> A. E. Kitchens
>phone 904-301-3578
>fax 904-301-3625
>Atonally DO:RE:MI:FA:SO:LA:TI:DO
>Felis demulcta mitis
>
>
>"Reality is that which, when you stop believing in it, doesn't go away".
> -- Philip K. Dick
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| AD000001348
Posts:0
| | 11/14/2005 5:31 AM |
| I guess the best questoin to ask at this point is the type of groups the
user is a member of. Not all groups take the same amount of room.
Additionally, there were some changes btwn 2000 RTM and 2003 SP1 that took
place that affected the PAC behavior. It's possible you don't see more of
this because size is important vs the quantity (you'll not hear that very
often, I'll wager ;)
One additional question to ask here: what versions of DC are you running and
at what functional level?
Al
From: Kitchens Arthur E
Reply-To: ActiveDir@xxxxxxxxxxxxxxxxxx
To: "'ActiveDir@xxxxxxxxxxxxxxxxxx'"
Subject: RE: [ActiveDir] Token Bloat
Date: Mon, 14 Nov 2005 10:32:19 -0500
>From the other response I saw from Jorge de Almeida Pinto (thanks!) I'm
thinking that maybe my confusion is stemming from what this really is , a
kereberos ticketing issue, not general access. Is that a correct or
incorrect assumption? We have users that are in an inordinate number of
groups (~213 is the grand prize winner), and sidhistories of various sizes
are involved. We have seen this before, and addressed it by limited
cleaning
of sidhistory. But when we stumbled across these bloated group memberships
(and bloated sidhistories), I expected the associated dysfunction to be
wide
spread. That has not been reported. Also, I cloned the 213 group user and
didn't see any access problems in limited and unscientific testing with the
copy. . I guess my question should have been "why would this not be a
bigger
problem?" We have a number of users who are in 70+ groups (and that's not
even counting the sidhistory contents for those groups, which varies). The
tokenz tool will be useful but I'm sure a bunch of these users are over the
limit already. thanks
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx
] On Behalf Of Al Mulnick
Sent: Monday, November 14, 2005 10:03 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Token Bloat
Can you be more specific? Are you asking if the order of the tokens is
FIFO
related to group additions and if so, is it evaluated up to that point when
the token is bloated beyond the maxtokensize?
Is there a reason you would want to know that? I'm thinking that you'd get
unpredictable results to make this worthwhile and you'll be better off
fixing the issue in the first place. Unless this is for some sort of audit
after the fact and you want to prove/disprove when the issue would occur
for
that sake.
There's a utility (name escapes me at the moment) that lets you evaluate
the
token size on a command line. You may be able to setup some quick tests
and
see exactly what happens in this situation. I'll try to remember the name
of the utility if somebody else doesn't chime in with it first.
Al
>From: Kitchens Arthur E
>Reply-To: ActiveDir@xxxxxxxxxxxxxxxxxx
>To: ActiveDir@xxxxxxxxxxxxxxxxxx
>Subject: [ActiveDir] Token Bloat
>Date: Mon, 14 Nov 2005 07:59:01 -0500
>
> Might anyone know what actually happens in this situation? Do sids
>in the token up to maxtokensize get evalutated ( is sid order within
>the token determined by sequence of group memberships additions , if
>order even matter)? None of them? Something completely different from
>either of these two scenerios? Thanks in advance.
>
> A. E. Kitchens
>phone 904-301-3578
>fax 904-301-3625
>Atonally DO:RE:MI:FA:SO:LA:TI:DO
>Felis demulcta mitis
>
>
>"Reality is that which, when you stop believing in it, doesn't go away".
> -- Philip K. Dick
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| ArthurKitchens
Posts:2
| | 11/14/2005 5:44 AM |
| Dc's and functionality level are Windows Server 2003. groups are domain global groups for the most part (and those are the points of contention as users are accessing resources acl'ed with the old, pre-migration, groups via sidhistory(s)).. Not sure about sizes but from sectok etc we know there's more than 70-100 sid's in some of these tokens, way more.
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Al Mulnick
Sent: Monday, November 14, 2005 12:30 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Token Bloat
I guess the best questoin to ask at this point is the type of groups the user is a member of. Not all groups take the same amount of room.
Additionally, there were some changes btwn 2000 RTM and 2003 SP1 that took place that affected the PAC behavior. It's possible you don't see more of this because size is important vs the quantity (you'll not hear that very often, I'll wager ;)
One additional question to ask here: what versions of DC are you running and at what functional level?
Al
>From: Kitchens Arthur E
>Reply-To: ActiveDir@xxxxxxxxxxxxxxxxxx
>To: "'ActiveDir@xxxxxxxxxxxxxxxxxx'"
>Subject: RE: [ActiveDir] Token Bloat
>Date: Mon, 14 Nov 2005 10:32:19 -0500
>
> >From the other response I saw from Jorge de Almeida Pinto (thanks!)
> >I'm
>thinking that maybe my confusion is stemming from what this really is ,
>a kereberos ticketing issue, not general access. Is that a correct or
>incorrect assumption? We have users that are in an inordinate number of
>groups (~213 is the grand prize winner), and sidhistories of various
>sizes are involved. We have seen this before, and addressed it by
>limited cleaning of sidhistory. But when we stumbled across these
>bloated group memberships (and bloated sidhistories), I expected the
>associated dysfunction to be wide spread. That has not been reported.
>Also, I cloned the 213 group user and didn't see any access problems
>in limited and unscientific testing with the copy. . I guess my
>question should have been "why would this not be a bigger problem?" We
>have a number of users who are in 70+ groups (and that's not even
>counting the sidhistory contents for those groups, which varies). The
>tokenz tool will be useful but I'm sure a bunch of these users are over
>the limit already. thanks
>
>-----Original Message-----
>From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
>[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> ] On Behalf Of Al Mulnick
>Sent: Monday, November 14, 2005 10:03 AM
>To: ActiveDir@xxxxxxxxxxxxxxxxxx
>Subject: RE: [ActiveDir] Token Bloat
>
>Can you be more specific? Are you asking if the order of the tokens is
>FIFO related to group additions and if so, is it evaluated up to that
>point when the token is bloated beyond the maxtokensize?
>
>Is there a reason you would want to know that? I'm thinking that you'd
>get unpredictable results to make this worthwhile and you'll be better
>off fixing the issue in the first place. Unless this is for some sort
>of audit after the fact and you want to prove/disprove when the issue
>would occur for that sake.
>
>There's a utility (name escapes me at the moment) that lets you
>evaluate the token size on a command line. You may be able to setup
>some quick tests and see exactly what happens in this situation. I'll
>try to remember the name of the utility if somebody else doesn't chime
>in with it first.
>
>
>Al
>
>
> >From: Kitchens Arthur E
> >Reply-To: ActiveDir@xxxxxxxxxxxxxxxxxx
> >To: ActiveDir@xxxxxxxxxxxxxxxxxx
> >Subject: [ActiveDir] Token Bloat
> >Date: Mon, 14 Nov 2005 07:59:01 -0500
> >
> > Might anyone know what actually happens in this situation? Do sids
> >in the token up to maxtokensize get evalutated ( is sid order within
> >the token determined by sequence of group memberships additions , if
> >order even matter)? None of them? Something completely different from
> >either of these two scenerios? Thanks in advance.
> >
> > A. E. Kitchens
> >phone 904-301-3578
> >fax 904-301-3625
> >Atonally DO:RE:MI:FA:SO:LA:TI:DO
> >Felis demulcta mitis
> >
> >
> >"Reality is that which, when you stop believing in it, doesn't go away".
> > -- Philip K. Dick
>
>
>List info : http://www.activedir.org/List.aspx
>
>List FAQ : http://www.activedir.org/ListFAQ.aspx
>
>List archive:
>http://www.mail-archive.com/activedir%40mail.activedir.org/
>
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| AD000001348
Posts:0
| | 11/14/2005 6:33 AM |
| Hmmm...
Using the formula:
TokenSize = 1200 + 40d + 8s
This formula uses the following values: ? d: The number of domain local
groups a user is a member of plus the number of universal groups outside the
user's account domain plus the number of groups represented in security ID
(SID) history.
? s: The number of security global groups that a user is a member of plus
the number of universal groups in a user's account domain.
? 1200: The estimated value for ticket overhead. This value can vary
depending on factors such as DNS domain name length, client name, and other
factors.
that would look like this:
TokenSize = 1200 + 40(100) + 8(0) based on the below information.
TS = 5200
MaxTokenSize Bytes possible = 12,000
Difference = 12,000 - 5,200 = 6,800 (bytes)
Have you downloaded tokensz yet? What were the results?
-ajm
From: Kitchens Arthur E
Reply-To: ActiveDir@xxxxxxxxxxxxxxxxxx
To: "'ActiveDir@xxxxxxxxxxxxxxxxxx'"
Subject: RE: [ActiveDir] Token Bloat
Date: Mon, 14 Nov 2005 12:38:23 -0500
Dc's and functionality level are Windows Server 2003. groups are domain
global groups for the most part (and those are the points of contention as
users are accessing resources acl'ed with the old, pre-migration, groups
via
sidhistory(s)).. Not sure about sizes but from sectok etc we know there's
more than 70-100 sid's in some of these tokens, way more.
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Al Mulnick
Sent: Monday, November 14, 2005 12:30 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Token Bloat
I guess the best questoin to ask at this point is the type of groups the
user is a member of. Not all groups take the same amount of room.
Additionally, there were some changes btwn 2000 RTM and 2003 SP1 that took
place that affected the PAC behavior. It's possible you don't see more of
this because size is important vs the quantity (you'll not hear that very
often, I'll wager ;)
One additional question to ask here: what versions of DC are you running
and
at what functional level?
Al
>From: Kitchens Arthur E
>Reply-To: ActiveDir@xxxxxxxxxxxxxxxxxx
>To: "'ActiveDir@xxxxxxxxxxxxxxxxxx'"
>Subject: RE: [ActiveDir] Token Bloat
>Date: Mon, 14 Nov 2005 10:32:19 -0500
>
> >From the other response I saw from Jorge de Almeida Pinto (thanks!)
> >I'm
>thinking that maybe my confusion is stemming from what this really is ,
>a kereberos ticketing issue, not general access. Is that a correct or
>incorrect assumption? We have users that are in an inordinate number of
>groups (~213 is the grand prize winner), and sidhistories of various
>sizes are involved. We have seen this before, and addressed it by
>limited cleaning of sidhistory. But when we stumbled across these
>bloated group memberships (and bloated sidhistories), I expected the
>associated dysfunction to be wide spread. That has not been reported.
>Also, I cloned the 213 group user and didn't see any access problems
>in limited and unscientific testing with the copy. . I guess my
>question should have been "why would this not be a bigger problem?" We
>have a number of users who are in 70+ groups (and that's not even
>counting the sidhistory contents for those groups, which varies). The
>tokenz tool will be useful but I'm sure a bunch of these users are over
>the limit already. thanks
>
>-----Original Message-----
>From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
>[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> ] On Behalf Of Al Mulnick
>Sent: Monday, November 14, 2005 10:03 AM
>To: ActiveDir@xxxxxxxxxxxxxxxxxx
>Subject: RE: [ActiveDir] Token Bloat
>
>Can you be more specific? Are you asking if the order of the tokens is
>FIFO related to group additions and if so, is it evaluated up to that
>point when the token is bloated beyond the maxtokensize?
>
>Is there a reason you would want to know that? I'm thinking that you'd
>get unpredictable results to make this worthwhile and you'll be better
>off fixing the issue in the first place. Unless this is for some sort
>of audit after the fact and you want to prove/disprove when the issue
>would occur for that sake.
>
>There's a utility (name escapes me at the moment) that lets you
>evaluate the token size on a command line. You may be able to setup
>some quick tests and see exactly what happens in this situation. I'll
>try to remember the name of the utility if somebody else doesn't chime
>in with it first.
>
>
>Al
>
>
> >From: Kitchens Arthur E
> >Reply-To: ActiveDir@xxxxxxxxxxxxxxxxxx
> >To: ActiveDir@xxxxxxxxxxxxxxxxxx
> >Subject: [ActiveDir] Token Bloat
> >Date: Mon, 14 Nov 2005 07:59:01 -0500
> >
> > Might anyone know what actually happens in this situation? Do sids
> >in the token up to maxtokensize get evalutated ( is sid order within
> >the token determined by sequence of group memberships additions , if
> >order even matter)? None of them? Something completely different from
> >either of these two scenerios? Thanks in advance.
> >
> > A. E. Kitchens
> >phone 904-301-3578
> >fax 904-301-3625
> >Atonally DO:RE:MI:FA:SO:LA:TI:DO
> >Felis demulcta mitis
> >
> >
> >"Reality is that which, when you stop believing in it, doesn't go
away".
> > -- Philip K. Dick
>
>
>List info : http://www.activedir.org/List.aspx
>
>List FAQ : http://www.activedir.org/ListFAQ.aspx
>
>List archive:
>http://www.mail-archive.com/activedir%40mail.activedir.org/
>
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| ArthurKitchens
Posts:2
| | 11/14/2005 9:23 AM |
| From the output from tokensz (output below is from the cloned account of the 213 group user, I'm still working getting the example syntax-es to work for me like it does for the other kids). So the issue here is not token size in our enviroment, but my lack of understanding of just what makes token size. Thanks to all of you all who replied.
Name: Kerberos Comment: Microsoft Kerberos V1.0
Current PackageInfo->MaxToken: 12000
Using user to user
QueryKeyInfo:
Signature algorithm =
Encrypt algorithm = RSADSI RC4-HMAC
KeySize = 128
Flags = 2083e
Signature Algorithm = -138
Encrypt Algorithm = 23
Start:11/14/2005 9:59:39
Expiry:11/14/2005 19:59:20
Current Time: 11/14/2005 9:59:39
MaxToken (complete context) 10400
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Al Mulnick
Sent: Monday, November 14, 2005 1:31 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Token Bloat
Hmmm...
Using the formula:
TokenSize = 1200 + 40d + 8s
This formula uses the following values: * d: The number of domain local groups a user is a member of plus the number of universal groups outside the user's account domain plus the number of groups represented in security ID
(SID) history.
* s: The number of security global groups that a user is a member of plus the number of universal groups in a user's account domain.
* 1200: The estimated value for ticket overhead. This value can vary depending on factors such as DNS domain name length, client name, and other factors.
that would look like this:
TokenSize = 1200 + 40(100) + 8(0) based on the below information.
TS = 5200
MaxTokenSize Bytes possible = 12,000
Difference = 12,000 - 5,200 = 6,800 (bytes)
Have you downloaded tokensz yet? What were the results?
-ajm
>From: Kitchens Arthur E
>Reply-To: ActiveDir@xxxxxxxxxxxxxxxxxx
>To: "'ActiveDir@xxxxxxxxxxxxxxxxxx'"
>Subject: RE: [ActiveDir] Token Bloat
>Date: Mon, 14 Nov 2005 12:38:23 -0500
>
>Dc's and functionality level are Windows Server 2003. groups are domain
>global groups for the most part (and those are the points of contention
>as users are accessing resources acl'ed with the old, pre-migration,
>groups via sidhistory(s)).. Not sure about sizes but from sectok etc we
>know there's more than 70-100 sid's in some of these tokens, way more.
>
>-----Original Message-----
>From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
>[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Al Mulnick
>Sent: Monday, November 14, 2005 12:30 PM
>To: ActiveDir@xxxxxxxxxxxxxxxxxx
>Subject: RE: [ActiveDir] Token Bloat
>
>I guess the best questoin to ask at this point is the type of groups
>the user is a member of. Not all groups take the same amount of room.
>
>Additionally, there were some changes btwn 2000 RTM and 2003 SP1 that
>took place that affected the PAC behavior. It's possible you don't see
>more of this because size is important vs the quantity (you'll not hear
>that very often, I'll wager ;)
>
>One additional question to ask here: what versions of DC are you
>running and at what functional level?
>
>Al
>
>
> >From: Kitchens Arthur E
> >Reply-To: ActiveDir@xxxxxxxxxxxxxxxxxx
> >To: "'ActiveDir@xxxxxxxxxxxxxxxxxx'"
> >Subject: RE: [ActiveDir] Token Bloat
> >Date: Mon, 14 Nov 2005 10:32:19 -0500
> >
> > >From the other response I saw from Jorge de Almeida Pinto
> > >(thanks!) I'm
> >thinking that maybe my confusion is stemming from what this really is
> >, a kereberos ticketing issue, not general access. Is that a correct
> >or incorrect assumption? We have users that are in an inordinate
> >number of groups (~213 is the grand prize winner), and sidhistories
> >of various sizes are involved. We have seen this before, and
> >addressed it by limited cleaning of sidhistory. But when we stumbled
> >across these bloated group memberships (and bloated sidhistories), I
> >expected the associated dysfunction to be wide spread. That has not been reported.
> >Also, I cloned the 213 group user and didn't see any access problems
> >in limited and unscientific testing with the copy. . I guess my
> >question should have been "why would this not be a bigger problem?"
> >We have a number of users who are in 70+ groups (and that's not even
> >counting the sidhistory contents for those groups, which varies). The
> >tokenz tool will be useful but I'm sure a bunch of these users are
> >over the limit already. thanks
> >
> >-----Original Message-----
> >From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> >[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> > ] On Behalf Of Al Mulnick
> >Sent: Monday, November 14, 2005 10:03 AM
> >To: ActiveDir@xxxxxxxxxxxxxxxxxx
> >Subject: RE: [ActiveDir] Token Bloat
> >
> >Can you be more specific? Are you asking if the order of the tokens
> >is FIFO related to group additions and if so, is it evaluated up to
> >that point when the token is bloated beyond the maxtokensize?
> >
> >Is there a reason you would want to know that? I'm thinking that
> >you'd get unpredictable results to make this worthwhile and you'll be
> >better off fixing the issue in the first place. Unless this is for
> >some sort of audit after the fact and you want to prove/disprove when
> >the issue would occur for that sake.
> >
> >There's a utility (name escapes me at the moment) that lets you
> >evaluate the token size on a command line. You may be able to setup
> >some quick tests and see exactly what happens in this situation.
> >I'll try to remember the name of the utility if somebody else doesn't
> >chime in with it first.
> >
> >
> >Al
> >
> >
> > >From: Kitchens Arthur E
> > >Reply-To: ActiveDir@xxxxxxxxxxxxxxxxxx
> > >To: ActiveDir@xxxxxxxxxxxxxxxxxx
> > >Subject: [ActiveDir] Token Bloat
> > >Date: Mon, 14 Nov 2005 07:59:01 -0500
> > >
> > > Might anyone know what actually happens in this situation? Do
> > >sids in the token up to maxtokensize get evalutated ( is sid order
> > >within the token determined by sequence of group memberships
> > >additions , if order even matter)? None of them? Something
> > >completely different from either of these two scenerios? Thanks in advance.
> > >
> > > A. E. Kitchens
> > >phone 904-301-3578
> > >fax 904-301-3625
> > >Atonally DO:RE:MI:FA:SO:LA:TI:DO
> > >Felis demulcta mitis
> > >
> > >
> > >"Reality is that which, when you stop believing in it, doesn't go
>away".
> > > -- Philip K. Dick
> >
> >
> >List info : http://www.activedir.org/List.aspx
> >
> >List FAQ : http://www.activedir.org/ListFAQ.aspx
> >
> >List archive:
> >http://www.mail-archive.com/activedir%40mail.activedir.org/
> >
>
>
>List info : http://www.activedir.org/List.aspx
>List FAQ : http://www.activedir.org/ListFAQ.aspx
>List archive:
>http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| AD000001348
Posts:0
| | 11/14/2005 9:34 AM |
| You're still only about 40 groups away from trouble. I'd say that user is
precarious and that the organization that has that process in place to allow
this sort of thing should consider changing that practice. Sooner vs. later.
Complexity and Security often aren't found together.
I reread the thread to see if I missed something. If I did, it's not
obvious to me, but were there any issues currently in play or was this
pre-emptive in timing?
Al
From: Kitchens Arthur E
Reply-To: ActiveDir@xxxxxxxxxxxxxxxxxx
To: "'ActiveDir@xxxxxxxxxxxxxxxxxx'"
Subject: RE: [ActiveDir] Token Bloat
Date: Mon, 14 Nov 2005 15:04:40 -0500
>From the output from tokensz (output below is from the cloned account of
the
213 group user, I'm still working getting the example syntax-es to work for
me like it does for the other kids). So the issue here is not token size in
our enviroment, but my lack of understanding of just what makes token size.
Thanks to all of you all who replied.
Name: Kerberos Comment: Microsoft Kerberos V1.0
Current PackageInfo->MaxToken: 12000
Using user to user
QueryKeyInfo:
Signature algorithm =
Encrypt algorithm = RSADSI RC4-HMAC
KeySize = 128
Flags = 2083e
Signature Algorithm = -138
Encrypt Algorithm = 23
Start:11/14/2005 9:59:39
Expiry:11/14/2005 19:59:20
Current Time: 11/14/2005 9:59:39
MaxToken (complete context) 10400
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Al Mulnick
Sent: Monday, November 14, 2005 1:31 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Token Bloat
Hmmm...
Using the formula:
TokenSize = 1200 + 40d + 8s
This formula uses the following values: * d: The number of domain local
groups a user is a member of plus the number of universal groups outside
the
user's account domain plus the number of groups represented in security ID
(SID) history.
* s: The number of security global groups that a user is a member of plus
the number of universal groups in a user's account domain.
* 1200: The estimated value for ticket overhead. This value can vary
depending on factors such as DNS domain name length, client name, and other
factors.
that would look like this:
TokenSize = 1200 + 40(100) + 8(0) based on the below information.
TS = 5200
MaxTokenSize Bytes possible = 12,000
Difference = 12,000 - 5,200 = 6,800 (bytes)
Have you downloaded tokensz yet? What were the results?
-ajm
>From: Kitchens Arthur E
>Reply-To: ActiveDir@xxxxxxxxxxxxxxxxxx
>To: "'ActiveDir@xxxxxxxxxxxxxxxxxx'"
>Subject: RE: [ActiveDir] Token Bloat
>Date: Mon, 14 Nov 2005 12:38:23 -0500
>
>Dc's and functionality level are Windows Server 2003. groups are domain
>global groups for the most part (and those are the points of contention
>as users are accessing resources acl'ed with the old, pre-migration,
>groups via sidhistory(s)).. Not sure about sizes but from sectok etc we
>know there's more than 70-100 sid's in some of these tokens, way more.
>
>-----Original Message-----
>From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
>[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Al Mulnick
>Sent: Monday, November 14, 2005 12:30 PM
>To: ActiveDir@xxxxxxxxxxxxxxxxxx
>Subject: RE: [ActiveDir] Token Bloat
>
>I guess the best questoin to ask at this point is the type of groups
>the user is a member of. Not all groups take the same amount of room.
>
>Additionally, there were some changes btwn 2000 RTM and 2003 SP1 that
>took place that affected the PAC behavior. It's possible you don't see
>more of this because size is important vs the quantity (you'll not hear
>that very often, I'll wager ;)
>
>One additional question to ask here: what versions of DC are you
>running and at what functional level?
>
>Al
>
>
> >From: Kitchens Arthur E
> >Reply-To: ActiveDir@xxxxxxxxxxxxxxxxxx
> >To: "'ActiveDir@xxxxxxxxxxxxxxxxxx'"
> >Subject: RE: [ActiveDir] Token Bloat
> >Date: Mon, 14 Nov 2005 10:32:19 -0500
> >
> > >From the other response I saw from Jorge de Almeida Pinto
> > >(thanks!) I'm
> >thinking that maybe my confusion is stemming from what this really is
> >, a kereberos ticketing issue, not general access. Is that a correct
> >or incorrect assumption? We have users that are in an inordinate
> >number of groups (~213 is the grand prize winner), and sidhistories
> >of various sizes are involved. We have seen this before, and
> >addressed it by limited cleaning of sidhistory. But when we stumbled
> >across these bloated group memberships (and bloated sidhistories), I
> >expected the associated dysfunction to be wide spread. That has not
been
reported.
> >Also, I cloned the 213 group user and didn't see any access problems
> >in limited and unscientific testing with the copy. . I guess my
> >question should have been "why would this not be a bigger problem?"
> >We have a number of users who are in 70+ groups (and that's not even
> >counting the sidhistory contents for those groups, which varies). The
> >tokenz tool will be useful but I'm sure a bunch of these users are
> >over the limit already. thanks
> >
> >-----Original Message-----
> >From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> >[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> > ] On Behalf Of Al Mulnick
> >Sent: Monday, November 14, 2005 10:03 AM
> >To: ActiveDir@xxxxxxxxxxxxxxxxxx
> >Subject: RE: [ActiveDir] Token Bloat
> >
> >Can you be more specific? Are you asking if the order of the tokens
> >is FIFO related to group additions and if so, is it evaluated up to
> >that point when the token is bloated beyond the maxtokensize?
> >
> >Is there a reason you would want to know that? I'm thinking that
> >you'd get unpredictable results to make this worthwhile and you'll be
> >better off fixing the issue in the first place. Unless this is for
> >some sort of audit after the fact and you want to prove/disprove when
> >the issue would occur for that sake.
> >
> >There's a utility (name escapes me at the moment) that lets you
> >evaluate the token size on a command line. You may be able to setup
> >some quick tests and see exactly what happens in this situation.
> >I'll try to remember the name of the utility if somebody else doesn't
> >chime in with it first.
> >
> >
> >Al
> >
> >
> > >From: Kitchens Arthur E
> > >Reply-To: ActiveDir@xxxxxxxxxxxxxxxxxx
> > >To: ActiveDir@xxxxxxxxxxxxxxxxxx
> > >Subject: [ActiveDir] Token Bloat
> > >Date: Mon, 14 Nov 2005 07:59:01 -0500
> > >
> > > Might anyone know what actually happens in this situation? Do
> > >sids in the token up to maxtokensize get evalutated ( is sid order
> > >within the token determined by sequence of group memberships
> > >additions , if order even matter)? None of them? Something
> > >completely different from either of these two scenerios? Thanks in
advance.
> > >
> > > A. E. Kitchens
> > >phone 904-301-3578
> > >fax 904-301-3625
> > >Atonally DO:RE:MI:FA:SO:LA:TI:DO
> > >Felis demulcta mitis
> > >
> > >
> > >"Reality is that which, when you stop believing in it, doesn't go
>away".
> > > -- Philip K. Dick
> >
> >
> >List info : http://www.activedir.org/List.aspx
> >
> >List FAQ : http://www.activedir.org/ListFAQ.aspx
> >
> >List archive:
> >http://www.mail-archive.com/activedir%40mail.activedir.org/
> >
>
>
>List info : http://www.activedir.org/List.aspx
>List FAQ : http://www.activedir.org/ListFAQ.aspx
>List archive:
>http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| ArthurKitchens
Posts:2
| | 11/15/2005 11:54 AM |
| It was me being chicken little. We have had issues with some groups with seemingly excessive sidhistory sizes that seemed to be token bloat, as granted access failed and cleaning sidhistory cleared it up. Now that I am aware of the depth of my misunderstanding of the details of the issue I'm not sure if the two were related or that was just coincidence and superstition on my part as to the cause. I noticed that an awful lot of groups had unexpected sidhistory sizes, and having stumbled onto that I checked group membership and, again, was surprised by the numbers I found. The issue that brought this to my attention turned out to be only a user not in a required group (for the user environment to be built and functional). As embarassing as this turned out to be, it's been even more educational. And I have been promised a chicken little t-shirt.
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Al Mulnick
Sent: Monday, November 14, 2005 4:33 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Token Bloat
You're still only about 40 groups away from trouble. I'd say that user is precarious and that the organization that has that process in place to allow this sort of thing should consider changing that practice. Sooner vs. later.
Complexity and Security often aren't found together.
I reread the thread to see if I missed something. If I did, it's not obvious to me, but were there any issues currently in play or was this pre-emptive in timing?
Al
>From: Kitchens Arthur E
>Reply-To: ActiveDir@xxxxxxxxxxxxxxxxxx
>To: "'ActiveDir@xxxxxxxxxxxxxxxxxx'"
>Subject: RE: [ActiveDir] Token Bloat
>Date: Mon, 14 Nov 2005 15:04:40 -0500
>
> >From the output from tokensz (output below is from the cloned account
> >of
>the
>213 group user, I'm still working getting the example syntax-es to work
>for me like it does for the other kids). So the issue here is not token
>size in our enviroment, but my lack of understanding of just what makes token size.
>Thanks to all of you all who replied.
>
>Name: Kerberos Comment: Microsoft Kerberos V1.0 Current
>PackageInfo->MaxToken: 12000
>
>Using user to user
>QueryKeyInfo:
>Signature algorithm =
>Encrypt algorithm = RSADSI RC4-HMAC
>KeySize = 128
>Flags = 2083e
>Signature Algorithm = -138
>Encrypt Algorithm = 23
> Start:11/14/2005 9:59:39
> Expiry:11/14/2005 19:59:20
>Current Time: 11/14/2005 9:59:39
>MaxToken (complete context) 10400
>
>
>-----Original Message-----
>From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
>[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Al Mulnick
>Sent: Monday, November 14, 2005 1:31 PM
>To: ActiveDir@xxxxxxxxxxxxxxxxxx
>Subject: RE: [ActiveDir] Token Bloat
>
>Hmmm...
>
>Using the formula:
>TokenSize = 1200 + 40d + 8s
>
>This formula uses the following values: * d: The number of domain local
>groups a user is a member of plus the number of universal groups
>outside the user's account domain plus the number of groups represented
>in security ID
>(SID) history.
>* s: The number of security global groups that a user is a member of
>plus the number of universal groups in a user's account domain.
>* 1200: The estimated value for ticket overhead. This value can vary
>depending on factors such as DNS domain name length, client name, and
>other factors.
>
>that would look like this:
>
>TokenSize = 1200 + 40(100) + 8(0) based on the below information.
>
>TS = 5200
>
>MaxTokenSize Bytes possible = 12,000
>
>Difference = 12,000 - 5,200 = 6,800 (bytes)
>
>
>
>
>Have you downloaded tokensz yet? What were the results?
>
>-ajm
>
>
>
> >From: Kitchens Arthur E
> >Reply-To: ActiveDir@xxxxxxxxxxxxxxxxxx
> >To: "'ActiveDir@xxxxxxxxxxxxxxxxxx'"
> >Subject: RE: [ActiveDir] Token Bloat
> >Date: Mon, 14 Nov 2005 12:38:23 -0500
> >
> >Dc's and functionality level are Windows Server 2003. groups are
> >domain global groups for the most part (and those are the points of
> >contention as users are accessing resources acl'ed with the old,
> >pre-migration, groups via sidhistory(s)).. Not sure about sizes but
> >from sectok etc we know there's more than 70-100 sid's in some of these tokens, way more.
> >
> >-----Original Message-----
> >From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> >[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Al Mulnick
> >Sent: Monday, November 14, 2005 12:30 PM
> >To: ActiveDir@xxxxxxxxxxxxxxxxxx
> >Subject: RE: [ActiveDir] Token Bloat
> >
> >I guess the best questoin to ask at this point is the type of groups
> >the user is a member of. Not all groups take the same amount of room.
> >
> >Additionally, there were some changes btwn 2000 RTM and 2003 SP1 that
> >took place that affected the PAC behavior. It's possible you don't
> >see more of this because size is important vs the quantity (you'll
> >not hear that very often, I'll wager ;)
> >
> >One additional question to ask here: what versions of DC are you
> >running and at what functional level?
> >
> >Al
> >
> >
> > >From: Kitchens Arthur E
> > >Reply-To: ActiveDir@xxxxxxxxxxxxxxxxxx
> > >To: "'ActiveDir@xxxxxxxxxxxxxxxxxx'"
> > >Subject: RE: [ActiveDir] Token Bloat
> > >Date: Mon, 14 Nov 2005 10:32:19 -0500
> > >
> > > >From the other response I saw from Jorge de Almeida Pinto
> > > >(thanks!) I'm
> > >thinking that maybe my confusion is stemming from what this really
> > >is , a kereberos ticketing issue, not general access. Is that a
> > >correct or incorrect assumption? We have users that are in an
> > >inordinate number of groups (~213 is the grand prize winner), and
> > >sidhistories of various sizes are involved. We have seen this
> > >before, and addressed it by limited cleaning of sidhistory. But
> > >when we stumbled across these bloated group memberships (and
> > >bloated sidhistories), I expected the associated dysfunction to be
> > >wide spread. That has not
>been
>reported.
> > >Also, I cloned the 213 group user and didn't see any access
> > >problems in limited and unscientific testing with the copy. . I
> > >guess my question should have been "why would this not be a bigger problem?"
> > >We have a number of users who are in 70+ groups (and that's not
> > >even counting the sidhistory contents for those groups, which
> > >varies). The tokenz tool will be useful but I'm sure a bunch of
> > >these users are over the limit already. thanks
> > >
> > >-----Original Message-----
> > >From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> > >[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> > > ] On Behalf Of Al
> > >Mulnick
> > >Sent: Monday, November 14, 2005 10:03 AM
> > >To: ActiveDir@xxxxxxxxxxxxxxxxxx
> > >Subject: RE: [ActiveDir] Token Bloat
> > >
> > >Can you be more specific? Are you asking if the order of the
> > >tokens is FIFO related to group additions and if so, is it
> > >evaluated up to that point when the token is bloated beyond the maxtokensize?
> > >
> > >Is there a reason you would want to know that? I'm thinking that
> > >you'd get unpredictable results to make this worthwhile and you'll
> > >be better off fixing the issue in the first place. Unless this is
> > >for some sort of audit after the fact and you want to
> > >prove/disprove when the issue would occur for that sake.
> > >
> > >There's a utility (name escapes me at the moment) that lets you
> > >evaluate the token size on a command line. You may be able to
> > >setup some quick tests and see exactly what happens in this situation.
> > >I'll try to remember the name of the utility if somebody else
> > >doesn't chime in with it first.
> > >
> > >
> > >Al
> > >
> > >
> > > >From: Kitchens Arthur E
> > > >Reply-To: ActiveDir@xxxxxxxxxxxxxxxxxx
> > > >To: ActiveDir@xxxxxxxxxxxxxxxxxx
> > > >Subject: [ActiveDir] Token Bloat
> > > >Date: Mon, 14 Nov 2005 07:59:01 -0500
> > > >
> > > > Might anyone know what actually happens in this situation? Do
> > > >sids in the token up to maxtokensize get evalutated ( is sid
> > > >order within the token determined by sequence of group
> > > >memberships additions , if order even matter)? None of them?
> > > >Something completely different from either of these two
> > > >scenerios? Thanks in
>advance.
> > > >
> > > > A. E. Kitchens
> > > >phone 904-301-3578
> > > >fax 904-301-3625
> > > >Atonally DO:RE:MI:FA:SO:LA:TI:DO
> > > >Felis demulcta mitis
> > > >
> > > >
> > > >"Reality is that which, when you stop believing in it, doesn't go
> >away".
> > > > -- Philip K. Dick
> > >
> > >
> > >List info : http://www.activedir.org/List.aspx
> > >
> > >List FAQ : http://www.activedir.org/ListFAQ.aspx
> > >
> > >List archive:
> > >http://www.mail-archive.com/activedir%40mail.activedir.org/
> > >
> >
> >
> >List info : http://www.activedir.org/List.aspx
> >List FAQ : http://www.activedir.org/ListFAQ.aspx
> >List archive:
> >http://www.mail-archive.com/activedir%40mail.activedir.org/
>
>
>List info : http://www.activedir.org/List.aspx
>List FAQ : http://www.activedir.org/ListFAQ.aspx
>List archive:
>http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
|
|