I had a user who did not get any user policies assigned. The environment is Windows XP (SP1 and SP2) clients with Windows 2003 AD (Windows 2003 mode). I tried logging on with this user on different computers with no luck. I checked the event log and noticed some errors.
The first one was in the System event log:
Event ID : 6
Source : Kerberos
The kerberos SSPI package generated an output token of size 37C8 bytes, which was too large to fit in the 37B7 buffer buffer provided by process id 0. If the condition persists, please contact your system administrator.
Data: .
Another event was found in the Application event log:
Event ID : 1053
Source : UserEnv
Windows cannot determine the user or computer name. (). Group Policy processing aborted.
Solution
I tried using GPRESULT.EXE and found that only the local machine policy was applied and no domain policies. But I also noticed the long list of groups the user was a member of. After 2 minutes of searching I found the KB article which had the correct solution.
The problem is that the user is not able to authenticate, because the Kerberos token that is generated during authentication attempts has a fixed maximum size. Transports such as remote procedure call (RPC) and HTTP rely on the MaxTokenSize value when they allocate buffers for authentication. In Windows 2000 (the original released version), the MaxTokenSize value is 8,000 bytes. In Windows 2000 Service Pack 2 (SP2) and Microsoft Windows Server 2003, the MaxTokenSize value is 12,000 bytes. This is enough for a user who is a member of 120 groups or fewer.
In my case the user was a member of more groups, so I resolved the issue by setting a higher value for MaxTokenSize.
Check the following key in the registry:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
(if it doesn’t exist, create the key)
Create a new value :
Value name: MaxTokenSize
Data type: REG_DWORD
Value data: 65535 (Decimal)
For more information: http://support.microsoft.com/?kbid=327825 (New resolution for problems that occur when users belong to many groups)
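The check described above can be scripted. The following is an added example, not part of the original post: it reads the effective MaxTokenSize, estimates a token size with the formula from the KB article linked above (TokenSize = 1200 + 40d + 8s), and decodes the sizes in the Event ID 6 message. The function names and the group counts are hypothetical, and the example assumes the sizes in the event text are hexadecimal.

```powershell
# Added example, not from the original post. Function names are hypothetical helpers.
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

# Effective limit: the registry value if present, otherwise the 12,000-byte
# default the post quotes for Windows 2000 SP2 / Windows Server 2003.
function Get-EffectiveMaxTokenSize {
    param([int]$Default = 12000)
    $p = Get-ItemProperty -Path $KeyPath -Name MaxTokenSize -ErrorAction SilentlyContinue
    if ($null -ne $p) { [int]$p.MaxTokenSize } else { $Default }
}

# KB327825 estimate: TokenSize = 1200 + 40d + 8s
#   d = domain local groups, universal groups from other domains, SID-history entries
#   s = global groups and universal groups in the user's own domain
function Get-EstimatedTokenSize {
    param([int]$D, [int]$S)
    1200 + (40 * $D) + (8 * $S)
}

# Pull the token and buffer sizes out of a Kerberos Event ID 6 message.
# Assumption: both sizes are printed in hexadecimal, as the digits in the post suggest.
function ConvertFrom-KerberosEvent6 {
    param([string]$Message)
    if ($Message -match 'token of size ([0-9A-Fa-f]+) bytes.*fit in the ([0-9A-Fa-f]+) buffer') {
        $token  = [Convert]::ToInt32($Matches[1], 16)
        $buffer = [Convert]::ToInt32($Matches[2], 16)
        [pscustomobject]@{ TokenBytes = $token; BufferBytes = $buffer; ShortBy = $token - $buffer }
    }
}

# Event text as quoted in the post.
$sample = 'The kerberos SSPI package generated an output token of size 37C8 bytes, ' +
          'which was too large to fit in the 37B7 buffer buffer provided by process id 0.'
ConvertFrom-KerberosEvent6 -Message $sample

# Constructed group counts for illustration; substitute the user's real membership.
$max = Get-EffectiveMaxTokenSize
$est = Get-EstimatedTokenSize -D 200 -S 400
if ($est -gt $max) {
    "Estimated token of $est bytes exceeds MaxTokenSize of $max bytes"
} else {
    "Estimated token of $est bytes fits within MaxTokenSize of $max bytes"
}
```

The formula only approximates the token size, so treat the result as a prompt to review group membership rather than an exact measurement.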




