Overview#

When a user tries to log on to a computer by using a local computer account or a domain user account, the logon request may fail with the following error message:
Logon Message: The system cannot log you on due to the following error: During a logon attempt, the user’s security context accumulated too many security IDs. Please try again or consult your system administrator.

Cause#

This problem occurs when a user (with an administrative user account or a non-administrative user account) who is a member of more than 1,015 security groups tries to log on.

When a user logs on to a computer, the Local Security Authority (LSA) generates an access token for the user to represent the security context of the user. The access token contains the user's unique security identifier (SID) and the SIDs of every group that the user is a member of, including transitive groups.

Note: The only exception to this behavior is that not all domain local security groups that the user is a member of will show up in the user's token. The only domain local security groups that will show up (in the user's token) are those groups that the user is a member of that also reside in the domain that contains the computer account that the user is logging on to. For an example that illustrates this process, see the "More Information" section.

Because of a system limitation, the field that contains the SIDs of the user’s group memberships in the access token can contain a maximum of 1,024 SIDs. If a user is a member of more than 1,024 security groups, the LSA cannot create an access token for the user during the logon attempt. Therefore, the user will not be able to log on. During access token generation, depending on the type of logon being performed, the LSA also inserts up to 9 well-known SIDs in addition to the SIDs for the user’s group memberships (evaluated transitively).

Because of the addition of well-known SIDs by the LSA, if a user is a member of more than 1,015 (that is, 1,024 minus 9) security groups, the total will be more than the 1,024 SID limit. Therefore, the LSA will not be able to create an access token for the user during the logon attempt. (This 1,015 number includes local group memberships of the computer that the user is trying to log on to.) Because the user cannot be authenticated, they cannot log on.
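The following PowerShell is an added example, not part of the original page or of the Microsoft KB article it cites. It shows how an administrator can check how close an account is to the limits described above, from two sides: the number of group SIDs actually present in the current logon token (compared with the 1,024 hard limit), and an estimate of a user's transitive group count in Active Directory (compared with the 1,015 threshold). It assumes the RSAT ActiveDirectory module is installed and that the caller may read group membership; the function names, the constant names and the use of the LDAP_MATCHING_RULE_IN_CHAIN filter are choices made for this example.

```powershell
# Added example (not from the original page). Constants come from the text above:
# the token holds at most 1,024 group SIDs, and the LSA adds up to 9 well-known SIDs.
$MaxTokenSids  = 1024
$WellKnownSids = 9
$GroupLimit    = $MaxTokenSids - $WellKnownSids   # 1,015

function Get-CurrentTokenGroupCount {
    # 'whoami /groups' lists every group SID in the caller's current access token,
    # well-known SIDs included, so the count is compared with the 1,024 hard limit.
    $rows = whoami /groups /fo csv | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    [pscustomobject]@{
        TokenGroupSids = $rows.Count
        Limit          = $MaxTokenSids
        Headroom       = $MaxTokenSids - $rows.Count
    }
}

function Get-TransitiveGroupCount {
    # Estimates a domain user's transitive group membership before the user logs on,
    # using the ActiveDirectory module (assumed to be installed).
    param([Parameter(Mandatory)][string]$SamAccountName)

    Import-Module ActiveDirectory -ErrorAction Stop
    $user = Get-ADUser -Identity $SamAccountName -ErrorAction Stop

    # LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes the domain
    # controller walk nested membership, so every group the user is transitively
    # a member of is returned in one query.
    $filter = "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
    $groups = @(Get-ADGroup -LDAPFilter $filter)

    # Domain local groups only enter the token when they reside in the domain of the
    # computer being logged on to, so they are reported separately.
    $domainLocal = @($groups | Where-Object { $_.GroupScope -eq 'DomainLocal' })
    $other       = @($groups | Where-Object { $_.GroupScope -ne 'DomainLocal' })

    # The primary group (primaryGroupID, usually Domain Users) is not matched by the
    # 'member' filter, so one SID is added for it. Local groups on the target
    # computer are not visible from AD and are not included in this estimate.
    $estimate = $other.Count + $domainLocal.Count + 1

    [pscustomobject]@{
        User            = $SamAccountName
        GlobalUniversal = $other.Count
        DomainLocal     = $domainLocal.Count
        EstimatedTotal  = $estimate
        Limit           = $GroupLimit
        OverLimit       = ($estimate -gt $GroupLimit)
    }
}

# Usage (assumed account name):
# Get-CurrentTokenGroupCount
# Get-TransitiveGroupCount -SamAccountName 'jdoe'
```

The AD-side figure is an estimate: it counts every domain local group regardless of which domain the user will log on to, and it cannot see local group memberships on the target computer, which the text above says also count toward the 1,015 figure. The token-side figure is exact for the session it runs in, but it can only be obtained after a successful logon.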

More Information#

There may be more information on this subject at the following:
[#1] - http://support.microsoft.com/kb/328889 - retrieved 2012-11-11

« This page (revision-3) was last changed on 12-Jun-2016 12:44 by jim