Chapter 8. Using PowerShell to reduce Active Directory token bloat
As a Microsoft Premier Field Engineer, I work with companies of all sizes to get their Active Directory environments healthy. One of the most common issues I find is called token bloat. When users become members of too many groups, their access token grows so large that it no longer fits within some of the operating system's default size limits. Users can then experience problems logging in, applying Group Policy, and authenticating to web servers.
Token size issues are usually due to a combination of three scenarios:
- Leftover security identifier (SID) history from Active Directory migrations
- Heavy group nesting
- Stale group memberships
This chapter will address the SID history scenario, because in my field experience it seems to be the most common. Many scripts are available online to help with group cleanup, but little has been published on automating SID history removal.
The scripts provided in this chapter will do the following:
- Document the extent of SID history in the environment
- Create a SID mapping file for use with the Active Directory Migration Tool (ADMT)
Armed with these two key pieces of information, you can move forward with SID history remediation. Once remediation is complete, end-user support should notice a decline in the aforementioned troubleshooting mysteries associated with token bloat.
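The two tasks just listed, as an added example that is not the chapter's own script: it enumerates every object that still carries sIDHistory, writes a per-SID report grouped by source domain, and emits an old-SID-to-current-SID mapping file. The report and mapping paths are hypothetical, and the comma-separated "SourceSID,TargetSID" layout of the mapping file is an assumption to confirm against the documentation for your ADMT version.

```powershell
# Added example, not the chapter's script. Requires the ActiveDirectory
# module (RSAT) and a domain-joined session with read access to AD.
Import-Module ActiveDirectory

# Output paths are hypothetical; adjust for your environment.
$ReportPath  = 'C:\Temp\SIDHistoryReport.csv'
$MappingPath = 'C:\Temp\SIDMapping.csv'

# Every user, group or computer that still carries one or more
# sIDHistory entries. sIDHistory is a multi-valued attribute.
$objects = Get-ADObject -LDAPFilter '(sIDHistory=*)' `
    -Properties sIDHistory, objectSid, objectClass

# 1. Document the extent of SID history: one row per historical SID,
#    so the report can be grouped by the domain each SID came from.
$report = foreach ($obj in $objects) {
    foreach ($sid in $obj.sIDHistory) {
        [pscustomobject]@{
            DistinguishedName = $obj.DistinguishedName
            ObjectClass       = $obj.ObjectClass
            CurrentSid        = $obj.objectSid.Value
            HistoricalSid     = $sid.Value
            # Domain portion of the historical SID (null for well-known SIDs)
            SourceDomainSid   = $sid.AccountDomainSid.Value
        }
    }
}
$report | Export-Csv -Path $ReportPath -NoTypeInformation

'Objects with SID history : {0}' -f @($objects).Count
'Historical SIDs in total : {0}' -f @($report).Count
$report | Group-Object SourceDomainSid |
    Select-Object @{n = 'SourceDomainSid'; e = { $_.Name }}, Count |
    Sort-Object Count -Descending

# 2. Build a SID mapping file (historical SID -> current SID) for ADMT
#    security translation. The "SourceSID,TargetSID" comma-separated
#    layout is an assumption; confirm it against your ADMT version's
#    documentation before running a translation with it.
$report |
    ForEach-Object { '{0},{1}' -f $_.HistoricalSid, $_.CurrentSid } |
    Set-Content -Path $MappingPath -Encoding ASCII
```

Run the reporting half first and review the source-domain breakdown: historical SIDs from domains that have already been decommissioned are the ones that only add to token size without granting any access.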
Here are the key facts about SIDs and how they’re used: