Error Message: During a Logon Attempt, the User's Security Context Accumulated Too Many Security IDs (275266)


The information in this article applies to:

  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows NT Server 4.0 Terminal Server Edition
  • Microsoft Windows NT Server 4.0
  • Microsoft Windows NT Server, Enterprise Edition 4.0
This article was previously published under Q275266

SYMPTOMS

When you try to log on to a domain or connect to a network share on a server, you may receive the following error code 1384 error message:
During a logon attempt, the user's security context accumulated too many security IDs.

CAUSE

This behavior occurs because the versions of Windows that are listed at the beginning of this article contain a limit that prevents a user's security access token from containing more than 1000 security identifiers (SIDs). This means that when a user is being validated for access rights to establish a new session with a server, that user must not be a member of more than 1000 groups in that server's domain. If this limit is exceeded, access to the server is denied, and the error code 1384 is returned to the user.

If the server that the user connects to is in a second domain (for example, if the user connects to a server in a Windows 2000 resource domain), the total number of groups the user is a member of is determined by adding the user's group membership in that second domain to the user's global group membership in their domain.

STATUS

This is expected behavior for the products that are listed at the beginning of this article.This behavior is by design.

MORE INFORMATION

If a group from the user's domain is included in multiple groups in the second domain, the user's total group membership is not just incremented by one for their inclusion in this group. Instead, it is additionally incremented by the number of groups in the second domain that this group is a member of.

For example, if you add a user to a global group in their domain, and add this global group to four local groups in a second domain, the user's total group membership (and SID count) in that second domain is increased by five, instead of just being increased by one as you may expect.
Modification Type:MinorLast Reviewed:7/14/2004
Keywords:kberrmsg kbnetwork kbprb KB275266 kbAudEndUser kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.