SCRIPT UPDATED 22nd September 2017
This PowerShell script will enumerate all user accounts in a Domain, calculate their estimated Token Size and create a report of the top x users in CSV format.
However, before I talk about the script, it’s important to provide some background on Kerberos token size: what makes it grow, how to calculate it, and how to manage it.
The Kerberos token size grows depending on the following factors:
- Number of direct and indirect (nested) group memberships.
- Distribution groups are not included in the token, but all security groups are.
- All group scopes are included in the token evaluation.
- Whether or not the user has a SID history, and if so, the number of entries.
- Authentication method (username/password or multi-factor like Smart Cards).
- Whether the user is enabled for Kerberos delegation.
- Local user rights assigned to the user.
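To make those factors concrete, here is an added example (my own code, not the script this post describes) that turns a user's effective security-group memberships into a byte estimate using Microsoft's published rule of thumb from KB 327825, TokenSize = 1200 + 40d + 8s. The sample group list, the doubling applied for delegation, and the 12000-byte threshold used for the check are constructed or assumed values for illustration.

```powershell
# Added example: estimate Kerberos token size from the factors listed above.
# Rule of thumb (Microsoft KB 327825): TokenSize = 1200 + 40d + 8s, where
#   d = domain local groups + universal groups from OTHER domains + SID-history entries
#       (each carried in the PAC as a full SID), and
#   s = global groups + universal groups from the user's OWN domain (carried as RIDs).
# $Groups must already be the flattened list (direct + nested) of the user's memberships;
# the objects here are constructed sample data, not read from Active Directory.
function Get-EstimatedTokenSize {
    param(
        [Parameter(Mandatory)][string]$AccountDomain,
        [Parameter(Mandatory)][object[]]$Groups,   # objects with Name, Scope, Domain, IsSecurity
        [int]$SidHistoryCount = 0,
        [switch]$TrustedForDelegation,
        [int]$MaxTokenSize = 12000                 # pre-Windows 8 / Server 2012 default; 48000 since
    )
    # Distribution groups never enter the token; only security groups count.
    $security = @($Groups | Where-Object { $_.IsSecurity })
    $d = @($security | Where-Object {
            $_.Scope -eq 'DomainLocal' -or ($_.Scope -eq 'Universal' -and $_.Domain -ne $AccountDomain)
        }).Count + $SidHistoryCount
    $s = @($security | Where-Object {
            $_.Scope -eq 'Global' -or ($_.Scope -eq 'Universal' -and $_.Domain -eq $AccountDomain)
        }).Count
    $size = 1200 + (40 * $d) + (8 * $s)
    # Assumption for this example: an account trusted for delegation carries a forwarded TGT,
    # so its estimate is doubled. Replace with a measured figure from your own forest if you have one.
    if ($TrustedForDelegation) { $size *= 2 }
    [pscustomobject]@{
        d              = $d
        s              = $s
        EstimatedBytes = $size
        OverMaxToken   = ($size -gt $MaxTokenSize)
    }
}

# Constructed sample membership: 3 global, 1 domain local, 1 foreign universal, 1 distribution group.
$sampleGroups = @(
    [pscustomobject]@{ Name = 'Sales';          Scope = 'Global';      Domain = 'corp.example';    IsSecurity = $true  }
    [pscustomobject]@{ Name = 'Finance-RO';     Scope = 'Global';      Domain = 'corp.example';    IsSecurity = $true  }
    [pscustomobject]@{ Name = 'VPN-Users';      Scope = 'Global';      Domain = 'corp.example';    IsSecurity = $true  }
    [pscustomobject]@{ Name = 'FS01-Share-RW';  Scope = 'DomainLocal'; Domain = 'corp.example';    IsSecurity = $true  }
    [pscustomobject]@{ Name = 'Forest-Admins';  Scope = 'Universal';   Domain = 'root.example';    IsSecurity = $true  }
    [pscustomobject]@{ Name = 'All-Staff-Mail'; Scope = 'Universal';   Domain = 'corp.example';    IsSecurity = $false }
)
# Two SID-history entries from a migrated account: d = 1 + 1 + 2 = 4, s = 3, size = 1200 + 160 + 24 = 1384 bytes.
Get-EstimatedTokenSize -AccountDomain 'corp.example' -Groups $sampleGroups -SidHistoryCount 2
```

Feed the function the flattened membership your enumeration produces (the nested-group walk is what the post's script does for you) and sort the resulting objects by EstimatedBytes to get the same "top x users" view in CSV form.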
If it grows beyond the default maximum allowed size…