Remove the user from some global or local groups to reduce the number of security IDs to incorporate into the security context.
Description
After the cutover (moving a computer to the new domain), the user was not able to log on to the domain and received the error: "During a logon attempt, the user's security context accumulated too many security IDs."
A warning from LSA (LsaSrv) is recorded in the computer's System event log:

Log Name: System
Source: LSA (LsaSrv)
Level: Warning
Message:
During a logon attempt, the user's security context accumulated too many security IDs. This is a very unusual situation. Remove the user from some global or local groups to reduce the number of security IDs to incorporate into the security context.
User's SID is S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxxx
If this is the Administrator account, logging on in safe mode will enable Administrator to log on by automatically restricting group memberships.
Cause
This is not a product issue but a Windows limitation on the number of SIDs that a user's access token can hold. The behavior is by design in Windows.
Resolution
Below are some references which are useful to resolve or work around the issue:

1. https://learn.microsoft.com/en-us/troubleshoot/windows-server/user-profiles-and-logon/security-content-accumated-many-security-ids
   - This behavior occurs because Windows systems contain a limit that prevents a user's security access token from containing more than 1,000 security identifiers (SIDs).
   - Microsoft has confirmed that this is a problem. This behavior is by design.

2. https://learn.microsoft.com/en-US/troubleshoot/windows-server/windows-security/logging-on-user-account-fails
   - When a user logs on to a computer, the Local Security Authority (LSA, a part of the Local Security Authority Subsystem) generates an access token. The token represents the user's security context. The access token consists of unique security identifiers (SIDs) for every group that the user is a member of. These SIDs include transitive groups and SID values from the SIDHistory of the user and the group accounts.
   - The array that contains the SIDs of the user's group memberships in the access token can contain no more than 1,024 SIDs. The LSA cannot drop any SID from the token. So, if there are more SIDs, the LSA fails to create the access token and the user will be unable to log on.
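Because the affected user cannot log on at all, the group count has to be checked from another account before the token is built. The following PowerShell script is an added example, not part of this article or of any product; it reads the user's transitive group SIDs (the constructed tokenGroups attribute) and SIDHistory through ADSI to estimate how close the token is to the 1,024-SID limit quoted above, and lists SIDs that no longer resolve to a name, which after a domain cutover are usually stale SIDHistory entries. The function name, its parameters and the 900-SID warning threshold are assumptions.

```powershell
# Added example: estimate how many SIDs the LSA will place in a user's token.
# Assumes a domain-joined host and an account allowed to read the user object.
# Uses ADSI only (no RSAT required). The 1,024 limit comes from the article above;
# the 900 warning threshold is an assumption.
function Get-TokenSidEstimate {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$Limit  = 1024,
        [int]$WarnAt = 900
    )
    $searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "User '$SamAccountName' not found in the current domain." }
    $entry = $result.GetDirectoryEntry()

    # tokenGroups is a constructed attribute: the DC expands the user's transitive group
    # membership and returns one SID per group. It is only populated when requested
    # explicitly via RefreshCache; a normal property read leaves it empty.
    $entry.RefreshCache([string[]]@('tokenGroups', 'sIDHistory', 'objectSid'))

    $toSid = { param($bytes) New-Object System.Security.Principal.SecurityIdentifier($bytes, 0) }
    $groupSids   = @($entry.Properties['tokenGroups'] | ForEach-Object { & $toSid $_ })
    $historySids = @($entry.Properties['sIDHistory']  | ForEach-Object { & $toSid $_ })

    # SIDs whose name no longer resolves are typically SIDHistory entries or groups
    # that were left behind in the old domain after the cutover.
    $unresolved = foreach ($sid in ($groupSids + $historySids)) {
        try   { $null = $sid.Translate([System.Security.Principal.NTAccount]) }
        catch { $sid.Value }
    }

    # Estimate only: the real token also carries well-known SIDs (Everyone,
    # Authenticated Users, the logon SID) and local-machine group memberships,
    # so the count the LSA reaches at logon is somewhat higher than this figure.
    $estimate = 1 + $groupSids.Count + $historySids.Count   # 1 = the user's own SID
    $status = if ($estimate -ge $Limit) { 'OVER LIMIT' }
              elseif ($estimate -ge $WarnAt) { 'WARNING' }
              else { 'OK' }

    [pscustomobject]@{
        User             = $SamAccountName
        TransitiveGroups = $groupSids.Count
        UserSidHistory   = $historySids.Count
        EstimatedSids    = $estimate
        Limit            = $Limit
        Status           = $status
        UnresolvedSids   = @($unresolved)
    }
}

# Usage (replace jdoe with the affected account):
Get-TokenSidEstimate -SamAccountName 'jdoe' | Format-List
```

Run it against the migrated account from an administrative session; a status of WARNING or OVER LIMIT, or a long UnresolvedSids list, points to the group memberships or SIDHistory entries to trim before the user can log on again.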