Token bloat is one of the major problems faced by IT administrators. It occurs when a single user is a member of too many groups in Active Directory. A large organization has an ocean of Active Directory resources such as users, groups, and computers. Each user plays a unique role in the organization, so it is the IT administrators' responsibility to assign the user sufficient permissions to access the services and applications needed to perform his or her tasks. At the same time, IT administrators are required to maintain the security standards of their organization. As a result, their job becomes more complex and granular as they grant and deny specific permissions to each user. Moreover, adding a user to multiple security groups in order to assign permissions is unavoidable. This results in stuffing of security groups or SID History items into the user's token, which in turn increases the Kerberos token size above the default size of 20000 bytes.
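To see how group scope and SID History drive the size, the following added example (not part of the original page) applies Microsoft's published estimate, TokenSize = 1200 + 40d + 8s, to a constructed membership list. The function name `Get-EstimatedTokenSize`, the domain names, and the scope split of the sample are assumptions made for illustration; the limit defaults to the 20000-byte figure quoted above.

```powershell
# Added example: estimate Kerberos token size from group membership.
# Formula (Microsoft's published estimate): TokenSize = 1200 + 40d + 8s
#   d = domain local groups + universal groups outside the account domain
#       + SID History entries
#   s = global groups + universal groups inside the account domain
function Get-EstimatedTokenSize {
    param(
        [Parameter(Mandatory)] [object[]] $Groups,        # objects with GroupScope and Domain
        [Parameter(Mandatory)] [string]   $AccountDomain, # domain that holds the user account
        [int] $SidHistoryCount = 0,
        [int] $Limit = 20000                              # size quoted in the paragraph above
    )
    $d = $SidHistoryCount
    $s = 0
    foreach ($g in $Groups) {
        $sameDomain = $g.Domain -eq $AccountDomain
        switch ("$($g.GroupScope)") {
            'DomainLocal' { $d++ }
            'Global'      { $s++ }
            'Universal'   { if ($sameDomain) { $s++ } else { $d++ } }
            default       { throw "Unknown group scope '$($g.GroupScope)'" }
        }
    }
    $size = 1200 + (40 * $d) + (8 * $s)
    [pscustomobject]@{
        FortyByteSids  = $d
        EightByteSids  = $s
        EstimatedBytes = $size
        Limit          = $Limit
        OverLimit      = $size -gt $Limit
    }
}

# Constructed sample: 1200 memberships, the group count of this page's test-lab user.
# The scope split and the domain names are assumptions, not data from the page.
$sample = @()
$sample += 1..700 | ForEach-Object { [pscustomobject]@{ GroupScope = 'Global';      Domain = 'corp.example' } }
$sample += 1..300 | ForEach-Object { [pscustomobject]@{ GroupScope = 'DomainLocal'; Domain = 'corp.example' } }
$sample += 1..150 | ForEach-Object { [pscustomobject]@{ GroupScope = 'Universal';   Domain = 'corp.example' } }
$sample += 1..50  | ForEach-Object { [pscustomobject]@{ GroupScope = 'Universal';   Domain = 'partner.example' } }

Get-EstimatedTokenSize -Groups $sample -AccountDomain 'corp.example' -SidHistoryCount 25
```

Nested memberships also end up in the token, so the function should be given the fully expanded group list for the account being checked.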
The screenshot given below was generated during the logon of a user (a member of 1200 groups) in the test lab.