To How Many Groups Can A User Belong?
A user’s security access token cannot contain more than 1000 security identifiers (SIDs). If this limit is exceeded, the user may receive the following error message when attempting to log on to a domain or access a network share:
During a logon attempt, the user’s security context accumulated too many security IDs.
You may think it is not possible for a user to be a member of 1000 different groups. However, a user’s SID count is not simply incremented by one each time the account is added to a group.
For example, if a user account is added to a global group, and that global group has in turn been added to six different domain local groups, the SID count actually increases by six rather than by one, as many people would assume.
Group membership across domains is also counted. If a user from one domain connects to a server in another domain, the SID count is determined by adding the group membership from the server’s domain to the global group membership in the user’s own domain.
1000 SIDs may seem like a number that could never be reached. However, given the points above, it is quite possible, especially in large environments with multiple domains and many groups.
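The expansion described above (nested domain local groups and cross-domain membership) is easy to underestimate, so here is a small model of it as an added example. This is not code from the original article or from Microsoft; the group graph, the naming convention (`GG-` for global, `DL-` for domain local) and the helper names are constructed for illustration. It expands a user's direct memberships transitively, keeps domain local groups only for the domain whose resource is being accessed, and checks the result against the 1000-SID limit.

```python
"""Model of how nested and cross-domain group membership inflates the
number of group SIDs in a user's access token. Added example for this
article; the group graph below is constructed for illustration and the
group names are hypothetical, not taken from any real directory."""
from collections import deque

MAX_TOKEN_SIDS = 1000  # token limit stated in the article

# Constructed nesting map: group -> set of groups it is itself a member of.
# Naming convention assumed here: "<DOMAIN>\\GG-..." is a global group,
# "<DOMAIN>\\DL-..." is a domain local group.
GROUP_PARENTS = {
    # One global group in domain A, nested in six domain local groups of A
    # and in one domain local group of domain B (cross-domain resource access).
    "A\\GG-Finance": {f"A\\DL-Share{i}" for i in range(1, 7)} | {"B\\DL-FileServer"},
    "B\\DL-FileServer": set(),
}


def domain_of(group):
    return group.split("\\", 1)[0]


def is_domain_local(group):
    return group.split("\\", 1)[1].startswith("DL-")


def token_groups(direct_groups, resource_domain, parents=GROUP_PARENTS):
    """Transitively expand membership. Domain local groups only enter the
    token when the resource being accessed is in that group's own domain,
    so the same user ends up with a different group set per domain."""
    seen = set()
    queue = deque(direct_groups)
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        queue.extend(parents.get(g, ()))
    return {g for g in seen
            if not is_domain_local(g) or domain_of(g) == resource_domain}


def token_sid_count(direct_groups, resource_domain, parents=GROUP_PARENTS):
    """Number of group SIDs the token would carry (the user's own SID and
    well-known SIDs are not modelled)."""
    return len(token_groups(direct_groups, resource_domain, parents))


def exceeds_limit(direct_groups, resource_domain, parents=GROUP_PARENTS):
    return token_sid_count(direct_groups, resource_domain, parents) > MAX_TOKEN_SIDS


def build_nested_graph(domain, n_global, n_local_per_global):
    """Constructed graph: n_global global groups, each nested in its own
    n_local_per_global domain local groups. Returns (parents, direct_groups)."""
    parents = {}
    direct = set()
    for i in range(n_global):
        gg = f"{domain}\\GG-{i}"
        parents[gg] = {f"{domain}\\DL-{i}-{j}" for j in range(n_local_per_global)}
        direct.add(gg)
    return parents, direct


if __name__ == "__main__":
    user = {"A\\GG-Finance"}
    print("logon to A:", token_sid_count(user, "A"))  # 7: global group + six domain locals
    print("access B  :", token_sid_count(user, "B"))  # 2: global group + B's domain local
    parents, direct = build_nested_graph("A", 150, 6)
    print("150 global groups x 6 domain locals:", token_sid_count(direct, "A", parents),
          "exceeds limit:", exceeds_limit(direct, "A", parents))  # 1050, True
```

The point the model makes is that a single direct membership costs the global group plus every domain local group it is nested in, and that the count changes depending on which domain's resource is being accessed. With 150 global groups each nested in six domain local groups, a user crosses the limit without ever being a direct member of 1000 groups.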