
Kerberos Token Size Calculator

A fully automated Kerberos Token-Size Calculator.

How can Active Directory Admins and Auditors -

  1. Accurately Estimate Token-sizes Domain-wide
  2. Identify All Accounts at Risk of Token-bloat
  3. Reduce Risk of Kerberos Authentication Failures Resulting From Token-bloat

    Answer:  Calculate Kerberos Token-sizes

Our Kerberos Token-Size Calculator empowers organizations to easily and automatically
calculate the Kerberos token size of multiple Active Directory domain user accounts.

"We are very pleased to see Paramount Defenses, a valued Microsoft partner, offer an innovative security solution (in Gold Finger) that helps enhance security and compliance in Active Directory environments."

– Charles Coats, Senior Product Manager,
Identity and Security Business Group


Many organizations need to automate the calculation of the Kerberos token size of multiple domain user accounts in their Active Directory. This need arises predominantly when domain user accounts are members of a large number of groups and may be at risk of being denied logon if the number of groups to which they belong continues to increase.

Kerberos Token Size Calculation

Our Gold Finger Kerberos Token-Size Calculator was designed to empower organizations to fulfill this exact need.

It can instantly, accurately and trustworthily audit

  • The Kerberos token-sizes of all user accounts in an Active Directory domain
  • The Kerberos token-sizes of all user accounts in an Active Directory organizational unit
  • The Kerberos token-sizes of all user accounts in a specific location, division or other parameters
  • The complete list of all security identifiers (SIDs) in a specific domain user account's Windows access token
  • The d and s values for all domain user accounts per Microsoft's recommended formula: Token Size = 1200 + 40d + 8s

In fact, only Gold Finger is designed by former Microsoft Program Manager for Active Directory Security, endorsed by Microsoft
and trusted by the world's top organizations. It is the world's most capable, valuable and trustworthy Active Directory Audit Tool.

Technical Features

Gold Finger embodies innovative features designed to help organizations effortlessly perform Kerberos Token-Size Audits –

  1. Fully-automated multiple-account Kerberos Token Size Calculation – Instantly calculate token sizes of multiple domain accounts.
  2. Calculation based on Microsoft Recommendations – Calculations based on Microsoft's formula: Token Size = 1200 + 40d + 8s.
  3. Kerberos Token Size Exports – Instantly generate and export the Kerberos token sizes of any, some or all accounts in a domain.
  4. Domain-specific Token Size Analysis – Calculate domain-specific access token sizes, since tokens are always domain specific.
  5. Access Token Contents Analysis – Obtain the list of all security identifiers (SIDs) in any domain account's access token.
  6. Domain-Specific & Machine-Type Token Analysis – View the contents of access tokens generated on DCs as well as non-DCs.
  7. Scope and Depth Control – Limit the depth of coverage up to 10 levels from the root of the specified target (OU or domain).
  8. Custom Filters and Filter Library – Apply custom LDAP filters to target specific accounts, as well as create an LDAP filter library.
  9. Professional Grade PDF Reports – Easily generate ready-to-furnish Kerberos Token-size reports in PDF format.
  10. DC Specific Analysis and Alternate Credential Use – Target any specific Domain Controller and use alternate credentials.

Real-World Examples

The following are some real-world examples that illustrate the capabilities of our Gold Finger Kerberos Token-Size Calculator –

  1. Calculate the Kerberos token sizes of all domain user accounts in the Corp domain.
  2. Calculate the Kerberos token sizes of all administrative and executive domain user accounts in the Corp domain.
  3. Identify all domain accounts in the HQ OU that might be at a risk of being denied a logon due to Kerberos token bloat.
  4. See what security groups show up in the access token of John Doe's account when he logs on to a machine in the Corp domain.
  5. Find out if the specific security group Executive Committee Members is showing up in the CEO's user account's access token.
  6. Identify all administrative accounts that might be at risk of being denied a logon due to Kerberos token bloat.
  7. Identify all computer accounts in the Servers OU that might be at a risk of being denied a logon due to Kerberos token bloat.
  8. Find out if the Builtin Admins security group shows up in the access token of a temporary administrator's alternate user account.
  9. Find out whether Anonymous includes Everyone by being able to view the contents of any domain user account's access token.
  10. Generate a professional-grade audit report in PDF format that documents the token-sizes of all user accounts in the Corp domain.

Benefits and Solutions

Our Gold Finger Kerberos Token-Size Calculator delivers the following valuable and measurable benefits –

  1. Instantly compute the Kerberos token-sizes of any, some or all domain user accounts in any domain, container or OU
  2. Instantly identify all domain user accounts that might be exposed to the risk of a denial of service caused by token bloat.
  3. Obtain a list of all domain accounts whose membership count currently exceeds a certain threshold (e.g. 300 security groups).
  4. Instantly view the complete list of all Security Identifiers that show up in another user's token (i.e. whoami for another user account.)
  5. Troubleshoot access issues by being able to verify whether the issue is being caused due to a group not showing up in a user's token.
  6. Easily enumerate/identify/audit all groups (global groups, universal groups, domain local groups and builtin groups) to which a user belongs.

In addition, Gold Finger also helps organizations implement 5 essential cyber security solutions for –

  1. Active Directory Security
  2. Privileged Access Audit
  3. Attack Surface Reduction
  4. Insider Threat Protection
  5. Audit and Compliance

As such, only Gold Finger's unique capabilities empower organizations worldwide to fulfill all their Active Directory audit
(i.e. security, membership, permissions, effective permissions/access and effective privileged access audit) needs.

Gold Finger is the Gold Standard for Active Directory Audit Tools in capability, value and trustworthiness.


Requirements, Licensing and Pricing

The tool can be instantly downloaded, installed and run on any Windows computer in under 2 minutes. Its use does not require any admin privileges or any changes to Active Directory. See FAQ.

The tool can be licensed on a short-term (weekly, monthly, quarterly) as well as a long-term (annual) basis. Short-term licenses are ideal for independent consultants and small projects and long-term licenses are ideal for long-term organizational use. A 1-week, 1-user license for use in 1 domain starts at just US $299 and can be instantly purchased by clicking the Buy Now button below.

"We use the Gold Finger from Paramount Defenses to fulfill our Active Directory Audit needs. It saves us a lot of time and effort and we would recommend it to anyone who needs to perform Active Directory audits trustworthily and cost-effectively. Great product, great support."

– Sean Seeliger, Architect
