Why can’t I connect to Active Directory Users and Computers from Windows 7, but can from XP?

active-directory

I am able to connect to the domain controller using the Active Directory Users and Computers MMC while logged in to a Windows XP or Windows Server 2003 computer, but get an Access Denied error when trying to connect to the same server while on any Windows 7 computer.

The 2 other IT workers have the same issue. Each of us has no problem while on XP, just Windows 7, regardless of which Windows 7 computer it is (as we have tried multiple machines).

Best Answer

We discovered the problem was that our accounts belonged to too many Active Directory groups and the Kerberos token size. A registry key needed to be created to increase the Kerberos fixed token size limit from 12000 to 65535.

This Technet forum post discusses the problem and this Microsoft KB article details the fix.

Registry fix required:

  1. Start Registry Editor (Regedt32.exe)

  2. Locate and click the following key in the registry:
    System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

  3. If this key is not present, create the key. To do so:
    a. Click the following key in the registry:
    System\CurrentControlSet\Control\Lsa\Kerberos
    b. On the Edit menu, click Add Key
    c. Create a Parameters key
    d. Click the new Parameters key

  4. On the Edit menu, click Add Value, and then add the following registry value:
    Value name: MaxTokenSize
    Data type: REG_DWORD
    Radix: Decimal
    Value data: 65535

  5. Quit Registry Editor
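
The registry steps above in script form, for applying the same change to several Windows 7 machines and recording what was there before. This is an added example, not part of the original answer or the KB article; the function name Set-KerberosMaxTokenSize, the HKLM: hive prefix and the restart flag are assumptions of this example.

```powershell
# Added example: scripts the registry steps from the answer above.
# Assumptions of this example: the function name, the HKLM: hive prefix,
# and that a restart is needed before the new limit applies.
function Set-KerberosMaxTokenSize {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [ValidateRange(12000, 65535)]
        [int]$MaxTokenSize = 65535
    )

    # Writing under HKLM needs an elevated session; fail early otherwise.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }

    $paramsKey = 'HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

    # Step 3: create the Parameters key only if it is not present.
    if (-not (Test-Path -Path $paramsKey)) {
        if ($PSCmdlet.ShouldProcess($paramsKey, 'Create registry key')) {
            New-Item -Path $paramsKey -Force | Out-Null
        }
    }

    # Record the existing value so the change can be audited or reverted.
    $existing = Get-ItemProperty -Path $paramsKey -Name MaxTokenSize -ErrorAction SilentlyContinue
    $before   = if ($existing) { $existing.MaxTokenSize } else { $null }

    # Step 4: MaxTokenSize as REG_DWORD, decimal 65535 by default.
    $changed = $false
    if ($before -ne $MaxTokenSize -and
        $PSCmdlet.ShouldProcess("$paramsKey\MaxTokenSize", "Set REG_DWORD to $MaxTokenSize")) {
        New-ItemProperty -Path $paramsKey -Name MaxTokenSize -PropertyType DWord `
            -Value $MaxTokenSize -Force | Out-Null
        $changed = $true
    }

    # Group SIDs in the caller's token: a rough indicator of token bloat.
    New-Object PSObject -Property @{
        Computer        = $env:COMPUTERNAME
        GroupSidCount   = $identity.Groups.Count
        PreviousValue   = $before
        RequestedValue  = $MaxTokenSize
        RestartRequired = $changed
    }
}

Set-KerberosMaxTokenSize -WhatIf   # drop -WhatIf to apply the change
```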
