The problem of a too “fat” security token in a Windows 2000/2003 AD infrastructure has been known for a long time. In basic words: the security token is the access token generated for each user during the logon process. While this token is built, the SIDs of all security groups the user belongs to (including nested ones) are added to it. But hey … there is a limit: there can be only 1024 (cute, round number) of these SIDs in one token. If the number of SIDs in a token exceeds 1024, the user can’t log on – that is the basic explanation.
If You want deeper knowledge of this problem, go to the Microsoft Downloads page and download the new document about access token limitations. From this document You will learn how to identify, diagnose and solve such a problem.
Together with this document You will find a patch, described in the KB 906208 article, which adds new functionality to the ntdsutil.exe tool (You know this tool, don’t You) – Group Membership Evaluation.
The Group Membership Evaluation feature of ntdsutil lets You create a report of a user’s group membership, which helps You identify the list of groups in which this particular security principal is a member.
This document is definitely worth reading for AD admins.
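As an added example (my own script, not the ntdsutil feature and not part of the Microsoft document), the PowerShell below approximates the group SID count each user would carry in a logon token by reading the constructed tokenGroups attribute, and flags accounts approaching the 1024 limit. It assumes a domain-joined machine, read access to tokenGroups, and the placeholder OU path and warning threshold given in the parameters.

```powershell
# Added example: estimate per-user token SID count from AD's tokenGroups
# attribute, which already holds the transitively expanded security group
# membership. Not from KB 906208 or ntdsutil; OU path and threshold are
# placeholders to adjust.
param(
    [string]$SearchBase = "LDAP://OU=Users,DC=example,DC=com",  # placeholder OU
    [int]$WarnAt = 900,                                           # assumed threshold
    [int]$TokenSidLimit = 1024                                    # limit from the post
)

function Get-TokenGroupSids {
    param([string]$DistinguishedName)
    $entry = [ADSI]("LDAP://" + $DistinguishedName)
    # tokenGroups is constructed on the DC and is only returned when asked
    # for explicitly via a base-scope read of the object.
    $entry.RefreshCache(@("tokenGroups"))
    foreach ($raw in $entry.Properties["tokenGroups"]) {
        # Each value is a binary SID; wrap it in a SecurityIdentifier object.
        New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
    }
}

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]$SearchBase
$searcher.Filter = "(&(objectCategory=person)(objectClass=user))"
$searcher.PageSize = 1000   # paged search so large OUs are fully enumerated
$null = $searcher.PropertiesToLoad.Add("distinguishedName")
$null = $searcher.PropertiesToLoad.Add("sAMAccountName")

foreach ($result in $searcher.FindAll()) {
    $dn  = [string]$result.Properties["distinguishedname"][0]
    $sam = [string]$result.Properties["samaccountname"][0]
    $sids = @(Get-TokenGroupSids -DistinguishedName $dn)
    # Caveat: the real logon token also carries well-known SIDs (Everyone,
    # Authenticated Users, the user's own SID, ...), so the true count is
    # somewhat higher than the group-only number reported here.
    $status = if ($sids.Count -ge $TokenSidLimit) { "OVER LIMIT" } elseif ($sids.Count -ge $WarnAt) { "WARNING" } else { "ok" }
    "{0,-20} {1,5} group SIDs  {2}" -f $sam, $sids.Count, $status
}
```

Accounts reported as WARNING or OVER LIMIT are the ones to run through ntdsutil's Group Membership Evaluation report to see which groups (and nesting chains) are inflating the token.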