From the earliest days of Windows NT, even before Active Directory was on the scene, every process has had an associated security token. To see the information contained in the token, if you are using the windbg debugger, you can use the !token meta-command, and that will give you such things as the list of security groups with which the account is associated. If you are running Windows Server 2008, though (or have installed the appropriate tools), you can see this information by using the whoami /all command at the command line.
The token bloat problem is an old one. I've heard about it going back into the last century. If you have a fixed-size buffer in which to pass a token, and the token has more groups than will fit in that fixed-size buffer, it is a bloated token. Things will then fail if the API that the token is being passed to needs a part of the token that isn't in the buffer.
So, how do tokens become bloated? By the addition of new security groups. There are companies that have nearly a hundred security groups associated with a single user. That seems excessive, but if you have been running Windows since 1994, and you add a new security group a month, every month, that is over 150 groups!
One possible solution is to change the size of the buffers (an excellent discussion of that solution is here: http://support.microsoft.com/kb/263693). In that case, though, you will be changing the buffer size not just on client machines, but on the domain controllers and the servers as well. In an organization that has been using Windows since the mid-1990s, this can mean rebooting fifty thousand computers. No one wants to do that.
The solution that makes more sense in practice is to take a hard look at that list of things added to that token over the years. You probably don't need your membership in the Y2K Remediation Group anymore, for example. The Enron Account managers group would also probably not be that useful.
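To make that review concrete, here is an added PowerShell example (my own, not code from the original post) that counts the groups in the current process token, the same list whoami /all prints, and optionally sweeps a domain for users with many direct memberships. The function names and the two threshold values are assumptions; the domain sweep assumes the ActiveDirectory module is installed.

```powershell
# Added example, not from the original post.
# Counts the security groups carried in the current token (the list that
# "whoami /all" shows) and reports whether it is near a chosen threshold.
# $WarnAt is an assumed placeholder: derive it from your own MaxTokenSize
# setting (see the KB article linked in the post), not from this script.
function Get-TokenGroupSummary {
    param([int]$WarnAt = 500)
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $names = @(foreach ($sid in $identity.Groups) {
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }   # unresolvable SID: e.g. a deleted group still in the token
    })
    # Built-in and well-known groups are few; domain groups are what accumulate.
    $domain = @($names | Where-Object {
        $_ -notmatch '^(BUILTIN|NT AUTHORITY|NT SERVICE|Mandatory Label)\\' -and
        $_ -ne 'Everyone' -and $_ -notlike 'S-1-*' })
    [pscustomobject]@{
        User         = $identity.Name
        TotalGroups  = $names.Count
        DomainGroups = $domain.Count
        Unresolved   = @($names | Where-Object { $_ -like 'S-1-*' }).Count
        NearLimit    = ($names.Count -ge $WarnAt)
    }
}

# Optional domain-wide sweep of direct memberships (assumes the ActiveDirectory
# module). MemberOf lists direct memberships only; the token also carries nested
# groups and the primary group, so the real token count is at least this number.
# The default of 100 mirrors the "nearly a hundred groups" figure in the post.
function Find-BloatedUsers {
    param([int]$WarnAt = 100, [string]$SearchBase)
    $params = @{ Filter = '*'; Properties = 'MemberOf' }
    if ($SearchBase) { $params.SearchBase = $SearchBase }
    Get-ADUser @params |
        ForEach-Object {
            [pscustomobject]@{ User = $_.SamAccountName; DirectGroups = @($_.MemberOf).Count }
        } |
        Where-Object { $_.DirectGroups -ge $WarnAt } |
        Sort-Object DirectGroups -Descending
}

Get-TokenGroupSummary | Format-List
```

Run Find-BloatedUsers on a domain-joined machine with RSAT to get the list of accounts worth pruning first; an Unresolved count above zero in the local summary means the token still carries SIDs of groups that no longer exist.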
Every choice of a buffer size is an engineering tradeoff, just as two-digit dates were a reasonable choice when we talked about dollars per byte rather than dollars per megabyte or gigabyte for memory costs. The default is a reasonably good one in a well-maintained Active Directory security infrastructure.
Ever had this kind of issue? How did you figure it out? Comment and let me know.