ALLOWABILITY NOTICE
The following claims are pending in this office action: 1-2, 5-6, and 9-16
The following claims are amended: 1-2, 5-6, and 9-16
The following claims are new: -
The following claims are cancelled: 3-4 and 7-8
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with attorney of record Doug Gallagher on March 11, 2022.
1.	(Currently Amended) A system for preventing an excess user authentication token utilization condition in an enterprise computer environment, the system comprising a non-transitory medium that stores operatable instructions, the operations comprising:
an excess user authentication token utilization condition predictor operable for calculating a first number of additional group memberships of each enterprise user that, upon creation, will result in an excess user authentication token utilization condition;
a group membership estimator operable, for each said enterprise user, for estimating, prior to execution of an anticipated activity that impacts group memberships, a second number of additional group memberships of said enterprise user that will be created by said execution of said anticipated activity; and
that said execution of said anticipated activity results in said excess user authentication token utilization condition, and, upon ascertaining that said execution of said anticipated activity will result in said excess user authentication token utilization condition, for modifying said anticipated activity, prior to said execution of said anticipated activity, so as to ensure that said execution of said modified activity will not result in said excess user authentication token utilization condition,
said anticipated excess user authentication token utilization condition preventer also comprising an alert provider operable in response to said ascertaining that said execution of said anticipated activity will result in said excess user authentication token utilization condition for providing an imminent excess user authentication token utilization alert with respect to each of said enterprise users prior to said execution of said anticipated activity which will result in said excess user authentication token utilization condition.

2.	(Currently Amended) An excess user authentication token utilization condition predictor comprising a non-transitory medium that stores operatable instructions, the operations comprising:
a user authentication token size calculator operable for calculating a current user authentication token size for each enterprise user in an enterprise computer environment;
an available user authentication token size calculator operable for calculating a currently available user authentication token size for each of said enterprise users based on said current user authentication token size;
an average group identifier size calculator operable for calculating an average group identifier size for multiple user groups in said enterprise computer environment; and
an excess user authentication token utilization condition calculator operable, based on said available user authentication token size and said average group identifier size, for calculating a first number of additional group memberships of each of said enterprise users that, upon creation, will result in an excess user authentication token utilization condition, 
a potential excess condition notification provider operable for providing a notification output when one of said enterprise users requests an activity that will create a second number of additional group memberships that exceed said first number of additional group memberships;
said second number of additional group memberships exceed said first number of additional group memberships; and
a remediation process initiator operable for initiating a remediation process for said one of said enterprise users, in response to said alert, prior to said executing said activity that will create said second number of additional group memberships that exceed said first number of additional group memberships.

3.	(Canceled)

4.	(Canceled)

5.	(Currently Amended) A method for preventing an excess user authentication token utilization condition in an enterprise computer environment, the method comprising:
calculating a number of first additional group memberships of each enterprise user that, upon creation, will result in an excess user authentication token utilization condition;
for each said enterprise user, estimating, prior to execution of an anticipated activity that impacts group memberships, a second number of additional group memberships of said enterprise user that will be created by said execution of said anticipated activity;
ascertaining that said execution of said anticipated activity results in said excess user authentication token utilization condition; and
upon completion of ascertaining execution of said anticipated activity will result in said excess user authentication token utilization condition, providing an imminent excess user authentication token utilization alert with respect to each of said enterprise users prior to said execution of said anticipated activity which will result in said excess user authentication token utilization condition and modifying said anticipated activity, prior to said execution of said anticipated activity, so as to ensure that said execution of said modified activity will not result in said excess user authentication token utilization condition.

6.	(Currently Amended) A method for ascertaining whether an excess user authentication token utilization condition is imminent in an enterprise computer environment, the method comprising:
the enterprise computer environment;
calculating a currently available user authentication token size for each of said enterprise users based on said current user authentication token size;
calculating an average group identifier size for multiple user groups in said enterprise computer environment;
based on said available user authentication token size and said average group identifier size, calculating a number of first additional group memberships of each of said enterprise users that, upon creation, will result in an excess user authentication token utilization condition, 
providing a notification output when one of said enterprise users requests an activity that will create a second number of additional group memberships that exceed said first number of additional group memberships;
providing, in response to said notification output, an imminent excess user authentication token utilization alert with respect to said one of said enterprise users prior to executing said activity that will create said second number of additional group memberships that exceed said first number of additional group memberships;
and automatically initiating a remediation process for said one of said enterprise users prior to said executing said activity that will create said second number of additional group memberships that exceed said first number of additional group memberships.

7.	(Canceled)

8.	(Canceled)

9.	(Currently Amended) The excess user authentication token utilization condition predictor of claim 2 

10.	(Currently Amended) The excess user authentication token utilization condition predictor of claim 9 
presenting a list of remediation options to said administrator; 
prompting said administrator to select one of said remediation options;

prompting said administrator to confirm said one of said remediation options; and
upon said administrator confirming said one of said remediation options, executing said one of said remediation options.

11.	(Currently Amended) The excess user authentication token utilization condition predictor of claim 10 
eliminating group membership redundancy of said user;
replacing a plurality of existing group memberships with a lesser plurality of group memberships;
replacing an existing group membership having a first group identifier of a first size with a replacement group membership having a second group identifier of a second size, smaller than said first size;
removing the existing group membership of said user; and
reducing a number of the existing group memberships by changing access permissions.

12.	(Currently Amended) The excess user authentication token utilization condition predictor of claim 2 the remediation process comprises automatically selecting a remediation option from a group of remediation options.

13.	(Currently Amended) [[A]]The method of claim 6 and wherein said remediation process comprises an administrator selectable remediation process.

14.	(Currently Amended) [[A]]The method of claim 13 
presenting a list of remediation options to said administrator; 
prompting said administrator to select one of said remediation options;
selecting, by said administrator, one of said remediation options;
prompting said administrator to confirm said one of said remediation options; and
upon said administrator confirming said one of said remediation options, executing said one of said remediation options.

The method according to claim 14 
eliminating group membership redundancy of said user;
replacing a plurality of existing group memberships with a lesser plurality of group memberships;
replacing an existing group membership having a first group identifier of a first size with a replacement group membership having a second group identifier of a second size, smaller than said first size;
removing the existing group membership of said user; and
reducing a number of the existing group memberships by changing access permissions.

16.	(Currently Amended) [[A]]The method the remediation process comprises automatically selecting a remediation option from a group of remediation options.

Reasons for Allowance
Claims 1-2, 5-6, and 9-16 are allowed.  
The following is an examiner’s statement of reasons for allowance: The cited prior art references do not, alone or in combination, teach the recited features of the independent claims 1-2 and 5-6. In this case, the allowance is based on the combination of the recited steps and the features of the recited steps, which distinguish the claimed invention from the prior art. For example, the independent claims all require a user authentication token (i.e. Kerberos token) associated with an activity to create additional group memberships, where:
1) Calculating a token size (excess user authentication token utilization condition, in accordance with the broadest meaning of the term in light of the specification, to be where the size of user authentication token is in excess, and so the size is calculated – see for example para. 0104 of the instant 
2) an anticipated activity performed that will create additional group memberships (for example, see claim 1, ln. 8-10; claim 2, ln. 16-17; claim 5, ln. 5-7; and claim 6, ln. 13-15 above);
3) determining that the activity will result in a token size exceeded condition due to adding the group membership (i.e. buffer overflow of MaxTokenSize) (for example, see claim 1, ln. 13-14; claim 2, ln. 15-18; claim 5, ln. 8-9; and claim 6, ln. 14-16 above); and
4) a prevention/remedial action including an alert to be performed upon the determination.  (for example, see claim 1, ln. 15-23; claim 2, ln. 19-26; claim 5, ln. 10-16; and claim 6, ln. 14-23 above)
In particular, the prior art does not describe, prior to the activity of adding a group membership to a user authentication token, ascertaining if such an activity would overflow the max token size buffer.
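
The pre-change check summarized in items 1) to 4) above, written in Python as an added example; it is not part of this office action or of the application. It assumes Microsoft's published token-size estimate (1200 + 40d + 8s bytes) and the default MaxTokenSize values; `User`, `headroom`, `preflight` and the sample data are hypothetical names and constructed values.

```python
from dataclasses import dataclass
from statistics import mean

# Assumption: Microsoft's published estimate TokenSize = 1200 + 40*d + 8*s bytes.
# d = domain-local groups, universal groups from other domains, SID-history entries;
# s = global groups and universal groups in the user's own domain.
OVERHEAD, D_BYTES, S_BYTES = 1200, 40, 8
LEGACY_MAX, MODERN_MAX = 12000, 48000  # MaxTokenSize defaults before / since Server 2012

@dataclass
class User:  # hypothetical record; in practice filled from a directory query
    name: str
    d_groups: int
    s_groups: int

def current_token_size(u: User) -> int:
    return OVERHEAD + D_BYTES * u.d_groups + S_BYTES * u.s_groups

def average_group_id_size(kinds: list[str]) -> float:
    """Mean per-membership cost over the directory's groups ('d' or 's' each)."""
    return mean(D_BYTES if k == "d" else S_BYTES for k in kinds)

def headroom(u: User, avg: float, max_size: int) -> int:
    """Estimated number of further memberships that still fit under max_size."""
    available = max_size - current_token_size(u)
    return max(0, int(available // avg))

def preflight(u: User, to_add: list[str], avg: float, max_size: int):
    """Run before the change: return (alert or None, memberships safe to apply)."""
    fits = headroom(u, avg, max_size)
    if len(to_add) <= fits:
        return None, list(to_add)
    alert = (f"{u.name}: adding {len(to_add)} groups exceeds estimated headroom "
             f"of {fits} (token {current_token_size(u)}/{max_size} bytes)")
    return alert, list(to_add[:fits])  # modified activity; the rest needs remediation

# Constructed sample data.
DIRECTORY_KINDS = ["d"] * 3 + ["s"] * 5            # average = (3*40 + 5*8) / 8 = 20 bytes
ALICE = User("alice", d_groups=200, s_groups=300)  # 1200 + 8000 + 2400 = 11600 bytes
REQUEST = [f"proj-{i}" for i in range(25)]

if __name__ == "__main__":
    avg = average_group_id_size(DIRECTORY_KINDS)
    alert, allowed = preflight(ALICE, REQUEST, avg, LEGACY_MAX)
    print(alert)
    print(f"{len(allowed)} of {len(REQUEST)} memberships applied")
```

Because the headroom is derived from an average identifier size, it is an estimate; a request close to the limit should be rechecked against the actual type of each group being added.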

Josh Sprenger, Kerberos and Access Token Limitations, GIAC directory of certified professionals [online], February 15, 2015 [retrieved on August 20, 2020], retrieved from the Internet <URL: https://web.archive.org/web/20150215022855/https://www.giac.org/paper/gsec/5111/kerberos-access-token-limitations/104962> teaches the activity of adding a group membership to a user authentication token which results in the token size being exceeded. However, Sprenger does not teach, prior to the activity, ascertaining if the activity would overflow the max token size buffer. Instead, it teaches using scripts to monitor token size issues for users, as well as methods to remedy the issue if a token size issue appears.
Active Directory Insights (Part 12) – MaxTokenSize [online], TechGenix, 2016 [retrieved on May 13, 2021], retrieved from the internet: <URL: https://techgenix.com/active-directory-insights-part12/>  teaches that an administrator can create a group policy setting to send an alert when a maximum predefined size for a Kerberos token is reached, before users are added to a large number of groups.  
How to Remove SID History With PowerShell [online]; Microsoft Corporation 2011 [retrieved on May 13, 2021]; retrieved from the internet: <URL: https://docs.microsoft.com/en-us/archive/blogs/ashleymcglone/how-to-remove-sid-history-with-powershell> teaches removing groups from a user token in order to lower the size of the token to prevent max token size issues. However, this does not teach doing this step in response to determining that adding group memberships will exceed the token size. Instead, the reference teaches to do this as part of a process for cleaning up security ID history to reduce the chance of token size issues.
Other references such as Balijepalli et al. (US Patent No. 10,223,541) and Callard et al. (US Pub. 2017/0164229) teach generating adaptive tokens created such that they do not exceed a specified size, or predicting a future change in buffer status and a condition where the buffer size exceeds a threshold. However, such references do not associate the change in buffer size with group memberships where a change in number of group memberships causes an increase in token size, nor do the references teach determining whether an activity of adding group memberships will cause an increase in token size to exceed the buffer/maximum token size.
As for other NPL, other techniques similarly do not teach determining, prior to an activity to increase the group memberships of a user authentication token, whether the activity causes the token to exceed its maximum token size. For example, McPherson; Method of Implementing Group Intersection in an Access Control List; Prior Art Database; May 09, 2006 [retrieved on March 07, 2022]; <URL: https://priorart.ip.com/IPCOM/000136223> discloses that adding new groups can cause logon delays and increases the potential of reaching a maximum number of groups, and discloses a system that, when access is requested, checks permissions to authenticate the user token. The reference is silent on a process 
These, along with the other recited features of independent claims 1-2 and 5-6 and their dependent claims, make the claimed inventions allowable over the prior art of record.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHE LIU whose telephone number is (571) 272-3634.  The examiner can normally be reached on Monday - Friday: 8:30 AM to 5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on (571) 272-3862.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.


/Z.L./Examiner, Art Unit 2493
/Jeremy S Duffield/Primary Examiner, Art Unit 2498