By Jay Grim · May 18, 2026
Director, Project Management, LeadThem Consulting
Token bloat comes up more than people expect during AD migrations, and I've seen it surface in two very different environments recently.
The first wasn't a shock. Over 100K users, years of continuous acquisitions and divestitures, and a directory that had absorbed multiple forests without much cleanup along the way. By the time we were doing pre-migration assessment, Kerberos token size was already a problem for a meaningful slice of the user population. Group membership had accumulated across years of M&A activity and nobody had gone back to rationalize it. That kind of environment almost always has token bloat baked in.
The second one caught me off guard. Roughly 20K users, minimal M&A history, no obvious red flags on the surface. But when we started digging into group nesting and SID history during assessment, the token picture was worse than the environment size suggested. The directory had just grown organically over time, with groups stacking on groups in ways that made operational sense at the moment but nobody had ever audited.
Both cases reinforced the same thing for me. Token bloat isn't just an M&A problem. It's a directory hygiene problem, and migrations have a way of exposing it at the worst possible time if you don't look for it during assessment.
If you're heading into a migration, are you building token analysis into your pre-wave testing, or is that something you're finding out about after the first cutover?
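One way to build that token analysis into pre-wave assessment, as an added example that is not from the original post or its author: the PowerShell below reads each user's expanded group set from the constructed attribute tokenGroups, counts SIDHistory entries, and applies Microsoft's published estimation formula (KB 327825, TokenSize = 1200 + 40d + 8s) to flag accounts near the default MaxTokenSize limits. The search base, thresholds and output path are placeholders to adjust; it assumes the RSAT ActiveDirectory module and read access to the domain.

```powershell
# Added example, not code from the original post. Estimates Kerberos token size
# per enabled user from tokenGroups (transitive group SIDs) and SIDHistory, using
# the KB 327825 estimate: TokenSize = 1200 + 40*d + 8*s, where
#   d = domain local groups + universal groups outside the user's domain + SIDHistory entries
#   s = global groups + universal groups inside the user's domain
# Assumptions: RSAT ActiveDirectory module; placeholder SearchBase/thresholds/output path.
#Requires -Modules ActiveDirectory
[CmdletBinding()]
param(
    [string]$SearchBase = (Get-ADDomain).DistinguishedName,  # scope of the assessment (assumed)
    [int]$WarnBytes = 12000,   # MaxTokenSize default before Windows 8 / Server 2012
    [int]$MaxBytes  = 48000,   # MaxTokenSize default from Windows 8 / Server 2012 onward
    [string]$OutCsv = '.\token-estimate.csv'  # placeholder output path
)

$domainSid  = (Get-ADDomain).DomainSID.Value
$groupCache = @{}   # group SID string -> scope, so each group is resolved only once

# Classify a group SID by scope relative to the user's account domain.
# Groups that cannot be resolved (foreign domain, deleted) are counted as 'Unknown'
# and treated as domain local, i.e. the worst case for the estimate.
function Get-GroupScope([System.Security.Principal.SecurityIdentifier]$Sid) {
    $key = $Sid.Value
    if ($groupCache.ContainsKey($key)) { return $groupCache[$key] }
    $scope = 'Unknown'
    try {
        $g    = Get-ADGroup -Identity $key -Properties groupType -ErrorAction Stop
        $type = [int]$g.groupType                      # 0x2 global, 0x4 domain local, 0x8 universal
        if     ($type -band 0x4) { $scope = 'DomainLocal' }
        elseif ($type -band 0x2) { $scope = 'Global' }
        elseif ($type -band 0x8) {
            $inUserDomain = ($Sid.AccountDomainSid -and $Sid.AccountDomainSid.Value -eq $domainSid)
            $scope = if ($inUserDomain) { 'UniversalLocalDomain' } else { 'UniversalOtherDomain' }
        }
    } catch { }                                         # leave as 'Unknown'
    $groupCache[$key] = $scope
    return $scope
}

$results = foreach ($u in Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties sidHistory) {
    # tokenGroups is constructed, so it must be requested explicitly via RefreshCache
    $entry = [ADSI]('LDAP://' + $u.DistinguishedName)
    $entry.RefreshCache(@('tokenGroups'))

    $counts = @{ DomainLocal = 0; Global = 0; UniversalLocalDomain = 0; UniversalOtherDomain = 0; Unknown = 0 }
    foreach ($bytes in $entry.Properties['tokenGroups']) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
        $counts[(Get-GroupScope $sid)]++
    }

    $sidHistory = @($u.sidHistory).Count
    $d = $counts.DomainLocal + $counts.UniversalOtherDomain + $counts.Unknown + $sidHistory
    $s = $counts.Global + $counts.UniversalLocalDomain
    $estimate = 1200 + 40 * $d + 8 * $s

    $status = if ($estimate -ge $MaxBytes)      { 'OverDefault' }
              elseif ($estimate -ge $WarnBytes) { 'OverLegacyDefault' }
              else                              { 'OK' }

    [pscustomobject]@{
        SamAccountName   = $u.SamAccountName
        TotalGroups      = ($counts.Values | Measure-Object -Sum).Sum
        DomainLocal      = $counts.DomainLocal
        Global           = $counts.Global
        UniversalInDom   = $counts.UniversalLocalDomain
        UniversalOther   = $counts.UniversalOtherDomain
        Unresolved       = $counts.Unknown
        SidHistory       = $sidHistory
        EstimatedBytes   = $estimate
        Status           = $status
    }
}

$results | Sort-Object EstimatedBytes -Descending | Export-Csv -NoTypeInformation -Path $OutCsv
# Show the accounts that need attention before the first wave
$results | Where-Object Status -ne 'OK' | Sort-Object EstimatedBytes -Descending | Format-Table -AutoSize
```

The formula is an estimate, not the real PAC size: it ignores well-known SIDs, claims and ticket overhead beyond the fixed 1200 bytes, so treat the output as a ranking of who to test first rather than a pass/fail result, and confirm the worst cases against an actual logon on a test client. The SidHistory and Unresolved columns are also the quickest pointer to the cleanup candidates the post describes: SIDHistory that was never removed after an earlier migration, and groups that no longer resolve but still appear in the token.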
#ActiveDirectory #MigrationPlanning #ActiveDirectoryMigration #KerberosToken #DirectoryHygiene
