Identify overpriviledged users based on Kerberos token size
The size of a Kerberos token is a good indicator for identifying users with excessive access rights. The more group memberships a user has, the bigger their Kerberos token. Even if a group membership does not automatically grant privileges, it is worthwhile analyzing the listed users.
In addition, there is a risk that users with too many group memberships will no longer be able to login.