According to the schema the sAMAccountName must be 0-256; however, this is
one of the famous SAM Attributes, and the rules of the schema are not
necessarily the rules that apply to the SAM Attributes. See
http://blog.joeware.net/2006/01/21/222/ - a blog article titled
"But the schema says description is multivalued."
 
The sAMAccountName is fun because it depends on the object type it is
applied to. For instance a user object peaks out at 20 even with LDAP.
 
Localgroup names I believe could go to 256 characters if you knew how. You
can definitely go that high on the local SAM on workstations.
 
Even with NET.EXE you can create and manipulate domain local groups with
greater than 20 characters. In fact I just double-checked and it easily handled
creating, populating, and deleting a group with 100 characters. The pinch
though is when you are trying to add that group to another group. NET.EXE
screws that up and throws the usage screen. However, that doesn't mean it
can't be done and that the API doesn't handle it. If you grab my LG tool
from the website (http://www.joeware.net/win/free/tools/lg.htm) it will do
it, and I can guarantee it uses the LEGACY NET API. I wrote the main code
used in that tool initially back in about 1997 or 1998 or so.
 
I do recall in the early days of W2K some kind of an issue with group names
though while importing them into AD from NT4 Domains. If the group was too
long it would instead get a random sAMAccountName which I thought was quite
fun. I ended up having to put in a check script after every migration to
make sure that cn's and SAM Names matched up. 
 
Interestingly enough, MS has put an attribute into AD, called uASCompat, to
hint at upcoming support at some point for turning off the LANMAN support
which artificially limits, say, a user ID SAM Name to 20 characters. However,
currently that attribute seems to be entirely read-only. I have not been able
to find a way to change it the various times I have poked through the source code.
 
 
   joe
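As an added illustration of the post-migration check joe mentions above (this is not his script or the LG tool): it parses a small LDIF export constructed inline and flags objects whose cn and sAMAccountName disagree, or whose sAMAccountName exceeds the limit for its object class. The limits (20 for users, 256 per the schema for groups) are taken from the thread; the entry names and the random-looking sAMAccountName are made-up sample data.

```python
# Added example, not from the thread: a post-migration check of the kind joe
# describes, run over a small LDIF export constructed inline. Limits come from
# the thread: users cap at 20 characters, the schema allows 256 for groups.
SAM_LIMITS = {"user": 20, "group": 256}

# Constructed sample export. The second entry imitates the W2K-era symptom of
# an over-long group name receiving a random sAMAccountName on import.
SAMPLE_LDIF = """\
dn: CN=Domain Ops,OU=Groups,DC=example,DC=test
objectClass: group
cn: Domain Ops
sAMAccountName: Domain Ops

dn: CN=Long Group Name Imported From NT4,OU=Groups,DC=example,DC=test
objectClass: group
cn: Long Group Name Imported From NT4
sAMAccountName: $A3F1B2C40000001

dn: CN=verylongusernamehere21,OU=Users,DC=example,DC=test
objectClass: user
cn: verylongusernamehere21
sAMAccountName: verylongusernamehere21
"""

def parse_ldif(text):
    """Parse the minimal single-valued LDIF subset above into a list of dicts."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if line.strip():
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
        elif current:
            entries.append(current)
            current = {}
    return entries

def find_problems(entries):
    """Return (dn, reason) pairs for cn/sAMAccountName mismatches and for
    sAMAccountName values longer than the limit for their object class."""
    problems = []
    for e in entries:
        cn, sam, cls = e.get("cn", ""), e.get("sAMAccountName", ""), e.get("objectClass", "")
        if sam.lower() != cn.lower():
            problems.append((e["dn"], "cn/sAMAccountName mismatch"))
        if len(sam) > SAM_LIMITS.get(cls, 256):
            problems.append((e["dn"], "sAMAccountName too long for " + cls))
    return problems
```

Against a real export you would feed the output of an LDIF dump of the migrated OU into parse_ldif and review every flagged dn by hand before touching anything.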
 
 

  _____  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Friday, January 20, 2006 12:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Net localgroup limitation?


Hi,
 
In AD:
the sAMAccountName must be between 0 and 256 characters long
the cn must be between 1 and 64 characters long
 
I guess the NET commands are still using legacy methods
 
When creating a group in NT4 the limit was 20 characters when you used User
Manager for Domains. However, using other methods (scripting or third party
tooling) it was possible to pass the limit of User Manager for Domains.
Don't remember what the real limit was/is.
 
Jorge

  _____  

From: [EMAIL PROTECTED] on behalf of Freddy HARTONO
Sent: Fri 2006-01-20 08:48
To: activedir@mail.activedir.org
Subject: [ActiveDir] Net localgroup limitation?



Hi 

Just curious, is there a 19-character limit for net localgroup commands?

Just realised after trying to script a couple of things that adding this
doesn't work.

This works 
Net localgroup Administrators "domain\12345678910123456789" /ADD 

This doesn't work 
Net localgroup Administrators "domain\123456789101234567890123456" /ADD 

Has anyone else come up against this limitation?

Thank you and have a splendid day! 

Kind Regards, 

Freddy Hartono 
Group Support Engineer 
InternationalSOS Pte Ltd 
mail: [EMAIL PROTECTED] 
phone: (+65) 6330-9785 
