Look for the "Net localgroup limitation?" thread in January
of this year, particularly joe's message of 1/23/2006 8:35
PM
Also his message of 2/20/2005 8:37 AM in thread
"samAccountName attribute length"
Finally his listing from lmcons.h header
file in "character limit for sAMAccountNames" from 3/8/2004 7:09
PM
Sorry I don't have the links handy, those are from a search
of my personal archives.
HTH
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, June 06, 2006 6:25 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to gr oups?
Jorge, if you happen to find that in the archives, please post the
link.
A quick search of the net brings back some items that seem to indicate that
greater than 20 could result in a problem with some directory sync tools.
samaccountname is listed as being expected to be 20 chars. It doesn't
differentiate between groups and users that use the samaccountname. That
just "seems" like a recipe for issues, but if you say it can be 256 without
issue, then.... (I know Joe, you're using 64 and so did Jorge, but it looks like
it was done for convenience vs. going with more chars.)
Interesting.
On 6/6/06, Almeida Pinto,
Jorge de <[EMAIL PROTECTED]>
wrote:
About a year and a half ago I have tested this as I was doing a migration from NDS to AD. Worked like a charm! (I even did tests for legacy clients like W9x as those were my biggest concern, did not find anything) The NDS groups were > 64 chars and accepted all kinds of funny chars. I had to cut them down to < 64 chars.
Although the samaccountname accepts 256 chars, the full name (common name) accepts only 64 chars. And in cases like this I like to use the weakest link (smallest value) which is the length of the full name. (that us why I cut them down to < 64 chars in the NDS so I did not experience any crap during the migration)
Even in NT4 you could create groups > 20 chars....
User Manager for domains allowed 20 chars and some other did the same. However, several third party tools like Hyena and others go beyond that limit. Even if you use scripts you can creare groups > 20 chars. However you will not be able to manage them with user manager for domains. To my knowledge, AD has no problem with groups > 20 chars
By the way.. I remember another thread about this a while ago. Search the archives for it as I think you'll find more info on this
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
( Tel : +31-(0)40-29.57.777
( Mobile : +31-(0)6-26.26.62.80
* E-mail : <see sender address>
________________________________
From: [EMAIL PROTECTED] on behalf of Joe Kaplan
Sent: Tue 2006-06-06 02:03
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to gr oups?
Sure enough, rangeUpper is 256. I'm not sure where I got that 64 thing, but
I'm guessing it was from memory and that was not up to the task again.
Anyone else? Is it safe or not for groups to have a sAMAccountName > 20
characters but <= 64? I'm going to assume that users definitely need to be
<= 20.
Joe K.
----- Original Message -----
From: Al Mulnick
To: ActiveDir@mail.activedir.org
Sent: Monday, June 05, 2006 5:46 PM
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not
applicable to gr oups?
Interesting. The online version I see says rangeupper is 256. Not sure how
important that is, but...
http://msdn.microsoft.com/library/default.asp?url="">
Given the purpose of samaccountname I have a hard time believing something
doesn't rely on that being 20 chars. Not to say that they haven't been since
fixed, but that's too tempting for most folks not to just say, "well, to be
usable it's limited to 20 chars and since Microsoft has that number
published everywhere, we'll just assume it's 20 chars all the time..." or
something like that.
Al
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
