Here is the most recent...
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
joe
Sent: Monday, January 23, 2006 11:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Net localgroup limitation?
Sent: Monday, January 23, 2006 11:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Net localgroup limitation?
According to the schema the sAMAccountName must be
0-256, however, this is one of the famous SAM Attributes, the rules of the
schema are not necessarily the rules that apply to the SAM Attributes see
http://blog.joeware.net/2006/01/21/222/ - which is a blog article titled "But the schema says
description is multivalued."
The sAMAccountname is fun because it depends on the object
type it is applied to. For instance a user object peaks out at 20 even with
LDAP.
Localgroup names I believe could go to 256 characters if
you knew how. You can definitely go that high on the local SAM on
workstations.
Even with NET.EXE you can create and manipulate
domain local groups with greater than 20 characters. In fact I just
doublechecked and easily handled creating, populating, and deleting a group with
100 characters. The pinch though is when you are trying to add that group
to another group. NET.EXE screws that up and throws the usage screen. However,
that doesn't mean it can't be done and that the API doesn't handle it. If you
grab my LG tool from the website (http://www.joeware.net/win/free/tools/lg.htm) it will do it and I can guarantee it uses the LEGACY NET
API. I wrote the main code used in that tool initially back in about
1997 or 1998 or so.
I do recall in the early days of W2K some kind of an issue
with group names though while importing them into AD from NT4 Domains. If the
group was too long it would instead get a random sAMAccountName which I thought
was quite fun. I ended up having to put in a check script after every migration
to make sure that cn's and SAM Names matched up.
Interestingly enough, MS has put an attribute into AD to
hint at some point upcoming support for turning off the LANMAN support which
artifically limits say a userid SAM Name to 20 characters called uASCompat.
However, currently that attribute seems to be entirely read-only. I have not
been able to find a way to change it the various times I have poked through the
source code.
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Wednesday, June 07, 2006 4:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to gr oups?
Look for the "Net localgroup limitation?" thread in January
of this year, particularly joe's message of 1/23/2006 8:35
PM
Also his message of 2/20/2005 8:37 AM in thread
"samAccountName attribute length"
Finally his listing from lmcons.h header
file in "character limit for sAMAccountNames" from 3/8/2004 7:09
PM
Sorry I don't have the links handy, those are from a search
of my personal archives.
HTH
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, June 06, 2006 6:25 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to gr oups?
Jorge, if you happen to find that in the archives, please post the
link.
A quick search of the net brings back some items that seem to indicate that
greater than 20 could result in a problem with some directory sync tools.
samaccountname is listed as being expected to be 20 chars. It doesn't
differentiate between groups and users that use the samaccountname. That
just "seems" like a recipe for issues, but if you say it can be 256 without
issue, then.... (I know Joe, you're using 64 and so did Jorge, but it looks like
it was done for convenience vs. going with more chars.)
Interesting.
On 6/6/06, Almeida Pinto,
Jorge de <[EMAIL PROTECTED]>
wrote:
About a year and a half ago I have tested this as I was doing a migration from NDS to AD. Worked like a charm! (I even did tests for legacy clients like W9x as those were my biggest concern, did not find anything) The NDS groups were > 64 chars and accepted all kinds of funny chars. I had to cut them down to < 64 chars.
Although the samaccountname accepts 256 chars, the full name (common name) accepts only 64 chars. And in cases like this I like to use the weakest link (smallest value) which is the length of the full name. (that us why I cut them down to < 64 chars in the NDS so I did not experience any crap during the migration)
Even in NT4 you could create groups > 20 chars....
User Manager for domains allowed 20 chars and some other did the same. However, several third party tools like Hyena and others go beyond that limit. Even if you use scripts you can creare groups > 20 chars. However you will not be able to manage them with user manager for domains. To my knowledge, AD has no problem with groups > 20 chars
By the way.. I remember another thread about this a while ago. Search the archives for it as I think you'll find more info on this
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
( Tel : +31-(0)40-29.57.777
( Mobile : +31-(0)6-26.26.62.80
* E-mail : <see sender address>
________________________________
From: [EMAIL PROTECTED] on behalf of Joe Kaplan
Sent: Tue 2006-06-06 02:03
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to gr oups?
Sure enough, rangeUpper is 256. I'm not sure where I got that 64 thing, but
I'm guessing it was from memory and that was not up to the task again.
Anyone else? Is it safe or not for groups to have a sAMAccountName > 20
characters but <= 64? I'm going to assume that users definitely need to be
<= 20.
Joe K.
----- Original Message -----
From: Al Mulnick
To: ActiveDir@mail.activedir.org
Sent: Monday, June 05, 2006 5:46 PM
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not
applicable to gr oups?
Interesting. The online version I see says rangeupper is 256. Not sure how
important that is, but...
http://msdn.microsoft.com/library/default.asp?url="">
Given the purpose of samaccountname I have a hard time believing something
doesn't rely on that being 20 chars. Not to say that they haven't been since
fixed, but that's too tempting for most folks not to just say, "well, to be
usable it's limited to 20 chars and since Microsoft has that number
published everywhere, we'll just assume it's 20 chars all the time..." or
something like that.
Al
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.