Actually, I would consider it a good idea unless you have a specific reason not to.  What really uses the group samaccountname?  Users won't typically see it, so it's relegated to backroom work.  Making the cn and samaccountname the same would, in my opinion, be a best practice.  In the case of Exchange, I would make any attribute that is built off of that or might be used, such as alias, the same as any other attribute that might get used.  Consistency is the goal there. Naming policies that take this into account are something that I've seen save a lot of issues later.
 
Exchange is something that would be notoriously touchy about consistency.  I can think of several occasions having been bitten by inconsistencies that *should* have been fine that resulted in outages, head scratching, and general unhappiness in the user community.  UPN and OWA would be a combination that comes to mind. Hence my suggestion that consistency be imposed and unique naming standards for attributes be utilized and enforced. The more you scale, the more likely you'll run into this issue. These days, if you scale way up, chances are good you've outsourced some or all of your support, making the fixing and the cost of living with the issue much higher as well. May as well get it out of the way on the ground floor.
 
 
Al

 
On 6/8/06, Freddy HARTONO <[EMAIL PROTECTED]> wrote:
I think I now have around 3500+ groups that have way long CNs and displaynames, mostly created by ADC, so in the samaccountname it's only taking the first 20 characters...
 
Personally I prefer short names as Exchange only uses displayname for the address book, so it doesn't matter what the samaccountname or the cn for the group is.
 
I'm thinking of writing a script that renames the long cn and samaccountname of the groups created by ADC to incremental groups - for example singroup1, singroup2, singroup3 (sin = Singapore)
 
Any comments whether it will break any functionality... or is this a bad idea?
 

Thank you and have a splendid day!

 

Kind Regards,

 

Freddy Hartono

Group Support Engineer

InternationalSOS Pte Ltd

mail: [EMAIL PROTECTED]

phone: (+65) 6330-9785

 

 


From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Thursday, June 08, 2006 12:38 PM

To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

 

I have a customer with tens of thousands of what I would call long group names (<=50 chars because of a bug in the app that owns them) and I haven't seen any group name related issue … I also haven't fully followed this thread so I may not be understanding the issue.

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Wednesday, June 07, 2006 11:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

 

Well for normal AD there is no reason to handle them unless for some reason you don't want them anymore. As for the ADC... It is a temporary POS... I am not sure how much changing of the environment I would do to support it. I would start looking at telling it to stop dorking with things.

 

--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm  

 

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Freddy HARTONO
Sent: Wednesday, June 07, 2006 10:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

Interesting read...

 

So since I have thousands of groups with pretty long names - any suggestions on how you handle long group names? Do you create a short group name and put the long description on it...?

 

Thank you and have a splendid day!

 

Kind Regards,

 

Freddy Hartono

Group Support Engineer

InternationalSOS Pte Ltd

mail: [EMAIL PROTECTED]

phone: (+65) 6330-9785

 

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Thursday, June 08, 2006 9:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

Here is the most recent...

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Monday, January 23, 2006 11:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Net localgroup limitation?

According to the schema the sAMAccountName must be 0-256; however, this is one of the famous SAM attributes, and the rules of the schema are not necessarily the rules that apply to the SAM attributes. See http://blog.joeware.net/2006/01/21/222/ - which is a blog article titled "But the schema says description is multivalued."

 

The sAMAccountName is fun because it depends on the object type it is applied to. For instance, a user object peaks out at 20 even with LDAP.

 

Localgroup names I believe could go to 256 characters if you knew how. You can definitely go that high on the local SAM on workstations.

 

Even with NET.EXE you can create and manipulate domain local groups with greater than 20 characters. In fact I just double-checked and it easily handled creating, populating, and deleting a group with 100 characters. The pinch though is when you are trying to add that group to another group. NET.EXE screws that up and throws the usage screen. However, that doesn't mean it can't be done and that the API doesn't handle it. If you grab my LG tool from the website ( http://www.joeware.net/win/free/tools/lg.htm ) it will do it and I can guarantee it uses the LEGACY NET API. I wrote the main code used in that tool initially back in about 1997 or 1998 or so.

 

I do recall in the early days of W2K some kind of an issue with group names though while importing them into AD from NT4 Domains. If the group was too long it would instead get a random sAMAccountName which I thought was quite fun. I ended up having to put in a check script after every migration to make sure that cn's and SAM Names matched up.

 

Interestingly enough, MS has put an attribute into AD, called uASCompat, to hint at some point at upcoming support for turning off the LANMAN support which artificially limits, say, a userid SAM Name to 20 characters. However, currently that attribute seems to be entirely read-only. I have not been able to find a way to change it the various times I have poked through the source code.

 

 

   joe

 

 

 

 

--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm  
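The check script joe describes above (confirming that cn and SAM names line up after a migration), together with the 20- and 64-character limits discussed in this thread, can be expressed as a small audit. The following PowerShell is an added example, not code from the thread or from any of its participants: it takes group records with `cn` and `sAMAccountName`, flags a sAMAccountName over 20 characters (the legacy NET/User Manager limit), a cn over 64 characters (the weakest-link limit mentioned later in the thread), and any cn/sAMAccountName mismatch such as the ADC-style truncation. The sample records are constructed; the `Test-GroupNaming` function name and the `Get-ADGroup` feed from the ActiveDirectory module are assumptions.

```powershell
# Added example, not from the thread. Audits group naming against the limits
# discussed: 20-char sAMAccountName (legacy SAM/NET tooling), 64-char cn,
# and cn/sAMAccountName consistency after migrations or ADC provisioning.
function Test-GroupNaming {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $Group,
        [int] $SamLimit = 20,   # legacy tooling limit discussed in the thread
        [int] $CnLimit  = 64    # cn (full name) limit discussed in the thread
    )
    process {
        $issues = @()
        if ($Group.sAMAccountName.Length -gt $SamLimit) {
            $issues += "sAMAccountName is $($Group.sAMAccountName.Length) chars (> $SamLimit): legacy tools may fail"
        }
        if ($Group.cn.Length -gt $CnLimit) {
            $issues += "cn is $($Group.cn.Length) chars (> $CnLimit)"
        }
        if ($Group.cn -ne $Group.sAMAccountName) {
            $issues += "cn and sAMAccountName differ (possible truncation or inconsistent naming)"
        }
        [pscustomobject]@{
            cn             = $Group.cn
            sAMAccountName = $Group.sAMAccountName
            Issues         = ($issues -join '; ')
        }
    }
}

# Constructed sample records (hypothetical names, not real groups).
$sample = @(
    [pscustomobject]@{ cn = 'singroup1'; sAMAccountName = 'singroup1' },
    # ADC-style truncation: sAMAccountName is the first 20 characters of the cn
    [pscustomobject]@{ cn = 'Singapore Finance Reporting Team Distribution'
                       sAMAccountName = 'Singapore Finance Re' },
    # Consistent, but both names exceed the limits discussed
    [pscustomobject]@{ cn = 'Regional Security Operations Oncall Rotation Group Asia Pacific Region'
                       sAMAccountName = 'Regional Security Operations Oncall Rotation Group Asia Pacific Region' }
)

$sample | Test-GroupNaming | Where-Object { $_.Issues } | Format-Table -AutoSize

# Against a live domain (assumes the ActiveDirectory module is installed):
# Get-ADGroup -Filter * -Properties cn,sAMAccountName |
#     Test-GroupNaming | Where-Object { $_.Issues }
```

Only records with at least one finding are emitted, so the output is the exception list a migration or naming-policy review would act on; the limits are parameters so a site that has validated longer names with its own tooling can raise them.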

 

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Free, Bob
Sent: Wednesday, June 07, 2006 4:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

Look for the "Net localgroup limitation?" thread in January of this year, particularly joe's message of  1/23/2006 8:35 PM

 

Also his message of 2/20/2005 8:37 AM in thread "samAccountName attribute length"

 

Finally his listing from lmcons.h header file in "character limit for sAMAccountNames" from 3/8/2004 7:09 PM

 

Sorry I don't have the links handy, those are from a search of my personal archives.

 

HTH

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Tuesday, June 06, 2006 6:25 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

Jorge, if you happen to find that in the archives, please post the link. 

 

A quick search of the net brings back some items that seem to indicate that greater than 20 could result in a problem with some directory sync tools.

 

samaccountname is listed as being expected to be 20 chars.  It doesn't differentiate between groups and users that use the samaccountname.  That just "seems" like a recipe for issues, but if you say it can be 256 without issue, then.... (I know Joe, you're using 64 and so did Jorge, but it looks like it was done for convenience vs. going with more chars.)

 

Interesting.

 

On 6/6/06, Almeida Pinto, Jorge de <[EMAIL PROTECTED] > wrote:

About a year and a half ago I tested this as I was doing a migration from NDS to AD. Worked like a charm! (I even did tests for legacy clients like W9x as those were my biggest concern, did not find anything.) The NDS groups were > 64 chars and accepted all kinds of funny chars. I had to cut them down to < 64 chars.

Although the samaccountname accepts 256 chars, the full name (common name) accepts only 64 chars. And in cases like this I like to use the weakest link (smallest value), which is the length of the full name. (That is why I cut them down to < 64 chars in the NDS, so I did not experience any crap during the migration.)

Even in NT4 you could create groups > 20 chars....

User Manager for Domains allowed 20 chars and some others did the same. However, several third party tools like Hyena and others go beyond that limit. Even if you use scripts you can create groups > 20 chars. However, you will not be able to manage them with User Manager for Domains. To my knowledge, AD has no problem with groups > 20 chars.

By the way.. I remember another thread about this a while ago. Search the archives for it as I think you'll find more info on this

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel    : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : <see sender address>

________________________________

From: [EMAIL PROTECTED] on behalf of Joe Kaplan
Sent: Tue 2006-06-06 02:03
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?



Sure enough, rangeUpper is 256.  I'm not sure where I got that 64 thing, but
I'm guessing it was from memory and that was not up to the task again.

Anyone else?  Is it safe or not for groups to have a sAMAccountName > 20
characters but <= 64?  I'm going to assume that users definitely need to be
<= 20.

Joe K.
----- Original Message -----
From: Al Mulnick
To: ActiveDir@mail.activedir.org
Sent: Monday, June 05, 2006 5:46 PM
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?


Interesting.  The online version I see says rangeupper is 256.  Not sure how
important that is, but...
http://msdn.microsoft.com/library/default.asp?url="">

Given the purpose of samaccountname I have a hard time believing something
doesn't rely on that being 20 chars. Not to say that they haven't been since
fixed, but that's too tempting for most folks not to just say, "well, to be
usable it's limited to 20 chars and since Microsoft has that number
published everywhere, we'll just assume it's 20 chars all the time..." or
something like that.



Al

