Title: Net localgroup limitation?
Hi Joe,
Yeah thanks for that, I was scratching my head trying to add a new admin group that is 57 characters long.
Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
According to the schema the sAMAccountName must be 0-256, however, this is one of the famous SAM Attributes, the rules of the schema are not necessarily the rules that apply to the SAM Attributes; see http://blog.joeware.net/2006/01/21/222/ - which is a blog article titled "But the schema says description is multivalued."

The sAMAccountName is fun because it depends on the object type it is applied to. For instance a user object peaks out at 20 even with LDAP.

Localgroup names I believe could go to 256 characters if you knew how. You can definitely go that high on the local SAM on workstations.

Even with NET.EXE you can create and manipulate domain local groups with greater than 20 characters. In fact I just double-checked and easily handled creating, populating, and deleting a group with 100 characters. The pinch though is when you are trying to add that group to another group. NET.EXE screws that up and throws the usage screen. However, that doesn't mean it can't be done and that the API doesn't handle it. If you grab my LG tool from the website (http://www.joeware.net/win/free/tools/lg.htm) it will do it and I can guarantee it uses the LEGACY NET API. I wrote the main code used in that tool initially back in about 1997 or 1998 or so.

I do recall in the early days of W2K some kind of an issue with group names though while importing them into AD from NT4 Domains. If the group was too long it would instead get a random sAMAccountName which I thought was quite fun. I ended up having to put in a check script after every migration to make sure that cn's and SAM Names matched up.

Interestingly enough, MS has put an attribute into AD, called uASCompat, to hint at some point upcoming support for turning off the LANMAN support which artificially limits say a userid SAM Name to 20 characters. However, currently that attribute seems to be entirely read-only. I have not been able to find a way to change it the various times I have poked through the source code.
joe
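A sketch of the kind of post-migration check joe describes, as an added example that is not part of the thread and is not joe's own script: it reads an LDIF export of group objects and flags entries whose cn and sAMAccountName differ, or whose sAMAccountName is longer than the 20 characters discussed here. The sample LDIF, the example.com names and the function names are constructed for illustration.

```python
import base64
# Assumption: 20 is the legacy length discussed in the thread; adjust as needed.
LEGACY_LIMIT = 20

# Constructed sample export (not real data).
SAMPLE_LDIF = """\
dn: CN=Server Admins,OU=Groups,DC=example,DC=com
cn: Server Admins
sAMAccountName: Server Admins

dn: CN=Regional Workstation Administrators,OU=Groups,DC=example,DC=com
cn: Regional Workstation Administrators
sAMAccountName: Regional Workstation Administrators

dn: CN=Migrated Finance Operators,OU=Groups,DC=example,DC=com
cn: Migrated Finance Operators
sAMAccountName: RANDOM-SAMPLE-01
"""

def parse_ldif(text):
    """Yield one {attribute: first value} dict per LDIF entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                yield entry
            entry = {}
        elif not line.startswith("#") and ":" in line:
            name, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(name.lower(), value.strip())

def audit_groups(ldif_text, limit=LEGACY_LIMIT):
    """Return (dn, reason) pairs for groups worth a manual look."""
    findings = []
    for e in parse_ldif(ldif_text):
        dn, cn, sam = e.get("dn", ""), e.get("cn", ""), e.get("samaccountname", "")
        if cn.lower() != sam.lower():
            findings.append((dn, "cn and sAMAccountName differ"))
        if len(sam) > limit:
            findings.append((dn, "sAMAccountName longer than %d characters" % limit))
    return findings
```

Calling `audit_groups(SAMPLE_LDIF)` returns two findings for the constructed data: the 35-character group name and the migrated group whose SAM name no longer matches its cn.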
Hi,
In AD:
the sAMAccountName must be between 0 and 256 characters long
the cn must be between 1 and 64 characters long
I guess the NET commands are still using legacy methods.
When creating a group in NT4 the limit was 20 char when you used the user manager for domains. However, using other methods (scripting or third party tooling) it was possible to pass the limit of user manager for domains. Don't remember what the real limit was/is.
Jorge
From: [EMAIL PROTECTED] on behalf of Freddy HARTONO
Sent: Fri 2006-01-20 08:48
To: [email protected]
Subject: [ActiveDir] Net localgroup limitation?
Hi
Just curious, is there a 19 characters limit for net localgroup commands?
Just realised after trying to script a couple of things - that adding this doesn't work.
This works:
Net localgroup Administrators "domain\12345678910123456789" /ADD
This doesn't work:
Net localgroup Administrators "domain\123456789101234567890123456" /ADD
Has anyone else come up against this limitation?
Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785