Naming conventions in Active Directory for computers, domains, sites,
and OUs:
http://support.microsoft.com/?kbid=909264
Study it... pop quiz in the morning...
joe wrote:
So I am confused, are you good now?
The 57 characters sounds familiar to me, that might be the limit I hit
when migrating in Domain Local groups into 2K several years ago. I
would have to look at some standards docs I wrote for that company to
be sure. I ended up just saying, OK, from now on, max length of a group
is X where X was the length of the user definable part of the group
name plus the part we required for it to be in AD (basically a
building suffix and a dash for a prefix).
------------------------------------------------------------------------
*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] *On Behalf Of* Freddy HARTONO
*Sent:* Tuesday, January 24, 2006 5:31 AM
*To:* [email protected]
*Subject:* RE: [SPAM?] RE: [ActiveDir] Net localgroup limitation?
Hi Joe,
Yeah thanks for that, I was scratching my head trying to add a new
admin group with 57 characters long.
Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
------------------------------------------------------------------------
*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] *On Behalf Of* joe
*Sent:* Tuesday, January 24, 2006 12:35 PM
*To:* [email protected]
*Subject:* [SPAM?] RE: [ActiveDir] Net localgroup limitation?
According to the schema the sAMAccountName must be 0-256; however,
this is one of the famous SAM attributes, and the rules of the schema
are not necessarily the rules that apply to the SAM attributes. See
http://blog.joeware.net/2006/01/21/222/ - which is a blog article
titled "But the schema says description is multivalued."
The sAMAccountName is fun because it depends on the object type it is
applied to. For instance a user object peaks out at 20 even with LDAP.
Localgroup names I believe could go to 256 characters if you knew how.
You can definitely go that high on the local SAM on workstations.
Even with NET.EXE you can create and manipulate domain local groups
with greater than 20 characters. In fact I just double-checked and
easily handled creating, populating, and deleting a group with 100
characters. The pinch though is when you are trying to add that group
to another group. NET.EXE screws that up and throws the usage screen.
However, that doesn't mean it can't be done and that the API doesn't
handle it. If you grab my LG tool from the website
(http://www.joeware.net/win/free/tools/lg.htm) it will do it and I can
guarantee it uses the LEGACY NET API. I wrote the main code used in
that tool initially back in about 1997 or 1998 or so.
I do recall in the early days of W2K some kind of an issue with group
names though while importing them into AD from NT4 Domains. If the
group was too long it would instead get a random sAMAccountName which
I thought was quite fun. I ended up having to put in a check script
after every migration to make sure that cn's and SAM Names matched up.
Interestingly enough, MS has put an attribute into AD to hint at some
point upcoming support for turning off the LANMAN support which
artificially limits, say, a userid SAM Name to 20 characters called
uASCompat. However, currently that attribute seems to be entirely
read-only. I have not been able to find a way to change it the various
times I have poked through the source code.
joe
------------------------------------------------------------------------
*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] *On Behalf Of* Almeida Pinto, Jorge de
*Sent:* Friday, January 20, 2006 12:14 PM
*To:* [email protected]
*Subject:* RE: [ActiveDir] Net localgroup limitation?
Hi,
In AD:
the sAMAccountName must be between 0 and 256 characters long
the cn must be between 1 and 64 characters long
I guess the NET commands are still using legacy methods.
When creating a group in NT4 the limit was 20 char when you used the
user manager for domains. However, using other methods (scripting or
third party tooling) it was possible to pass the limit of user manager
for domains. Don't remember what the real limit was/is.
Jorge
------------------------------------------------------------------------
*From:* [EMAIL PROTECTED] on behalf of Freddy HARTONO
*Sent:* Fri 2006-01-20 08:48
*To:* [email protected]
*Subject:* [ActiveDir] Net localgroup limitation?
Hi
Just curious, is there a *19 characters* limit for net localgroup
commands?
Just realised after trying to script a couple of things - that adding
this doesn't work
*This works*
Net localgroup Administrators "domain\12345678910123456789" /ADD
*This doesn't work*
Net localgroup Administrators "domain\123456789101234567890123456" /ADD
Anyone else come across this limitation?
Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
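
The post-migration check described in the thread (confirming that each group's cn and sAMAccountName match, and spotting names past the 20-character legacy length that NET.EXE mishandles when nesting groups) can be sketched as below. This is an added example, not code from the thread or from joeware; the function name `Test-GroupSamName`, the `MaxLegacyLength` parameter and the sample group names are hypothetical.

```powershell
# Added example: flag groups whose sAMAccountName differs from the cn,
# or is longer than the legacy length discussed in the thread.
function Test-GroupSamName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Group,
        # 20 is the legacy length mentioned in the thread; adjust to local policy.
        [int]$MaxLegacyLength = 20
    )
    process {
        $issues = @()
        # -ne is case-insensitive, so a pure case difference is not reported.
        if ($Group.Name -ne $Group.SamAccountName) {
            $issues += 'cn and sAMAccountName differ'
        }
        if ($Group.SamAccountName.Length -gt $MaxLegacyLength) {
            $issues += "sAMAccountName longer than $MaxLegacyLength characters"
        }
        if ($issues.Count -gt 0) {
            [pscustomobject]@{
                Name           = $Group.Name
                SamAccountName = $Group.SamAccountName
                Length         = $Group.SamAccountName.Length
                Issues         = $issues -join '; '
            }
        }
    }
}

# Constructed sample data standing in for directory output.
# The third entry mimics a migrated group that received a substitute
# sAMAccountName; the value is a placeholder, not a real generated name.
$sample = @(
    [pscustomobject]@{ Name = 'BLD1-FileAdmins'; SamAccountName = 'BLD1-FileAdmins' }
    [pscustomobject]@{ Name = 'BLD1-Regional-Workstation-Admins'; SamAccountName = 'BLD1-Regional-Workstation-Admins' }
    [pscustomobject]@{ Name = 'BLD2-Legacy-Imported-Operators'; SamAccountName = 'RANDOM-PLACEHOLDER-1' }
)
$sample | Test-GroupSamName | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADGroup -Filter * | Test-GroupSamName
```

Groups reported for length are the ones to add to local groups through something other than NET.EXE; groups reported for a mismatch are the ones to review before granting rights by name.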