Oh no, I am not into memorizing what I can stumble upon and figure out as needed. :o)
Plus that doesn't say anything about groups. ;o)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, January 25, 2006 2:35 AM
To: [email protected]
Subject: Re: [SPAM?] RE: [ActiveDir] Net localgroup limitation?

Naming conventions in Active Directory for computers, domains, sites, and OUs:
http://support.microsoft.com/?kbid=909264

Study it... pop quiz in the morning...

joe wrote:
> So I am confused, are you good now?
>
> The 57 characters sounds familiar to me, that might be the limit I hit
> when migrating in Domain Local groups into 2K several years ago. I
> would have to look at some standards docs I wrote for that company to
> be sure. I ended up just saying, ok for now on, max length of a group
> is X where X was the length of the user definable part of the group
> name plus the part we required for it to be in AD (basically a
> building suffix and a dash for a prefix).
>
> ------------------------------------------------------------------------
> *From:* [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] *On Behalf Of* Freddy HARTONO
> *Sent:* Tuesday, January 24, 2006 5:31 AM
> *To:* [email protected]
> *Subject:* RE: [SPAM?] RE: [ActiveDir] Net localgroup limitation?
>
> Hi Joe,
>
> Yeah thanks for that, I was scratching my head trying to add a new
> admin group with 57 characters long.
>
> Thank you and have a splendid day!
>
> Kind Regards,
>
> Freddy Hartono
> Group Support Engineer
> InternationalSOS Pte Ltd
> mail: [EMAIL PROTECTED]
> phone: (+65) 6330-9785
>
> ------------------------------------------------------------------------
> *From:* [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] *On Behalf Of* joe
> *Sent:* Tuesday, January 24, 2006 12:35 PM
> *To:* [email protected]
> *Subject:* [SPAM?] RE: [ActiveDir] Net localgroup limitation?
>
> According to the schema the sAMAccountName must be 0-256, however,
> this is one of the famous SAM Attributes, the rules of the schema are
> not necessarily the rules that apply to the SAM Attributes see
> http://blog.joeware.net/2006/01/21/222/ - which is a blog article
> titled "But the schema says description is multivalued."
>
> The sAMAccountname is fun because it depends on the object type it is
> applied to. For instance a user object peaks out at 20 even with LDAP.
>
> Localgroup names I believe could go to 256 characters if you knew how.
> You can definitely go that high on the local SAM on workstations.
>
> Even with NET.EXE you can create and manipulate domain local groups
> with greater than 20 characters. In fact I just double-checked and
> easily handled creating, populating, and deleting a group with 100
> characters. The pinch though is when you are trying to add that group
> to another group. NET.EXE screws that up and throws the usage screen.
> However, that doesn't mean it can't be done and that the API doesn't
> handle it. If you grab my LG tool from the website
> (http://www.joeware.net/win/free/tools/lg.htm) it will do it and I can
> guarantee it uses the LEGACY NET API. I wrote the main code used in
> that tool initially back in about 1997 or 1998 or so.
>
> I do recall in the early days of W2K some kind of an issue with group
> names though while importing them into AD from NT4 Domains. If the
> group was too long it would instead get a random sAMAccountName which
> I thought was quite fun. I ended up having to put in a check script
> after every migration to make sure that cn's and SAM Names matched up.
>
> Interestingly enough, MS has put an attribute into AD to hint at some
> point upcoming support for turning off the LANMAN support which
> artificially limits say a userid SAM Name to 20 characters called
> uASCompat. However, currently that attribute seems to be entirely
> read-only.
> I have not been able to find a way to change it the various
> times I have poked through the source code.
>
> joe
>
> ------------------------------------------------------------------------
> *From:* [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] *On Behalf Of* Almeida Pinto, Jorge de
> *Sent:* Friday, January 20, 2006 12:14 PM
> *To:* [email protected]
> *Subject:* RE: [ActiveDir] Net localgroup limitation?
>
> Hi,
>
> In AD:
> the sAMAccountName must be between 0 and 256 characters long
> the cn must be between 1 and 64 characters long
>
> I guess the NET commands are still using legacy methods
>
> When creating a group in a NT4 the limit was 20 char when you used the
> user manager for domains. However, using other methods (scripting or
> third party tooling) it was possible to pass the limit of user manager
> for domains. Don't remember what the real limit was/is
>
> Jorge
>
> ------------------------------------------------------------------------
> *From:* [EMAIL PROTECTED] on behalf of Freddy HARTONO
> *Sent:* Fri 2006-01-20 08:48
> *To:* [email protected]
> *Subject:* [ActiveDir] Net localgroup limitation?
>
> Hi
>
> Just curious is there a *19 characters* limit for net localgroup
> commands?
>
> Just realised after trying to script a couple of things - that adding
> this doesn't work
>
> *This works*
> Net localgroup Administrators "domain\12345678910123456789" /ADD
>
> *This doesn't work*
> Net localgroup Administrators "domain\123456789101234567890123456" /ADD
>
> Anyone else comes up with this limitation?
>
> Thank you and have a splendid day!
>
> Kind Regards,
>
> Freddy Hartono
> Group Support Engineer
> InternationalSOS Pte Ltd
> mail: [EMAIL PROTECTED]
> phone: (+65) 6330-9785
>

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
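
The post-migration check described in the thread (cn and SAM names matching up) together with the over-20-character nesting problem, as an added PowerShell example that is not code from the thread or its participants. The function name `Test-GroupNaming`, the finding labels and the sample records are hypothetical; the 64-character cn limit and the 20-character NET.EXE threshold are taken from the thread, not from vendor documentation.

```powershell
# Added example: audit group names after a migration (constructed data, not from the thread).
$CnMaxLength      = 64   # cn limit quoted in the thread (1-64)
$NetExeNestLength = 20   # per the thread, NET.EXE fails when nesting groups with longer names

function Test-GroupNaming {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Group
    )
    process {
        $cn  = [string]$Group.cn
        $sam = [string]$Group.sAMAccountName
        $findings = @()

        # A migrated group whose SAM name was replaced no longer matches its cn.
        if ($sam -ne $cn) { $findings += 'SamDiffersFromCn' }
        if ($cn.Length -lt 1 -or $cn.Length -gt $CnMaxLength) { $findings += 'CnLengthOutOfRange' }
        # Scripts that run "net localgroup <target> <group> /ADD" are expected to fail on these.
        if ($sam.Length -gt $NetExeNestLength) { $findings += 'TooLongForNetExeNesting' }

        # Emit a record only for groups that need attention.
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                cn             = $cn
                sAMAccountName = $sam
                SamLength      = $sam.Length
                Findings       = $findings -join ','
            }
        }
    }
}

# Constructed sample records standing in for a directory export.
$sample = @(
    [pscustomobject]@{ cn = 'BLD1-Helpdesk'; sAMAccountName = 'BLD1-Helpdesk' }
    [pscustomobject]@{ cn = 'BLD1-Workstation-Local-Administrators'
                       sAMAccountName = 'BLD1-Workstation-Local-Administrators' }
    # Placeholder for a SAM name that was regenerated during import.
    [pscustomobject]@{ cn = 'BLD2-Server-Operators-Tier1'; sAMAccountName = 'PLACEHOLDER-RANDOM' }
)

$sample | Test-GroupNaming | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADGroup -Filter * -Properties cn | Test-GroupNaming
```

On the sample data the first group passes silently, the second is flagged only for NET.EXE nesting, and the third only for the cn/SAM mismatch.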
