aha. Good point! Reading the article carefully (as I should have done originally) user samaccountname is limited to 20 chars but the rangeupper is 256 for other objects that use that attribute.
That's ugly but makes sense :) neil -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: 26 January 2006 15:47 To: [email protected] Subject: RE: [SPAM?] RE: [ActiveDir] Net localgroup limitation? Groups have sAMAccountNames too. In that case, sAMAccountNames are limited to 256 characters. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, January 26, 2006 10:11 AM To: [email protected] Subject: RE: [SPAM?] RE: [ActiveDir] Net localgroup limitation? The article refers to the attribute samAccountName - and how that is limited to 20 chars. What do you mean by 'userids' if not samaccountname? neil PS Try adding more than 20 chars to a user's samaccountname attribute (via adsiedit for e.g.) and see what happens :) -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: 25 January 2006 14:21 To: [email protected] Subject: RE: [SPAM?] RE: [ActiveDir] Net localgroup limitation? Note the reference is "the logon name..." which means they are specifically thinking about userids which are limited to 20 characters. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, January 25, 2006 3:47 AM To: [email protected] Subject: RE: [SPAM?] RE: [ActiveDir] Net localgroup limitation? Refer to this article too, which suggests a limit of 20 chars - http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschem a/adschema/a_samaccountname.asp neil -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: 25 January 2006 07:35 To: [email protected] Subject: Re: [SPAM?] RE: [ActiveDir] Net localgroup limitation? Naming conventions in Active Directory for computers, domains, sites, and OUs: http://support.microsoft.com/?kbid=909264 Study it... pop quiz in the morning... joe wrote: > So I am confused, are you good now? > > The 57 characters sounds familiar to me, that might be the limit I hit > when migrating in Domain Local groups into 2K several years ago. I > would have to look at some standards docs I wrote for that company to > be sure. I ended up just saying, ok for now on, max length of a group > is X where X was the length of the user definable part of the group > name plus the part we required for it to be in AD (basically a > building suffix and a dash for a prefix). > > ---------------------------------------------------------------------- > -- > *From:* [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] *On Behalf Of *Freddy > HARTONO > *Sent:* Tuesday, January 24, 2006 5:31 AM > *To:* [email protected] > *Subject:* RE: [SPAM?] RE: [ActiveDir] Net localgroup limitation? > > Hi Joe, > > Yeah thanks for that, I was scratching my head trying to add a new > admin group with 57 characters long. > > Thank you and have a splendid day! > > Kind Regards, > > Freddy Hartono > Group Support Engineer > InternationalSOS Pte Ltd > mail: [EMAIL PROTECTED] > phone: (+65) 6330-9785 > > > > ---------------------------------------------------------------------- > -- > *From:* [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] *On Behalf Of *joe > *Sent:* Tuesday, January 24, 2006 12:35 PM > *To:* [email protected] > *Subject:* [SPAM?] RE: [ActiveDir] Net localgroup limitation? > > According to the schema the sAMAccountName must be 0-256, however, > this is one of the famous SAM Attributes, the rules of the schema are > not necessarily the rules that apply to the SAM Attributes see > http://blog.joeware.net/2006/01/21/222/ - which is a blog article > titled "But the schema says description is multivalued." > > The sAMAccountname is fun because it depends on the object type it is > applied to. For instance a user object peaks out at 20 even with LDAP. > > Localgroup names I believe could go to 256 characters if you knew how. > You can definitely go that high on the local SAM on workstations. > > Even with NET.EXE you can create and manipulate domain local groups > with greater than 20 characters. In fact I just doublechecked and > easily handled creating, populating, and deleting a group with 100 > characters. The pinch though is when you are trying to add that group > to another group. NET.EXE screws that up and throws the usage screen. > However, that doesn't mean it can't be done and that the API doesn't > handle it. If you grab my LG tool from the website > (http://www.joeware.net/win/free/tools/lg.htm) it will do it and I can > guarantee it uses the LEGACY NET API. I wrote the main code used in > that tool initially back in about 1997 or 1998 or so. > > I do recall in the early days of W2K some kind of an issue with group > names though while importing them into AD from NT4 Domains. If the > group was too long it would instead get a random sAMAccountName which > I thought was quite fun. I ended up having to put in a check script > after every migration to make sure that cn's and SAM Names matched up. > > Interestingly enough, MS has put an attribute into AD to hint at some > point upcoming support for turning off the LANMAN support which > artifically limits say a userid SAM Name to 20 characters called > uASCompat. However, currently that attribute seems to be entirely > read-only. I have not been able to find a way to change it the various > times I have poked through the source code. > > > joe > > > > ---------------------------------------------------------------------- > -- > *From:* [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] *On Behalf Of *Almeida > Pinto, Jorge de > *Sent:* Friday, January 20, 2006 12:14 PM > *To:* [email protected] > *Subject:* RE: [ActiveDir] Net localgroup limitation? > > Hi, > > In AD: > the sAMAccountName must be between 0 and 256 characters long the cn > must be between 1 and 64 characters long > > I guess the NET commands are still using legacy methods > > When creating a group in a NT4 the limit was 20 char when you used the > user manager for domains. However, using other methods (scripting or > third party tooling) it was possible to pass the limit of user manager > for domains. Don't remember what the real limit was/is > > Jorge > > ---------------------------------------------------------------------- > -- > *From:* [EMAIL PROTECTED] on behalf of Freddy HARTONO > *Sent:* Fri 2006-01-20 08:48 > *To:* [email protected] > *Subject:* [ActiveDir] Net localgroup limitation? > > Hi > > Just curious is there a* 19 characters* limit for net localgroup > commands? > > Just realised after trying to script a couple of things - that adding > this doesn't work > > *This works* > Net localgroup Administrators "domain\12345678910123456789" /ADD > > *This doesn't work* > Net localgroup Administrators "domain\123456789101234567890123456" > /ADD > > Anyone else comes up with this limitation? > > Thank you and have a splendid day! > > Kind Regards, > > Freddy Hartono > Group Support Engineer > InternationalSOS Pte Ltd > mail: [EMAIL PROTECTED] > phone: (+65) 6330-9785 > List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
