About a year and a half ago I tested this as I was doing a migration from 
NDS to AD. Worked like a charm! (I even did tests for legacy clients like W9x 
as those were my biggest concern, and did not find anything.) The NDS groups were > 
64 chars and accepted all kinds of funny chars. I had to cut them down to < 64 
chars.
 
Although the samaccountname accepts 256 chars, the full name (common name) 
accepts only 64 chars. And in cases like this I like to use the weakest link 
(smallest value), which is the length of the full name. (That is why I cut them 
down to < 64 chars in the NDS so I did not experience any crap during the 
migration.)
 
Even in NT4 you could create groups > 20 chars....
 
User Manager for domains allowed 20 chars and some others did the same. However, 
several third party tools like Hyena and others go beyond that limit. Even if 
you use scripts you can create groups > 20 chars. However, you will not be able 
to manage them with User Manager for domains. To my knowledge, AD has no 
problem with groups > 20 chars.
 
By the way... I remember another thread about this a while ago. Search the 
archives for it as I think you'll find more info on this.
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel    : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : <see sender address>

________________________________

From: [EMAIL PROTECTED] on behalf of Joe Kaplan
Sent: Tue 2006-06-06 02:03
To: [email protected]
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not 
applicable to groups?



Sure enough, rangeUpper is 256.  I'm not sure where I got that 64 thing, but
I'm guessing it was from memory and that was not up to the task again.

Anyone else?  Is it safe or not for groups to have a sAMAccountName > 20
characters but <= 64?  I'm going to assume that users definitely need to be
<= 20.

Joe K.
----- Original Message -----
From: Al Mulnick
To: [email protected]
Sent: Monday, June 05, 2006 5:46 PM
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not
applicable to groups?


Interesting.  The online version I see says rangeupper is 256.  Not sure how
important that is, but...
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/a_samaccountname.asp

Given the purpose of samaccountname I have a hard time believing something
doesn't rely on that being 20 chars. Not to say that they haven't been since
fixed, but that's too tempting for most folks not to just say, "well, to be
usable it's limited to 20 chars and since Microsoft has that number
published everywhere, we'll just assume it's 20 chars all the time..." or
something like that.



Al


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx



