I have a customer with tens of thousands of what I would call long group names (<=50 chars because of a bug in the app that owns them) and I haven’t seen any group name related issue … I also haven’t fully followed this thread so I may not be understanding the issue.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe

Well for normal AD there is no reason to handle them unless for some reason you don't want them anymore. As for the ADC... It is a temporary POS... I am not sure how much changing of the environment I would do to support it. I would start looking at telling it to stop dorking with things.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO

Interesting read...

So since I have thousands of groups with pretty long names - any suggestions on how do you handle long groupnames? Do you create a short groupname and put the long description on it...?

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe

Here is the most recent...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

According to the schema the sAMAccountName must be 0-256, however, this is one of the famous SAM Attributes, the rules of the schema are not necessarily the rules that apply to the SAM Attributes see http://blog.joeware.net/2006/01/21/222/ - which is a blog article titled "But the schema says description is multivalued."

The sAMAccountname is fun because it depends on the object type it is applied to. For instance a user object peaks out at 20 even with LDAP.

Localgroup names I believe could go to 256 characters if you knew how. You can definitely go that high on the local SAM on workstations.

Even with NET.EXE you can create and manipulate domain local groups with greater than 20 characters. In fact I just double-checked and easily handled creating, populating, and deleting a group with 100 characters. The pinch though is when you are trying to add that group to another group. NET.EXE screws that up and throws the usage screen. However, that doesn't mean it can't be done and that the API doesn't handle it. If you grab my LG tool from the website (http://www.joeware.net/win/free/tools/lg.htm) it will do it and I can guarantee it uses the LEGACY NET API. I wrote the main code used in that tool initially back in about 1997 or 1998 or so.

I do recall in the early days of W2K some kind of an issue with group names though while importing them into AD from NT4 Domains. If the group was too long it would instead get a random sAMAccountName which I thought was quite fun. I ended up having to put in a check script after every migration to make sure that cn's and SAM Names matched up.

Interestingly enough, MS has put an attribute into AD to hint at some point upcoming support for turning off the LANMAN support which artificially limits say a userid SAM Name to 20 characters called uASCompat. However, currently that attribute seems to be entirely read-only. I have not been able to find a way to change it the various times I have poked through the source code.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob

Look for the "Net localgroup limitation?" thread in January of this year, particularly joe's message of 1/23/2006 8:35 PM

Also his message of 2/20/2005 8:37 AM in thread "samAccountName attribute length"

Finally his listing from lmcons.h header file in "character limit for sAMAccountNames" from 3/8/2004 7:09 PM

Sorry I don't have the links handy, those are from a search of my personal archives.

HTH

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick

Jorge, if you happen to find that in the archives, please post the link. A quick search of the net brings back some items that seem to indicate that greater than 20 could result in a problem with some directory sync tools. samaccountname is listed as being expected to be 20 chars. It doesn't differentiate between groups and users that use the samaccountname.

That just "seems" like a recipe for issues, but if you say it can be 256 without issue, then.... (I know Joe, you're using 64 and so did Jorge, but it looks like it was done for convenience vs. going with more chars.)

Interesting.

On 6/6/06, Almeida Pinto, Jorge de <[EMAIL PROTECTED]> wrote:

About a year and a half ago I have tested this as I was doing a migration from NDS to AD. Worked like a charm! (I even did tests for legacy clients like W9x as those were my biggest concern, did not find anything) The NDS groups were > 64 chars and accepted all kinds of funny chars. I had to cut them down to < 64 chars.
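
A check of the kind joe describes running after each migration (group cn and SAM name agree), combined with a length flag at the 20-character mark discussed in the thread. This is an added example, not code from the thread or from joeware; it reads an LDIF export, and the sample entries, DNs and the `parse_ldif` / `audit` names are constructed for illustration.

```python
import base64

LEGACY_LIMIT = 20  # length the thread cites for user SAM names and legacy tools

# Constructed sample export; names and DNs are made up for this example.
_B64_CN = base64.b64encode(b"Engineering Share Owners Imported From NT4").decode()
SAMPLE_LDIF = f"""\
dn: CN=Finance-Readers,OU=Groups,DC=example,DC=test
objectClass: top
objectClass: group
cn: Finance-Readers
sAMAccountName: Finance-Readers

dn: CN=Engineering Share Owners Imported From NT4,OU=Groups,DC=example,
 DC=test
objectClass: group
cn:: {_B64_CN}
sAMAccountName: GRP-7GQ2M1KD

dn: CN=Regional Helpdesk Operators Tier Two,OU=Groups,DC=example,DC=test
objectClass: group
cn: Regional Helpdesk Operators Tier Two
sAMAccountName: Regional Helpdesk Operators Tier Two
"""

def parse_ldif(text):
    """Yield one dict of attribute -> list of values per LDIF entry."""
    unfolded = text.replace("\n ", "")  # undo LDIF line folding
    for block in unfolded.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(attr.lower(), []).append(value.strip())
        yield entry

def audit(text):
    """Return (sAMAccountName, finding) pairs for entries needing review."""
    findings = []
    for e in parse_ldif(text):
        sam = e.get("samaccountname", [""])[0]
        cn = e.get("cn", [""])[0]
        if "group" in e.get("objectclass", []) and cn.lower() != sam.lower():
            findings.append((sam, "cn-mismatch"))  # e.g. name replaced on import
        if len(sam) > LEGACY_LIMIT:
            findings.append((sam, "over-legacy-limit"))
    return findings

if __name__ == "__main__":
    for sam, finding in audit(SAMPLE_LDIF):
        print(f"{finding:18} {sam}")
```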
