I am having problem in Windows 2003 AD adding computer accounts..

  • Question

  • Hi All

    I am getting this below error

    This property is limited to 64 values.
    You must remove some of the existing values before you can add ones.


    Requirement: I have a common user in AD and need to restrict login to only 100 systems.

    In AD User properties, when I restrict the systems by setting Account >> Log On To >> add computers,
    I can add only 64; beyond this I am not able to add computer names.

    Please let me know how I can achieve this, to allow login from 100 systems for a particular user account.


    N

    Friday, March 2, 2012 5:03 PM

Answers

  • This article verifies what I guessed:

    http://support.microsoft.com/kb/938458

    The ADUC interface limits the number of names to 64, because each can be up to 16 characters, and 16 * 64 = 1024, the maximum length for the userWorkstations attribute.

    First, if the average length of your computer names is 10 characters or less, you don't need to modify the attribute in the schema. You just need to bypass the ADUC GUI and do this in a script. For example, the following VBScript program outputs the current value of the userWorkstations attribute for a specified user:

    Option Explicit

    Dim objUser, strWorkstations

    ' Bind to the user object, using the distinguished name of the user.
    Set objUser = GetObject("LDAP://cn=Jim Smith,ou=West,dc=MyDomain,dc=com")

    ' Retrieve value of userWorkstations attribute.
    strWorkstations = objUser.userWorkstations

    ' Echo to the screen so it can be redirected to a text file.
    Wscript.Echo strWorkstations

    -----

    You would run this at a command prompt using the cscript host program, so you can redirect the output to a text file. For example, if the program is saved in the file ReadWorkSta.vbs, you would use:

    cscript //nologo ReadWorkSta.vbs > report.txt

    The value will be a comma delimited list of computer NetBIOS names. Then add the additional names you need, comma delimited. If the overall length is less than 1024 characters, you can use a script similar to below to save the modified value for the user. I would paste the value from the text file into this program, so you don't need extra code to read the text file. For example:

    Option Explicit

    Dim objUser, strWorkstations

    ' Bind to the user object, using the distinguished name of the user.
    Set objUser = GetObject("LDAP://cn=Jim Smith,ou=West,dc=MyDomain,dc=com")

    ' Specify new value of userWorkstations attribute.
    ' This value can be up to 1024 characters long.
    strWorkstations = "computer2,alpha,beta,computer5,zeta"

    ' Assign the new value.
    objUser.userWorkstations = strWorkstations

    ' Save in AD.
    objUser.SetInfo

    -----

    I'd be shocked this doesn't work (as long as the value is less than 1024 characters), but I have not tested. Finally, if this fails, or your 100 computer names results in a string over 1024 characters (including commas I assume), then you must modify the rangeUpper property of the userWorkstations attribute. I use ADSI Edit. All of the attribute objects are in the "cn=Schema,cn=Configuration,dc=MyDomain,dc=com" container, where your domain is mydomain.com. The attribute name is User-Workstations (the LDAPDisplayName, which must be used in scripts, is userWorkstations). When you view properties of this attribute object you will see that the value of the rangeUpper property is 1024. This can be increased to meet your needs, although the article I linked recommends a max of 8192. You can edit this in ADSI Edit. Another option would be to use VBScript to bind to the attribute object, modify the rangeUpper property, and save in AD. My guess is that after modifying the rangeUpper value, the ADUC GUI won't know about this, and will still enforce the 64 name limit. I suspect you will need to use a script to assign the large value. I hope this helps.


    Richard Mueller - MVP Directory Services

    • Proposed as answer by Aiden_Cao Tuesday, March 6, 2012 8:05 AM
    • Marked as answer by Aiden_Cao Monday, March 12, 2012 1:38 AM
    Saturday, March 3, 2012 12:08 AM
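
    The following script is an added example, not part of the answer above and not tested by its author. It merges extra names into the existing userWorkstations value, removes duplicates, and refuses to save if the result is longer than the rangeUpper value read from the schema. The DNs reuse the thread's sample domain and the names in NEW_NAMES are constructed; both are assumptions to replace with your own.

```vbscript
Option Explicit

' Assumed DNs, reusing the sample domain from the thread.
Const USER_DN = "cn=Jim Smith,ou=West,dc=MyDomain,dc=com"
Const ATTR_DN = "cn=User-Workstations,cn=Schema,cn=Configuration,dc=MyDomain,dc=com"
' Constructed sample names to add (comma delimited).
Const NEW_NAMES = "computer6,computer7,ALPHA"

Dim objUser, objAttr, objNames, strName, strClean
Dim strCurrent, strMerged, lngMax

Set objUser = GetObject("LDAP://" & USER_DN)

' Read the current length limit from the schema instead of assuming 1024.
Set objAttr = GetObject("LDAP://" & ATTR_DN)
lngMax = objAttr.Get("rangeUpper")

' The attribute has no value if the user was never restricted.
strCurrent = ""
On Error Resume Next
strCurrent = objUser.Get("userWorkstations")
If Err.Number <> 0 Then strCurrent = ""
On Error GoTo 0

' Case-insensitive dictionary removes duplicates such as alpha/ALPHA.
Set objNames = CreateObject("Scripting.Dictionary")
objNames.CompareMode = vbTextCompare

For Each strName In Split(strCurrent & "," & NEW_NAMES, ",")
    strClean = Trim(strName)
    If Len(strClean) > 0 Then
        If Not objNames.Exists(strClean) Then objNames.Add strClean, True
    End If
Next

strMerged = Join(objNames.Keys, ",")
WScript.Echo objNames.Count & " names, " & Len(strMerged) & " of " & lngMax & " characters"

' Do not write a value the directory would reject.
If Len(strMerged) > lngMax Then
    WScript.Echo "Not saved: value is longer than rangeUpper."
    WScript.Quit 1
End If

objUser.Put "userWorkstations", strMerged
objUser.SetInfo
WScript.Echo "Saved."
```

    Run it with cscript, as with the scripts in the answer, so the echoed lines go to the console.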

All replies

  • I didn't know there was a limit of 64 NetBIOS names in the userWorkstations attribute. The attribute is limited to 1024 characters, however. Are you getting this error in ADUC? Perhaps the GUI has a hard coded limit. If so, you might be able to assign more names using a script, but you would still be limited to 1024 characters, including the commas that separate the names (you can view this in the Attribute Editor of ADUC on Windows Server 2008, or in ADSI Edit).

    If the GUI limits you to 64 names, and you can't specify 100 names in 1024 characters in a script, then a solution would be to modify the attribute properties in the schema. You would change the rangeUpper attribute of the userWorkstations attribute from 1024 to perhaps 2048.


    Richard Mueller - MVP Directory Services

    Friday, March 2, 2012 5:54 PM
  • Thanks for the info. I hope you are recommending to modify the schema in ADSI; can you please tell me the right place and path for changing the schema?

    Beyond 64 hostnames or computer names I cannot specify any more.

    In AD User properties, when I restrict the systems by setting Account >> Log On To >> add computers,
    I can add only 64 computer names; beyond this I am not able to add computer names.


    N

    Friday, March 2, 2012 9:32 PM
  • Hi Nandak,

    How are things going? I just want to check if the information provided was helpful. If there is any update or concern, please feel free to let us know.


    Best Regards,
    Aiden


    Aiden Cao

    TechNet Community Support

    Tuesday, March 6, 2012 8:07 AM
  • Very impressive. I've been looking for a solution like this forever. So is it just the ADUC GUI that is restricted? Because I was using short NetBIOS names and it still wouldn't let me get over 64 names. I even tested with one-letter computer names and it didn't work.
    Friday, September 13, 2013 3:35 PM