How to change the sAMAccountName attribute size limit in MIIS?

    Question

    Hi All

    I have a scenario where MIIS fails to create a user account when the sAMAccountName attribute is longer than 20 characters. Active Directory is installed on Windows Server 2003, which specifies the upper range for sAMAccountName as 256. How can I overcome the size limitation of the MIIS AD connector for this attribute?

    Thanks in advance!

    Bobby Augustine

    Monday, April 30, 2007 8:30 PM

Answers

  • Bobby,

    You can’t specify in Active Directory a sAMAccountName with more than 20 characters. The schema definition (256 chars) is overruled by the SAM rules (20 chars).

    This is not a MIIS limitation but an AD restriction.

    Cheers,
    Markus

    ///////////////////////////////////////////////////////////////////////
    Markus Vilcinskas

    Technical Writer
    Microsoft Identity Integration Server
    mailto:markvi@microsoft.com.NO_SPAM

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Use of included script samples is subject to the terms specified at
    http://www.microsoft.com/info/copyright.htm
    ///////////////////////////////////////////////////////////////////////

    Tuesday, May 1, 2007 1:53 AM
    Moderator

All replies

  • Bobby,

    MIIS reads this information directly from the AD schema - what service pack are you running for MIIS? I don't recall having an issue with this in the past, and I've set fairly large group names, which use the sAMAccountName attribute.
    Tuesday, May 1, 2007 12:35 AM
  • Thank you Markus!

    Tuesday, May 1, 2007 3:38 PM
  • Markus,

    Can you reference any document supporting your position?

    I can easily create an object in AD with 64 characters in length using the standard GUI, which would set "cn", "name" and "sAMAccountName" to the same values, as well as later modify "sAMAccountName" via ADSI editor to be up to 256 characters in length. "cn" and "name" attributes cannot be over 64 characters with the default schema.

    I have just tried this on a w2k3 R2 forest with e2k7 schema updates.

    Best regards,

    Daniel Shlyam | Infrastructure Architect

    Avanade Inc

    c: 917-804-0236 | im: danielsh@avanade.com

    Tuesday, May 22, 2007 6:55 PM
  • The documentation says it *should* be 20 characters or less in order to support older clients ...

    http://msdn2.microsoft.com/en-us/library/ms679635.aspx

    Paul.

    Tuesday, May 22, 2007 7:39 PM
  • I’ve asked the developing lead of the SAM interface.

    You should try to use any of these names to logon – it should not work.

    Tuesday, May 22, 2007 7:51 PM
    Moderator
  • I need to clarify my previous post.

    I can create a Group object with a "sAMAccountName" attribute of 64 characters and then later adjust it upwards to 256 in ADSIedit. User name IS limited to 20 characters, even in ADSIedit.

    Does the "sAMAccountName" attribute have different size limits depending on whether it's a group or a user name? How is it even possible?

    Daniel Shlyam | Infrastructure Architect

    Avanade Inc

    c: 917-804-0236 | im: danielsh@avanade.com

    Tuesday, May 22, 2007 9:13 PM
  • You can’t specify in Active Directory a sAMAccountName with more than 20 characters. The schema definition (256 chars) is overruled by the SAM rules (20 chars).

    This is not a MIIS limitation but an AD restriction.

    Friday, May 25, 2007 5:43 PM
  • As I mentioned in my post above, you CAN easily create a group with up to 64 characters in sAMAccountName, hence my previous question on why sAMAccountName is allowed to have different lengths depending on the object.
    Tuesday, May 29, 2007 9:45 PM
  • This is because it is not an LDAP schema issue.

    It has to do with the underlying programming that sets the sAMAccountName for the user object.

    It's in here where the limitation is.

    Because it is done here, the group and user can have different values.

    HTH,

    Joe

    Wednesday, May 30, 2007 5:21 PM
  • As I mentioned in my post above, you CAN easily create a group with up to 64 characters in sAMAccountName, hence my previous question on why sAMAccountName is allowed to have different lengths depending on the object.

    As mentioned in the thread, the sAMAccountName for users is hard-limited to 20 characters regardless of what the AD schema says, probably because the pre-Windows 2000 logon scheme (that is, domain\username) has to maintain backwards compatibility with the NT world. Think about crossing downlevel domain trusts, applications that do not understand Kerberos, NTLM authentication, and such.

    Groups do not have that 20 characters limitation, as groups do not log on. I guess the 64 characters in MMCs is somewhat related to mailNickname generation for DLs. Longer sAMAccountName values for groups will need to be truncated for mailNickname generation.

    Some time ago I gathered some details when trying to provision to ADAM and faced similar issues, at http://blogs.technet.com/b/juanand/archive/2009/05/12/things-to-consider-when-provisioning-to-ad-adam.aspx

    HTH.

    Thursday, December 13, 2012 10:10 AM
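As an added example (not code from the thread, from MIIS, or from any of the posters), the Python below is a stand-in for the kind of check a provisioning rule would run before an export reaches the AD connector: it applies the limits the replies describe (20 characters for user sAMAccountName, the schema's 256 for groups, 64 for cn/name) and derives a user name that fits the SAM rule; the given.surname naming convention and the sample names are assumptions.

```python
# Added example (not from the thread): enforce the length rules the replies
# describe before an export reaches the AD connector. The given.surname
# naming convention below is an assumption, not something the thread states.
from typing import Set

SAM_USER_MAX = 20    # SAM rule for user logon names (per the thread)
SCHEMA_MAX = 256     # schema upper range for sAMAccountName (per the thread)
CN_MAX = 64          # default schema limit for cn / name (per Daniel's post)


def sam_length_limit(object_class: str) -> int:
    """Length cap that applies to sAMAccountName for a given object class."""
    return SAM_USER_MAX if object_class.lower() == "user" else SCHEMA_MAX


def validate_sam_account_name(name: str, object_class: str) -> bool:
    """True if `name` is non-empty and within the cap for `object_class`."""
    return 0 < len(name) <= sam_length_limit(object_class)


def validate_cn(cn: str) -> bool:
    """True if a cn/name value fits the default 64-character schema limit."""
    return 0 < len(cn) <= CN_MAX


def provision_user_sam(given: str, surname: str, existing: Set[str]) -> str:
    """Build a user sAMAccountName that fits the 20-character SAM rule.

    Truncates the convention-derived base to 20 characters and, on a
    collision with `existing`, appends a numeric suffix while keeping the
    total length at or under 20. Matching is case-insensitive, because
    SAM account names are not case-sensitive.
    """
    base = f"{given}.{surname}".lower().replace(" ", "")
    taken = {e.lower() for e in existing}
    candidate = base[:SAM_USER_MAX]
    n = 1
    while candidate in taken:
        n += 1
        suffix = str(n)
        candidate = base[:SAM_USER_MAX - len(suffix)] + suffix
    return candidate


if __name__ == "__main__":
    # Constructed sample input: a name long enough to have failed the export.
    print(provision_user_sam("Bartholomew", "Featherstonehaugh", set()))
```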