Re: sAMAccountName

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 11/23/04


Date: Tue, 23 Nov 2004 14:53:11 -0600

There are a bunch of hard-coded rules in AD that are enforced to allow it to
work the way it needs to, and these often go beyond what the schema is
capable of expressing. For example, objectSID is required for all security
principals, but you don't set that yourself either.

Additionally, some of the attributes can only contain a narrow range of
values, but the schema itself can't express that. For example,
sAMAccountName has to be unique on the domain and is limited to 20
characters for users and 64 for groups and a very narrow range of characters,
but the schema suggests that it can be any string between 1 and 64 characters.

ADAM tends to be more "pure" with the schema, but it also does some things
like this under the hood to support the directory logic.

Joe K.

"Nick" <me@privacy.net> wrote in message
news:OL045fY0EHA.3120@TK2MSFTNGP12.phx.gbl...
> Joe Kaplan (MVP - ADSI) wrote:
>> This is a feature of Win2K3, so any API will allow you to do the same
>> thing. If you don't specify sAMAccountName, it is created for you by the
>> directory. In Win2K AD, an error is returned instead. The underlying
>> ADSI API isn't doing anything special though.
>>
>> Am I answering your question?
>>
>> Joe K.
>
> Yes Joe.
>
> MSDN says...
>
> "Beginning with Windows Server 2003, sAMAccountName is an optional
> attribute. The server will create a random sAMAccountName value if none is
> specified."
>
> I still wonder why the schema shows the attribute as mandatory!
>
> Cheers,
>
> Nick vW
>
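
Added example, not part of the original thread: a client-side pre-check that contrasts the 1-to-64 string range the post says the schema suggests with the directory-enforced rules it mentions (20 characters for users, 64 for groups, domain-wide uniqueness). The forbidden-character set is the one Microsoft documents for sAMAccountName; the function names, the case-insensitive uniqueness comparison and the sample names are assumptions constructed for illustration.

```python
# Schema view, as described in the post: any string of 1 to 64 characters.
SCHEMA_RANGE = (1, 64)
# Directory-enforced length limits, as stated in the post.
SAM_MAX_LEN = {"user": 20, "group": 64}
# Characters Microsoft documents as invalid in sAMAccountName.
FORBIDDEN_CHARS = set('"/\\[]:;|=,+*?<>')


def schema_accepts(name):
    """True if the name fits the range the schema advertises."""
    lo, hi = SCHEMA_RANGE
    return lo <= len(name) <= hi


def directory_rule_violations(name, object_class, existing_names):
    """Return the enforced rules that the name would break."""
    problems = []
    limit = SAM_MAX_LEN[object_class]
    if len(name) > limit:
        problems.append(f"longer than {limit} characters for a {object_class}")
    bad = sorted(set(name) & FORBIDDEN_CHARS)
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    # Assumption: uniqueness is compared without regard to case.
    if name.casefold() in {n.casefold() for n in existing_names}:
        problems.append("not unique in the domain")
    return problems


def schema_gap(candidates, existing_names):
    """Names the schema range accepts but the enforced rules reject."""
    gap = {}
    for name, object_class in candidates:
        problems = directory_rule_violations(name, object_class, existing_names)
        if schema_accepts(name) and problems:
            gap[name] = problems
    return gap


# Constructed sample data, not taken from any real directory.
EXISTING = ["JSmith", "Domain Admins"]
CANDIDATES = [
    ("jsmith", "user"),
    ("a.very.long.service.account", "user"),
    ("ops:admins", "group"),
    ("helpdesk", "group"),
]

if __name__ == "__main__":
    for name, problems in schema_gap(CANDIDATES, EXISTING).items():
        print(f"{name}: {'; '.join(problems)}")
```

Running the check before a create or rename call surfaces these rejections in the provisioning tool instead of as a server-side constraint error.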


