Max Length of AD Names for Security

  • The reason I ask is because I'm currently using a VBS script that I found that interrogates the same AD data as NET USER and NET GROUP. Both of those commands truncate user and group names at 20 characters, just as you say. But the VBS has returned much longer names from AD for me.

    Yeah, AD doesn't have the limitation; it's only with the SQL components. So the problem is that if you have two descriptive group names as mentioned before, one with _read and one with _write, they would both truncate when being added to SQL before the underscore, and therefore the second one would fail creation in SQL.

    Everything I've read says it's an outdated (pre-2000) standard that Microsoft hasn't seen fit to fix.

    We had to come up with an abbreviated standard to use in order to get our security plan in place.

    3 character unique server abbreviation

    Underscore

    Up to 14 characters for DB name

    Underscore

    1 character for function (read/write/execute)

    Example:

    SER_LongDatabaseNm_R

    SER_LongDatabaseNm_W

    SER_LongDatabaseNm_X

    Owner & Principal SQL Server Consultant
    Im Your DBA, Inc.
    https://www.imyourdba.com/

  • Perry Whittle (11/6/2014)


    SQLJocky (11/6/2014)


    ...if you enter the entire login to the "Z" on the service account, it will fail.

    Yes of course how silly of me, you make no reference to service accounts here!!

    My mistake. That was a typo...should have referenced security group...but the complaint still stands with "service accounts" as well. Any AD object (account or group) is truncated at 20 characters after the "\".

    Owner & Principal SQL Server Consultant
    Im Your DBA, Inc.
    https://www.imyourdba.com/

  • SQLJocky (11/6/2014)


    Perry Whittle (11/6/2014)


    SQLJocky (11/6/2014)


    ...if you enter the entire login to the "Z" on the service account, it will fail.

    Yes of course how silly of me, you make no reference to service accounts here!!

    My mistake. That was a typo...should have referenced security group...but the complaint still stands with "service accounts" as well. Any AD object (account or group) is truncated at 20 characters after the "\".

    I'm just not having such a problem. I have AD accounts and groups that are well over 20 characters. Like I said, things like NET GROUP and NET USER truncate them, but that's just leftovers from the ol' Lan Manager days.

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.


    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)

  • SQLJocky (11/6/2014)


    Any AD object (account or group) is truncated at 20 characters after the "\".

    This is what I see on my Windows 2012 server running SQL Server 2014.

    What OS and SQL Server version are you using?

    -----------------------------------------------------------------------------------------------------------

    "Ya can't make an omelette without breaking just a few eggs" 😉

  • the 20 characters limit rings a bell, but only for Reporting Server service accounts !

    Johan

    Learn to play, play to learn !

    Don't drive faster than your guardian angel can fly ...
    but keeping both feet on the ground won't get you anywhere :w00t:

    - How to post Performance Problems
    - How to post data/code to get the best help

    - How to prevent a sore throat after hours of presenting ppt

    press F1 for solution, press shift+F1 for urgent solution 😀

    Need a bit of Powershell? How about this

    Who am I ? Sometimes this is me but most of the time this is me

  • What OS and SQL Server version are you using?

    Very interesting. I've tried it on multiple environments (2005, 2008R2, 2012)...the one I'm referencing here was tested on Windows Server 2008R2 Enterprise and SQL Server 2012 SP1 Enterprise. And I've seen a lot of other postings with people experiencing the same thing...but I do have a faint memory of not having this problem at a previous employer years ago.

    So if neither you nor Jeff are seeing the same behavior, it would lead me to wonder if it's not something in the implementation of AD...a version, a setting, how the account was created, etc. I may work with our AD admin to see if we can narrow it down from that angle. Thank you both for sharing your experiences on the matter, and I apologize for the curtness of my previous post...was frustrated at that moment. 🙂

    Owner & Principal SQL Server Consultant
    Im Your DBA, Inc.
    https://www.imyourdba.com/

  • Interesting discussion on the maximum login lengths. My experience:

    You can create an AD Login of any size up to the max allowed.

    However, if two AD logins have the identical first 20 characters, SQL Server will always choose only one of the two accounts. E.g.

    Domain\IAmAMeaningfulNameSpace has READ rights to the EveryoneAtWork table.

    Domain\IAmAMeaningfulNameSponsor has CHANGE rights to the EveryoneAtWork table.

    So, if Domain\IAmAMeaningfulNameSpace wins the lottery for the IAmAMeaningfulNameSp token, then Domain\IAmAMeaningfulNameSponsor will not be able to change the EveryoneAtWork table.

    Can someone ELSE verify this behavior?
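    A T-SQL check that a DBA could run to look for the collision described above and to validate names against the abbreviated standard proposed earlier in the thread (3-letter server code, underscore, up to 14 characters of DB name, underscore, one function letter). This is an added example, not code from any post in this thread; it reads only sys.server_principals, the candidate names are constructed for illustration, and the 20-character cut-off is taken as the thread states it rather than verified here.

```sql
-- Added example (not from the thread). Uses only sys.server_principals and
-- string functions available since SQL Server 2005.

-- 1. Windows logins/groups whose part after "DOMAIN\" exceeds 20 characters
--    and that would share a name with another principal if SQL Server kept
--    only the first 20 characters (the behaviour reported in the thread).
WITH WinPrincipals AS (
    SELECT  name,
            type_desc,
            LEFT(name, CHARINDEX('\', name))               AS domain_part,   -- "DOMAIN\"
            SUBSTRING(name, CHARINDEX('\', name) + 1, 128) AS account_part   -- after the "\"
    FROM    sys.server_principals
    WHERE   type IN ('U', 'G')                -- WINDOWS_LOGIN, WINDOWS_GROUP
      AND   CHARINDEX('\', name) > 0
),
Truncated AS (
    SELECT  name,
            type_desc,
            LEN(account_part)                    AS account_len,
            domain_part + LEFT(account_part, 20) AS truncated_name
    FROM    WinPrincipals
)
SELECT  a.name           AS principal_1,
        b.name           AS principal_2,
        a.truncated_name AS shared_20_char_name
FROM    Truncated AS a
JOIN    Truncated AS b
  ON    a.truncated_name = b.truncated_name
 AND    a.name < b.name                        -- report each pair once
WHERE   a.account_len > 20 OR b.account_len > 20
ORDER BY a.truncated_name;

-- 2. Validate candidate group names against the abbreviated standard.
--    LEN(name) <= 20 with the fixed 3 + 1 + 1 + 1 characters leaves at most
--    14 characters for the DB name, so no separate DB-length test is needed.
DECLARE @candidates TABLE (name sysname);
INSERT INTO @candidates (name) VALUES
    ('SER_LongDatabaseNm_R'),        -- conforms, exactly 20 characters
    ('SER_LongDatabaseNm_W'),        -- conforms
    ('SER_LongDatabaseName_R'),      -- 22 characters: DB part too long
    ('SERVER_Db_R'),                 -- server code is 6 characters, not 3
    ('SER__R'),                      -- empty DB name
    ('SER_Db_Q');                    -- Q is not a recognised function letter

SELECT  name,
        CASE WHEN LEN(name) <= 20
              AND name LIKE '[A-Z][A-Z][A-Z][_][^_]%[_][RWX]'  -- [_] is a literal underscore
              AND name NOT LIKE '%[_]%[_]%[_]%'                 -- no third underscore
             THEN 'OK' ELSE 'REJECT' END AS verdict,
        LEFT(name, 20)               AS first_20_chars
FROM    @candidates;
```

    The first query returns no rows on an instance with no colliding prefixes, which is the result you want; the second flags every constructed name except the two SER_LongDatabaseNm_* entries. Under a case-insensitive server collation the [A-Z] ranges also accept lowercase letters, so add a COLLATE clause if the standard is meant to be case-sensitive.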
