Windows 2008 R2 Username length
Hi,
I have a Windows 2008 R2 Domain and I recently created a user which exceeds 20 characters in length. We follow the standard of First_Last and this particular user totals 21 characters. My environment includes Windows 2003, XP, and Windows 7. I was under the impression that the 20 character limit was for pre-2000 machines. However, I tried logging in to a Windows 7 machine and it wouldn't let me until I dropped the username to 20 characters.
Any way to work around this? I would think Win2008 R2 would be able to do longer usernames.
Let me know. Thanks
March 1st, 2011 10:03pm
The sAMAccountName (pre-Windows 2000 logon name) is limited to 20 characters for user objects. The maximum length has not changed. Some other classes of objects, like groups, can have longer sAMAccountNames. How did you create a user with more than 20 characters in the sAMAccountName? The Common Name (value of the cn attribute) can be much longer.
Richard Mueller, MVP ADSI
March 2nd, 2011 12:46am
Hi,
When I said I created a username with 21 characters, I meant that's what shows under User Logon name next to the @domainname.internal
This username was cut off at 20 characters in the User Logon Name (pre-Windows 2000) field.
I was able to log in to a Windows 7 workstation using the 21 character username in the full username@domainname.internal format, but I don't think it behaves properly, since I have folder redirection applied and it didn't do it when I logged in using this format.
Folder redirection is applied correctly when I log in using the 20 character username.
Like you said, it looks like the sAMAccountName cannot be longer than 20... I just wanted to double check since it seems kind of limited for 2008... I understand the backwards compatibility but I was hoping that there was something similar to raising the domain functional level on a domain controller that would unlock certain features by dropping backwards compatibility.
March 3rd, 2011 8:50am
Ah. All of the name attributes in AD get confusing. The User Logon name is actually the User Principal name. A user can log on either with their user principal name or their "pre-Windows 2000 logon" name. If you use the user principal name, you must include the DNS suffix, for example:
username@domainname.internal
If you use the "pre-Windows 2000 logon" name you can log on with just that name, assuming the logon dialog is pointed to your domain. If not, you can log on with DomainName\userid, where DomainName is the NetBIOS name of the domain and userid is the "pre-Windows 2000 logon" name. I forget the length restrictions for the user principal name, but it can be much longer. If no value is assigned for the user principal name, you can use the "pre-Windows 2000 logon" name instead, for example DomainName\userid. Does this help?
Richard Mueller, MVP ADSI
March 3rd, 2011 4:02pm
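An added example, not part of the thread: a PowerShell audit that lists accounts whose user principal name prefix no longer matches the "pre-Windows 2000 logon" name, which is the situation described above when a 21-character name is cut to 20. The function name `Get-LogonNameMismatch` and the sample accounts are constructed for illustration; the 20-character limit and the `domainname.internal` suffix come from the thread.

```powershell
# Added example: report users whose UPN prefix differs from sAMAccountName.
# Input objects only need SamAccountName and UserPrincipalName properties,
# which Get-ADUser (ActiveDirectory module) returns by default.
function Get-LogonNameMismatch {          # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User,
        [int]$MaxSamLength = 20           # user-object limit stated in the thread
    )
    process {
        $upn = [string]$User.UserPrincipalName
        $at  = $upn.LastIndexOf('@')
        if ($at -lt 1) { return }         # no UPN assigned: only DomainName\userid works
        $prefix = $upn.Substring(0, $at)
        $sam    = [string]$User.SamAccountName
        if ($prefix -ieq $sam) { return } # both logon names agree, nothing to report
        [pscustomobject]@{
            SamAccountName  = $sam
            UpnPrefix       = $prefix
            UpnPrefixLength = $prefix.Length
            OverSamLimit    = $prefix.Length -gt $MaxSamLength
            # True when the sAMAccountName is simply the UPN prefix cut short
            LooksTruncated  = $prefix.StartsWith($sam, [StringComparison]::OrdinalIgnoreCase)
        }
    }
}

# Constructed sample accounts so the script runs without a domain controller.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'Alexandria_Montgomer'   # 20 characters
                       UserPrincipalName = 'Alexandria_Montgomery@domainname.internal' }
    [pscustomobject]@{ SamAccountName = 'Sam_Lee'
                       UserPrincipalName = 'Sam_Lee@domainname.internal' }
    [pscustomobject]@{ SamAccountName = 'svc_backup'
                       UserPrincipalName = $null }
)

$sample | Get-LogonNameMismatch | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
#   Get-ADUser -Filter * | Get-LogonNameMismatch
```

Only the first sample account is reported. Accounts flagged this way have two different logon strings, so any script, share path or policy keyed on the short name should be checked against both.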
Thanks for your reply
I understand I can log on as username@domainname.internal.... but folder redirection didn't work after that.
So, I just told the user to use the truncated username to log in since it's less typing and folder redirection works.
March 4th, 2011 3:36pm


