Dynamic Local User is unable to authenticate if the user name is longer than 20 characters

  • 7012860
  • 16-Jul-2013
  • 26-Oct-2015

Environment

Novell ZENworks Configuration Management 11.2 Authentication

Situation

DLU authentication fails if the user name is longer than 20 characters.
A DLU account cannot be created if the user name is longer than 20 characters.

Resolution

This is a Windows limitation.

The SAM-Account-Name attribute (also known as the pre–Windows 2000 user logon name) is limited to 256 characters in the schema. However, for the purpose of backward compatibility the limit is 20 characters. 

Additional Information

http://technet.microsoft.com/en-us/library/active-directory-maximum-limits-scalability(v=ws.10).aspx#BKMK_FQDN

For more information, see SAM-Account-Name Attribute 

The 20-character limit on user names comes from the Windows operating system itself and has nothing to do with ZENworks.


The link below describes this Windows operating system restriction.


http://serverfault.com/questions/105142/windows-server-2008-r2-change-the-maximum-username-length

 

Although it refers to Windows 2008, the restriction also applies to Windows 7. It can be confirmed by creating a user manually under Computer Management -> Local Users and Groups -> Users -> New User: the dialog does not accept more than 20 characters for the user name.

 

The following trace shows that although the entire user name (more than 20 characters) is passed, Windows fails to create the user.

 

[DEBUG] [10/12/2015 10:31:14.360] [1276] [ZenworksWindowsService] [50] [Mustermann-TesteMaximilian] [dlu policy] [] [User Account creation failed for : Mustermann-TesteMaximilian, retValue : 2202] [] [] [] [ZENworks Agent]
[DEBUG] [10/12/2015 10:31:14.392] [1276] [ZenworksWindowsService] [50] [Mustermann-TesteMaximilian] [dlu policy] [] [Exception in ApplyPolicies :
Exception Details: User creation fails

 

The ZENworks DLU handler internally uses the NetUserAdd function to add a new user to the computer.

 

https://msdn.microsoft.com/en-us/library/windows/desktop/aa370649%28v=vs.85%29.aspx

 

The documentation for this function clearly states that account names are limited to 20 characters (user account names are limited to 20 characters and group names are limited to 256 characters).
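
To find affected users in an agent log, the trace shown above can be matched and the user name length checked against the 20-character limit. The script below is an added example, not ZENworks or Novell code; the function name, the record fields and the second and third sample lines are assumptions made for illustration.

```python
import re

MAX_USER_NAME_LEN = 20      # account-name limit stated on this page
NERR_BAD_USERNAME = 2202    # NERR_BadUsername in the Windows SDK header lmerr.h

# "[LEVEL] [timestamp]" fields that start each agent log line.
PREFIX_RE = re.compile(r"^\[(?P<level>[A-Z]+)\] \[(?P<ts>[^\]]+)\]")
# Message field of the failure trace shown above.
FAILURE_RE = re.compile(
    r"\[User Account creation failed for : (?P<user>.+?), retValue : (?P<code>\d+)\]"
)


def find_dlu_failures(lines):
    """Return one record per failed DLU account creation in the given log lines."""
    findings = []
    for line in lines:
        failure = FAILURE_RE.search(line)
        if failure is None:
            continue
        prefix = PREFIX_RE.match(line)
        user = failure.group("user")
        code = int(failure.group("code"))
        over_limit = len(user) > MAX_USER_NAME_LEN
        findings.append({
            "timestamp": prefix.group("ts") if prefix else None,
            "user": user,
            "length": len(user),
            "ret_value": code,
            "over_limit": over_limit,
            # Only blame the length limit when both signals agree.
            "length_limit_hit": over_limit and code == NERR_BAD_USERNAME,
        })
    return findings


# Constructed sample: line 1 is the trace from this article; lines 2 and 3 are
# made up (hypothetical user names and messages) to show the non-matching cases.
SAMPLE_LOG = [
    "[DEBUG] [10/12/2015 10:31:14.360] [1276] [ZenworksWindowsService] [50] [Mustermann-TesteMaximilian] [dlu policy] [] [User Account creation failed for : Mustermann-TesteMaximilian, retValue : 2202] [] [] [] [ZENworks Agent]",
    "[DEBUG] [10/12/2015 10:32:02.101] [1276] [ZenworksWindowsService] [50] [jdoe] [dlu policy] [] [User Account creation failed for : jdoe, retValue : 2224] [] [] [] [ZENworks Agent]",
    "[DEBUG] [10/12/2015 10:32:05.442] [1276] [ZenworksWindowsService] [50] [asmith] [dlu policy] [] [Policy applied] [] [] [] [ZENworks Agent]",
]

if __name__ == "__main__":
    for f in find_dlu_failures(SAMPLE_LOG):
        verdict = "exceeds the 20-character limit" if f["length_limit_hit"] else "other cause"
        print(f'{f["timestamp"]}  {f["user"]} ({f["length"]} chars, retValue {f["ret_value"]}): {verdict}')
```
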