Resolution
Directory and Resource Administrator 6.x
fact
Directory and Resource Administrator 7.x
symptom
The '$userNameLengthPolicy' looks at the 'CN' of a user as well as the 'SamAccountname' instead of using the 'UPN prefix'.
symptom
When setting the '$userNameLengthPolicy' to be X number of characters for Maximum Name length, the CN of a user is used to determine compliance.
cause
The documentation is incorrect when detailing what properties this policy validates.
fix
The documentation for the $UserNameLengthPolicy reads, "Limits the number of characters in the user logon name or the downlevel logon name". When looking at the GUI, the User Logon name maps to the UPN suffix and the downlevel logon name maps to the SamAccountName.
However, if you set the policy to 8 characters for both Maximum name length and SamAccount name length, and then create a user whose UserLogonName and SamAccountName are each less than 8 characters but whose CN is more than 8 characters, the policy fails and the account is not created.
If you wish to validate the UPN and the SamAccountName only, you can work around this by creating two validation policies like the following:
To validate the UPN for 8 characters maximum:
?@*, ??@*, ???@*, ????@*, ?????@*, ??????@*, ???????@*, ????????@*
To validate the SamAccountName for 8 characters maximum:
- Create a custom policy to validate a specific property.
- Select (class) User and (property) SamAccountName.
- Specify the following format mask:
?, ??, ???, ????, ?????, ??????, ???????, ????????
- You might consider adding the following sentence to the error message so that administrators will know what the error is: "The SamAccountname must be 8 characters or less."
- Continue with the policy wizard.
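The following PowerShell is an added example, not part of the original article or of the product: it builds the comma-separated mask list for any maximum length and pre-checks candidate values against it, showing that a long CN does not affect the result. The function names and sample accounts are hypothetical, and it assumes '?' matches exactly one character and '*' matches any run of characters, which is how the masks above read.

```powershell
# Added example. Assumption: '?' = exactly one character, '*' = any run of
# characters, as the masks in this article imply.

function New-LengthMask {
    param(
        # Reject 0 or negative values: 1..0 in PowerShell counts down (1, 0).
        [Parameter(Mandatory)][ValidateRange(1, [int]::MaxValue)][int]$MaxLength,
        [string]$Suffix = ''   # '@*' for a UPN mask, empty for SamAccountName
    )
    $masks = foreach ($n in 1..$MaxLength) { ('?' * $n) + $Suffix }
    $masks -join ', '
}

function Test-LengthMask {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Value,
        [Parameter(Mandatory)][string]$MaskList
    )
    # The value passes if it matches any one mask in the list.
    foreach ($mask in ($MaskList -split ',\s*')) {
        if ($Value -like $mask) { return $true }
    }
    return $false
}

$upnMask = New-LengthMask -MaxLength 8 -Suffix '@*'   # ?@*, ??@*, ... ????????@*
$samMask = New-LengthMask -MaxLength 8                # ?, ??, ... ????????

# Constructed sample accounts (not real data).
$samples = @(
    [pscustomobject]@{ CN = 'Jonathan Q. Smithers'; Sam = 'jsmith';      Upn = 'jsmith@example.test' }
    [pscustomobject]@{ CN = 'Ann Lee';              Sam = 'annlee123456'; Upn = 'annlee@example.test' }
    [pscustomobject]@{ CN = 'Bob Ray';              Sam = 'bray';        Upn = 'robert.ray@example.test' }
)

foreach ($s in $samples) {
    [pscustomobject]@{
        CN       = $s.CN
        CNLength = $s.CN.Length      # shown for comparison only; not validated
        SamOk    = Test-LengthMask -Value $s.Sam -MaskList $samMask
        UpnOk    = Test-LengthMask -Value $s.Upn -MaskList $upnMask
    }
}
```

The first sample passes both checks despite its 20-character CN, while the second fails on SamAccountName and the third on the UPN prefix.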
An enhancement request has been submitted to clarify in the documentation which properties this policy validates.