The '$userNameLengthPolicy' looks at the 'CN' of a user as well as the 'SamAccountname' instead of using the 'UPN prefix' (NETIQKB36690)

  • 7736690
  • 02-Feb-2007
  • 19-Jun-2007

Resolution

fact
Directory and Resource Administrator 6.x

fact
Directory and Resource Administrator 7.x

symptom
The '$userNameLengthPolicy' looks at the 'CN' of a user as well as the 'SamAccountname' instead of using the 'UPN prefix'.

symptom
When the '$userNameLengthPolicy' is set to X characters for Maximum Name length, the CN of a user is used to determine compliance.

cause

The documentation is incorrect when detailing what properties this policy validates.



fix

The documentation for the $UserNameLengthPolicy reads, "Limits the number of characters in the user logon name or the downlevel logon name". In the GUI, the User Logon name maps to the UPN suffix and the downlevel logon name maps to the SamAccountName.

However, if you set the policy to 8 characters for both Maximum name length and SamAccount name length, and then create a user whose UserLogonName and SamAccountName are each less than 8 characters but whose CN is more than 8 characters, the policy fails and the account is not created.

If you wish to validate only the UPN and the SamAccountName, you can work around this by creating two validation policies like the following:

To validate the UPN for 8 characters maximum:

  1. Create a custom policy to validate a specific property.
  2. Select (class) User and (property) UserPrincipalName.
  3. Specify the following format mask:

    ?@*, ??@*, ???@*, ????@*, ?????@*, ??????@*, ???????@*, ????????@*
  4. You might consider adding to the error message the following sentence so that administrators will know what the error is: "The user logon name must be 8 characters or less."
  5. Continue with the policy wizard.

To validate the SamAccountName for 8 characters maximum:

  1. Create a custom policy to validate a specific property.
  2. Select (class) User and (property) SamAccountName.
  3. Specify the following format mask:

    ?, ??, ???, ????, ?????, ??????, ???????, ????????
  4. You might consider adding to the error message the following sentence so that administrators will know what the error is: "The SamAccountname must be 8 characters or less."
  5. Continue with the policy wizard. 
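
An added example (not part of the original article and not DRA code) that generates both mask lists for a given maximum length and checks constructed sample accounts against them, showing that only the UPN and SamAccountName are evaluated. It assumes `?` matches exactly one character and `*` matches zero or more characters; the function names and sample accounts are hypothetical.

```python
import re

def build_masks(max_len, tail=""):
    """Mask list for 1..max_len characters, with an optional tail such as '@*'."""
    return ["?" * n + tail for n in range(1, max_len + 1)]

def mask_to_regex(mask):
    # Assumed semantics: '?' = exactly one character, '*' = zero or more characters.
    parts = {"?": ".", "*": ".*"}
    return re.compile("".join(parts.get(ch, re.escape(ch)) for ch in mask), re.DOTALL)

def complies(value, masks):
    """True when the whole value matches at least one mask in the list."""
    return any(mask_to_regex(m).fullmatch(value) for m in masks)

UPN_MASKS = build_masks(8, "@*")   # prefix of 1..8 characters, then '@' and anything
SAM_MASKS = build_masks(8)         # 1..8 characters in total

def check_user(user):
    """Evaluate only the two properties the custom policies validate; CN is ignored."""
    return {
        "UserPrincipalName": complies(user["UserPrincipalName"], UPN_MASKS),
        "SamAccountName": complies(user["SamAccountName"], SAM_MASKS),
    }

# Constructed sample accounts (not real directory data).
SAMPLE_USERS = [
    {"CN": "Jonathan Q. Example", "SamAccountName": "jexample",
     "UserPrincipalName": "jexample@corp.example"},       # long CN, both names short
    {"CN": "Ann Lee", "SamAccountName": "annlee123",
     "UserPrincipalName": "annlee@corp.example"},         # 9-character SamAccountName
    {"CN": "Bo Wu", "SamAccountName": "bowu",
     "UserPrincipalName": "bo.wu.admin@corp.example"},    # 11-character UPN prefix
]

if __name__ == "__main__":
    print(", ".join(UPN_MASKS))
    print(", ".join(SAM_MASKS))
    for u in SAMPLE_USERS:
        print(u["CN"], check_user(u))
```

Because each list starts at one character, an empty SamAccountName or a UPN with nothing before the `@` also fails validation.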

An Enhancement Request has been submitted to clarify in the documentation which properties this policy validates.



Additional Information

Formerly known as NETIQKB36690