0 votes

Hello,

We are currently allowing users to submit requests for new user accounts within the domain. By default, the logon name is being formatted as %firstname%.%lastname%

However, this is causing problems when creating users with names that exceed the 20 character limit for the pre-Windows-2000 user logon name.

Is there a way to work around this?

by (480 points)

1 Answer

0 votes
by (270k points)

Hello,

The restriction comes from Active Directory and is not related to Adaxes. To prohibit creating new accounts with usernames longer than 20 characters, you can set the corresponding restriction in your Property Pattern for the Logon Name property.

0

Hello,

I wanted to circle back on this question. Is there a way to take the user input and truncate the username to be 20 characters instead?

Using the method you suggested just prevents users from creating the user accounts altogether if the name is too long.

0

Hello,

It can be done using a PowerShell script in a business rule triggering Before creating a user. For details, have a look at the following tutorial: https://www.adaxes.com/tutorials_SimplifyingDataEntry_ValidateModifyUserInputWithScript.htm. If you have issues writing the script yourself, please specify what should be done when the truncated username is not unique. Live examples will be much appreciated.

0

Hello, thanks for providing that link. I'm still a little unsure how I should proceed though. Would you mind giving a little more detail?

Here's the scenario. We are trying to create the following user using the self service user account creation wizard in Adaxes -

First Name: Thisisaverylongfirstname

Last Name: Thisisaverylonglastname

However when we attempt to create a user with a long name it causes a failure when Adaxes attempts to create the Logon Name (SAMAccountName) because it exceeds the 20 character limit imposed by Windows.

Here are the property pattern settings for our users -

Obviously this is failing because we are trying to make the logon name the %firstname%.%lastname% which will fail in instances where the user's name exceeds the 20 character limit.

Is there a way to truncate the LogonName value to the first 20 characters of a user's first+lastname in instances where they would exceed the 20 character limit?

So essentially we would need some sort of Business Rule that examines the user's first and last name input values and creates a new shorter logon name if the default logon name will exceed the 20 character limit. Is this possible?

So essentially instead of the Pre-2000 Windows Logon name for this user being

DOMAIN\Thisisaverylongfirstname.Thisisaverylonglastname

it would be

DOMAIN\Thisisaverylongfirst

Thanks,

0

Hello,

Yes, as we mentioned above, it can be done using a PowerShell script in a business rule triggering Before creating a user. However, applying just the truncation might not work. The thing is that usernames stored in the Logon Name (LDAP name sAMAccountName) property must be unique. This requirement comes from AD, not Adaxes. For us to provide you with the script, please specify what should be done if, after truncating the username to 20 characters, it is still not unique. Maybe a different approach for generating the value should be used?

0

Hello,

Thank you for the response. Given the size of our environment, I believe that truncating the username to 20 characters should be sufficient for 99% of our use cases. I do see your point however.

In the event that a duplicate username is found, would it be possible to truncate the username to 18 characters + 2 random numbers at the end?

For example -

If we had two users in our system called

"thisisaverylongfirstname"

The users' SAM account names would be as follows -

DOMAIN\thisisaverylongfi32

DOMAIN\thisisaverylongfi14

This has me thinking now though - How do most other environments solve this problem? Am I making it more complicated than it needs to be?

0

Hello,

would it be possible to truncate the username to 18 characters + 2 random numbers at the end

Yes, it is possible.

How do most other environments solve this problem?

There is no common practice that would work for everybody, as all environments are unique and have their own requirements. At the same time, one of the often-used practices is to initially have the username generated as the first character of the first name plus the last name. In case the username is not unique, digits or more characters from the first name are added.

0

Can you provide me with the script required to truncate the SAMAccount Name to 20 characters? Looking through some users in our environment and I don't anticipate running into any issues. In the event that we have a duplicate in the future we can just manually intervene and create it on the AD domain controller directly. Thanks!

0

Hello,

Find the script below. As we mentioned above, it should be executed in a business rule triggering Before creating a user.

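# Get username
$currentValue = $Context.GetModifiedPropertyValue("sAMAccountName")

# Truncate username to 20 characters.
# Substring(0, 20) throws on values shorter than 20 characters, so check the length first.
if ($currentValue -and $currentValue.Length -gt 20)
{
    $newValue = $currentValue.Substring(0, 20)
    $Context.SetModifiedPropertyValue("sAMAccountName", $newValue)
}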
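The collision fallback discussed earlier in the thread (18 characters plus two random digits), as an added example that is not part of the original answer and is not Adaxes code. The function name `New-TruncatedLogonName` and the `$IsTaken` uniqueness check are hypothetical; in a business rule the check would query the directory and the result would be passed to `SetModifiedPropertyValue`. Existing accounts are simulated with a constructed in-memory set so the logic runs offline.

```powershell
# Added example: hypothetical helper, not taken from Adaxes or from the forum thread.
function New-TruncatedLogonName {
    param(
        [Parameter(Mandatory)] [string] $Candidate,     # e.g. "firstname.lastname"
        [Parameter(Mandatory)] [scriptblock] $IsTaken,  # hypothetical check: returns $true if the name exists
        [int] $MaxLength = 20,                          # sAMAccountName limit discussed in the thread
        [int] $MaxAttempts = 50                         # bound the retries instead of looping forever
    )

    # Truncate only when needed; Substring throws on shorter input.
    $name = $Candidate
    if ($name.Length -gt $MaxLength) { $name = $name.Substring(0, $MaxLength) }

    # Cutting "first.last" at a fixed position can leave a trailing period,
    # which AD does not accept as the final character of a logon name.
    $name = $name.TrimEnd('.')
    if (-not (& $IsTaken $name)) { return $name }

    # Collision: keep (MaxLength - 2) characters and append two random digits.
    # Only 100 suffixes exist per stem, so a busy stem can run out.
    $stemLength = [Math]::Min($name.Length, $MaxLength - 2)
    $stem = $name.Substring(0, $stemLength).TrimEnd('.')
    for ($i = 0; $i -lt $MaxAttempts; $i++) {
        $suffix  = '{0:D2}' -f (Get-Random -Minimum 0 -Maximum 100)
        $attempt = "$stem$suffix"
        if (-not (& $IsTaken $attempt)) { return $attempt }
    }
    throw "No unique logon name found for '$Candidate' after $MaxAttempts attempts."
}

# Constructed sample data standing in for accounts that already exist.
# sAMAccountName comparisons are case-insensitive, so the set is too.
$existing = [System.Collections.Generic.HashSet[string]]::new(
    [System.StringComparer]::OrdinalIgnoreCase)
[void]$existing.Add('Thisisaverylongfirst')
$check = { param($n) $existing.Contains($n) }

# Long name whose 20-character truncation is already taken: falls back to stem + 2 digits.
New-TruncatedLogonName -Candidate 'Thisisaverylongfirstname.Thisisaverylonglastname' -IsTaken $check

# Short name: returned unchanged.
New-TruncatedLogonName -Candidate 'jane.doe' -IsTaken $check
```

The check and the later account creation are not atomic, so the create operation can still fail on a duplicate if two requests race; handle that failure rather than relying on the pre-check alone.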
