Question
I'm trying to programmatically create a new Active Directory user, setting the sAMAccountName attribute to a value larger than 20 chars.
When I call DirectoryEntry.CommitChanges(), I get the error:
00000523: SysErr: DSID-031A0FB6, problem 22 (Invalid argument), data 0
If I try to create a new user setting the sAMAccountName smaller than 20 chars, everything works.
Before someone says that the limit of the sAMAccountName is 20 chars, I want to point out that if I try to create the same user having the sAMAccountName more than 20 chars using the Windows tool "Active Directory Users and Computers", everything works. I can see the new entry in AD using the LDP tool, and the entry has the sAMAccountName with more than 20 chars.
Why can't I create the user programmatically using .NET?
Below is the code I'm using:
    Imports System.DirectoryServices

    ' Bind to the Users container with explicit credentials.
    Using objDirEnt As DirectoryEntry = New DirectoryEntry("LDAP://my.domain.com/cn=Users,dc=my,dc=domain,dc=com", "username", "Password", AuthenticationTypes.Secure Or AuthenticationTypes.Sealing)
        Using usuario As DirectoryEntry = objDirEnt.Children.Add("CN=aaaaaa bbbbbbbbbb ccccccccc (aaaaaa.bbbbbb.ccccccccc)", "user")
            ' 23 characters, over the 20-character limit discussed in this question.
            usuario.Properties("sAMAccountName").Value = "aaaaaa.bbbbbb.ccccccccc"
            ' AdsUserFlags is not defined in the post.
            usuario.Properties("userAccountControl").Value = AdsUserFlags.PasswordNotRequired
            usuario.Properties("name").Value = "aaaaaa bbbbbbbbbb ccccccccc"
            usuario.Properties("givenName").Value = "aaaaaa"
            usuario.Properties("sn").Value = "bbbbbbbbbb ccccccccc"
            ' The error quoted above is raised here.
            usuario.CommitChanges()
        End Using
    End Using
Answer 1:
The default restriction for this field is less than 20 chars according to this article: http://msdn.microsoft.com/en-us/library/ms679635.aspx. I've not tried to create a user with a 20-char sAMAccountName, but maybe it's possible with the Novell LDAP Library. I had to use it because we needed to support other LDAP services too. http://www.novell.com/coolsolutions/feature/11204.html
I also found these posts: https://serverfault.com/questions/344815/how-to-add-a-user-in-active-directory-with-name-longer-than-20-characters
Answer 2:
As explained by @stylefish, according to Microsoft documentation it's a feature. Perhaps you can put more than 20 characters there in some way, but I am quite sure that the first 20 characters must be unique in the forest.
If you want to use more characters for the user login, you must use the userPrincipalName (in the form login@Dns-Domain). In the W2K3 schema the length of this attribute is limited to 1023 characters. You can compute an MD5 digest to compute the corresponding samAccountName.
Source: https://stackoverflow.com/questions/9036861/error-creating-a-user-with-more-than-20-chars-in-samaccountname-using-net
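The approach Answer 2 describes, as an added example that is not part of the original question or answers: the long login is stored in userPrincipalName and a 20-character sAMAccountName is derived from its MD5 digest. The helper names DeriveSamAccountName and CreateUserWithLongLogin, the hex encoding with truncation, and the sample login are assumptions made for illustration.

```vbnet
Imports System
Imports System.DirectoryServices
Imports System.Security.Cryptography
Imports System.Text

Module LongLoginExample
    ' Length limit for a user's sAMAccountName, as discussed in the answers.
    Private Const MaxSamLength As Integer = 20

    ' Hypothetical helper: MD5 over the trimmed, lower-cased UPN, hex-encoded
    ' and cut to 20 characters. Hex digits contain none of the characters
    ' that sAMAccountName rejects. MD5 serves only as a name shortener here,
    ' not as a security control.
    Function DeriveSamAccountName(upn As String) As String
        If String.IsNullOrWhiteSpace(upn) Then
            Throw New ArgumentException("UPN must not be empty.", "upn")
        End If
        Dim normalized As String = upn.Trim().ToLowerInvariant()
        Using hasher As MD5 = MD5.Create()
            Dim digest As Byte() = hasher.ComputeHash(Encoding.UTF8.GetBytes(normalized))
            Dim hex As String = BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant()
            Return hex.Substring(0, MaxSamLength)
        End Using
    End Function

    ' Hypothetical helper: the long login goes into userPrincipalName and the
    ' derived short name into sAMAccountName. A truncated digest can collide
    ' and the directory rejects a duplicate sAMAccountName, so the caller has
    ' to handle a failure from CommitChanges(). cn is assumed to need no
    ' DN escaping.
    Sub CreateUserWithLongLogin(container As DirectoryEntry, cn As String, upn As String)
        Using newUser As DirectoryEntry = container.Children.Add("CN=" & cn, "user")
            newUser.Properties("userPrincipalName").Value = upn
            newUser.Properties("sAMAccountName").Value = DeriveSamAccountName(upn)
            newUser.CommitChanges()
        End Using
    End Sub

    Sub Main()
        ' Constructed sample login, built from the placeholder names in the question.
        Dim upn As String = "aaaaaa.bbbbbb.ccccccccc@my.domain.com"
        Console.WriteLine("{0} -> {1}", upn, DeriveSamAccountName(upn))
    End Sub
End Module
```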