Value expansion in schema AD

Elazara Arbiv 161 Reputation points
2020-10-15T05:28:55.65+00:00

Hello,
I want to set an entry in an AD schema with a name longer than 64 characters.
Are there any recommendations / risks what is the maximum value to expand the? Is there a maximum value?
What I have now is 6432524-com.png

Active Directory
A set of directory-based technologies included in Windows Server.

Accepted answer
  1. Vicky Wang 2,731 Reputation points
    2020-10-20T08:08:16.16+00:00

    Hi,
    Thank you for your update and patience.

    It cannot be changed; according to the explanation in the article, the maximum can only be 64.
    Name Length Limits from the Schema
    Default limits on attribute names for Active Directory objects that are imposed by the schema include the following. These items provide examples of schema-limited name attributes:

    Display names are limited to 256 characters. For more information, see Display-Name Attribute (https://go.microsoft.com/fwlink/?LinkId=153705).

    Common names are limited to 64 characters. For more information, see Common-Name Attribute (https://go.microsoft.com/fwlink/?LinkId=153706).

    The SAM-Account-Name attribute (also known as the pre–Windows 2000 user logon name) is limited to 256 characters in the schema. However, for the purpose of backward compatibility the limit is 20 characters. For more information, see SAM-Account-Name Attribute (https://go.microsoft.com/fwlink/?LinkId=153707).

    Reference: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc756101(v=ws.10)?redirectedfrom=MSDN


4 additional answers

  1. Vicky Wang 2,731 Reputation points
    2020-10-15T09:08:13.647+00:00

    The following PowerShell will look at the schema's user class, grab its allowedAttributes attribute, then look up the definition of each attribute and return its rangeUpper value.

    # Need the Microsoft AD PS module
    Import-Module ActiveDirectory

    # Get the user class definition, include "allowedAttributes"
    $userClass = Get-ADObject -SearchBase ((Get-ADRootDSE).schemaNamingContext) -Filter { Name -eq "User" } -Properties allowedAttributes

    # Walk the allowedAttributes array and sort into a table with "name" and "rangeUpper"
    $userClass.allowedAttributes |
        ForEach-Object { Get-ADObject -SearchBase ((Get-ADRootDSE).schemaNamingContext) -Filter { LDAPDisplayName -eq $_ } -Property rangeUpper } |
        Sort-Object Name |
        Format-Table -Property Name, rangeUpper

    # If you want to only see defined "rangeUpper" values
    $userClass.allowedAttributes |
        ForEach-Object { Get-ADObject -SearchBase ((Get-ADRootDSE).schemaNamingContext) -Filter { LDAPDisplayName -eq $_ } -Property rangeUpper } |
        Where-Object { $_.rangeUpper } |
        Sort-Object Name |
        Format-Table -Property Name, rangeUpper


  2. Elazara Arbiv 161 Reputation points
    2020-10-15T11:05:46.717+00:00

    Hello,
    You may not have been clear enough,
    I know what my limitation is - I found I have 64.
    I want to know what the limit of the product is? How many characters can I change?


  3. Elazara Arbiv 161 Reputation points
    2020-10-15T11:10:42.487+00:00

    And if you have a recommendation, how many characters should you set? Or is it just according to the need of my organization?


  4. Vicky Wang 2,731 Reputation points
    2020-10-21T09:03:21.227+00:00

    Hi,
    I am glad to hear that your issue was successfully resolved.
    If there is anything else we can do for you, please feel free to post in the forum.
    Have a nice day!

