Windows Server 2016 Active Directory - Event 4768 - User unable to login

G.I.Jones 21 Reputation points
2022-08-22T21:18:04.973+00:00

Using a PowerShell script, I made a gang of user accounts for some students. Their user logon names follow this format (firstname.lastname.XXXX), which was too long for some of them - you can see how this could be longer than 20 characters for some people with long names.

This wasn't an issue at all for some years, as we never wanted them to log in to domain machines. We only needed them to have email addresses on our On-Prem Exchange Server (2016).

However, we were recently directed to install GoGuardian on these machines as we had too many students and not enough Chromebooks. So I set everything up for that, but forgot about the long names.

Today I got hit with a slurry of students that couldn't log in to the domain-joined computer labs, so starting with the first student, I renamed his user logon name to something under 20 characters.

Each logon attempt is met with "the password or username is not correct". I've reset the password on the user twice for good measure, and carefully typed the username in.

Event Viewer on the DC shows Event 4768. I could not find any other Event IDs associated with this student's login, and I'm trying to figure out what is going on here.

I've double-checked Group Policy to ensure I didn't accidentally apply a policy to prevent anything, but shorter named students are able to log in just fine and all users share the same OU. All computers are in the same OU as each other as well.

I can log in to OWA with the same credentials that won't work for domain login.


Accepted answer
  1. Gary Reynolds 9,406 Reputation points
    2022-08-23T10:17:39.597+00:00

    Hi @G.I.Jones

    While the field will accept up to 256 characters, the name is limited to 20 characters. This limit is to provide support for legacy OS, none of which have probably been in use for a few years. The alternative is to get the users to log on using their UPN, which has a limit of 1025 characters, rather than their SamAccountName, i.e. firstname.lastname.XXXX@mydomain.com

    Gary.


1 additional answer

  1. JimmySalian-2011 42,071 Reputation points
    2022-08-23T10:57:01.593+00:00

    Hi,

    Just to clarify are you using UPN (user logon name) or samaccountname to login to the devices?

    The samaccountname has 20 character limit and you can check the details over here - a-samaccountname

    This samaccountname attribute must be 20 characters or less to support earlier clients, and cannot contain any of these characters:

    "/ \ [ ] : ; | = , + * ? < >

    Example :
    Contoso\Joebloggs
    or
    The newer User Principal Name format that is comprised of the User Logon Name (not the legacy sAMAccountName) and the UPN Suffix assigned to the specific user account.
    Example :
    JoeBloggs@Company portal .local

    Also, to confirm, did you check that the username and password do not have any special characters? Try typing the account and password in Notepad just in case.

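Both answers come down to the same check: does the account's sAMAccountName exceed 20 characters or contain one of the forbidden characters, and does it have a UPN the student can sign in with instead? The script below is an added example (not the poster's script or anything from the answers) that audits an OU for those conditions and, for accounts without a UPN, shows the Set-ADUser call that would assign one. The OU path and UPN suffix are placeholders you must replace; it assumes the RSAT ActiveDirectory module.

```powershell
# Added example: audit student accounts for sAMAccountName problems and
# make sure each flagged account has a UPN (firstname.lastname.XXXX@suffix)
# so the student can sign in with the UPN instead of the 20-char name.
# Assumes the ActiveDirectory module; OU and suffix below are placeholders.
Import-Module ActiveDirectory

$SearchBase = 'OU=Students,DC=mydomain,DC=com'   # placeholder, set to your OU
$UpnSuffix  = 'mydomain.com'                     # placeholder UPN suffix

# Characters sAMAccountName may not contain (list from the answer above)
$Invalid = [char[]]'"/\[]:;|=,+*?<>'

$students = Get-ADUser -Filter * -SearchBase $SearchBase `
    -Properties sAMAccountName, UserPrincipalName

foreach ($u in $students) {
    $sam      = $u.sAMAccountName
    $problems = @()

    # Legacy 20-character limit that breaks interactive domain logon
    if ($sam.Length -gt 20) { $problems += "length $($sam.Length) > 20" }

    # Any forbidden character in the name
    $bad = $sam.ToCharArray() | Where-Object { $Invalid -contains $_ }
    if ($bad) { $problems += "invalid chars: $($bad -join ' ')" }

    if ($problems.Count -eq 0) { continue }

    # Report the account so you know who must log on with a UPN (or be renamed)
    [pscustomobject]@{
        SamAccountName = $sam
        Problems       = ($problems -join '; ')
        CurrentUPN     = $u.UserPrincipalName
    }

    # If no UPN is set, show the change that would give the student one.
    # -WhatIf only previews; remove it once you are happy with the output.
    if (-not $u.UserPrincipalName) {
        Set-ADUser -Identity $u -UserPrincipalName "$sam@$UpnSuffix" -WhatIf
    }
}
```

Run it first with -WhatIf left in place and compare the report against the students who cannot log in; an account that is under 20 characters and still fails is a different problem than the one this script finds.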