

Active Directory: Requirements For Creating Objects

Introduction

Certain requirements must be met when creating objects in Active Directory. These can be user accounts, groups, computers, or other classes of objects. This article documents some of these requirements. Errors will be raised if any of these requirements are not met. You can use this article to troubleshoot the possible problems. These requirements apply whether you create objects in the Active Directory Users and Computers MMC, in a script, or using command line utilities.


All Classes of Objects

  • You must have permission in Active Directory to create the objects. By default, members of the built-in "Administrators" group (which includes "Domain Admins") and of the "Account Operators" group can create user, group, and computer objects. Any other account must have been granted the "Create child objects" permission for the class of object being created on the target OU or container (typically through delegation).
  • On Windows Vista and later clients, User Account Control can cause a console or script to run with a filtered token. If object creation fails with an access-denied error even though your account holds the required permissions, start the tool from an elevated prompt: right-click a shortcut to cmd.exe or PowerShell and select "Run as administrator", or run the tool with alternate administrative credentials.
  • The Relative Distinguished Name (RDN) of the new object must be unique in the parent Organizational Unit or container. The parent OU/container is where the new object will reside in Active Directory. The RDN for the user, group, computer, contact, and container objects is the value of the cn attribute (the "Common Name"). The RDN of Organizational Unit objects is the value of the ou attribute.
  • The Relative Distinguished Name (RDN) is limited to 64 characters.
  • Certain characters in the Relative Distinguished Names of objects must be escaped with the backslash, "\", escape character. The characters that must be escaped are:
    , \ # + < > ; " =
    In addition, any leading or trailing spaces in the RDN must be escaped. If ADSI is used to create the objects, then the forward slash character, "/", must also be escaped. ADSI is used by VBScript and by the [ADSI] and [ADSISearcher] accelerators in PowerShell. For example, if the Common Name of a new user created in a script is "Smith, James", you must specify "cn=Smith\, James" when you create the object (the comma is escaped; the space is kept because it is neither leading nor trailing). If you use the Active Directory Users and Computers MMC, the system escapes any characters that need it for you.
  • The PowerShell New-AD* cmdlets, such as New-ADUser, New-ADComputer, New-ADGroup, New-ADObject, and New-ADOrganizationalUnit, will automatically escape any characters required by Active Directory.
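The escaping rules above, as an added example that is not part of the original article: a small PowerShell function that escapes an RDN value for ADSI or for the LDAP syntax the AD module uses, followed by the two creation styles side by side. The OU path, the domain and the user names are assumptions; the escaping function itself runs anywhere, the two creation calls need the RSAT ActiveDirectory module and a reachable domain controller.

```powershell
# Added example (not from the original article). Escape an RDN value the way
# ADSI/LDAP require, then create an object with ADSI (caller escapes) and with
# New-ADUser (cmdlet escapes). OU path and names below are assumed values.

function ConvertTo-EscapedRdn {
    param(
        [Parameter(Mandatory)][string]$Value,
        # ADSI ([ADSI], VBScript) also needs "/" escaped; the AD cmdlets do not.
        [switch]$ForAdsi
    )
    # Characters that must be escaped inside an RDN value (RFC 4514 specials).
    $special = [char[]]',\#+<>;"='
    if ($ForAdsi) { $special += [char]'/' }

    $sb = New-Object System.Text.StringBuilder
    foreach ($c in $Value.ToCharArray()) {
        if ($special -contains $c) { [void]$sb.Append('\') }
        [void]$sb.Append($c)
    }
    $escaped = $sb.ToString()

    # Spaces are only escaped when they lead or trail the value. The loop above
    # never touches spaces, so a leading/trailing one is still unescaped here.
    if ($escaped.StartsWith(' ')) { $escaped = '\' + $escaped }
    if ($escaped.EndsWith(' '))   { $escaped = $escaped.Substring(0, $escaped.Length - 1) + '\ ' }
    return $escaped
}

# Self-check of the rules described above (runs offline).
if ((ConvertTo-EscapedRdn -Value 'Smith, James') -ne 'Smith\, James') { throw 'comma not escaped' }
if ((ConvertTo-EscapedRdn -Value ' a+b ')        -ne '\ a\+b\ ')      { throw 'spaces not escaped' }
if ((ConvertTo-EscapedRdn -Value 'a/b' -ForAdsi) -ne 'a\/b')          { throw 'slash not escaped for ADSI' }

# --- ADSI: the caller is responsible for escaping the RDN ---------------------
$ouDn = 'OU=Staff,DC=mydomain,DC=com'                 # assumed OU
$cn   = ConvertTo-EscapedRdn -Value 'Smith, James' -ForAdsi
$ou   = [ADSI]"LDAP://$ouDn"
$user = $ou.Create('user', "cn=$cn")                  # "cn=Smith\, James"
$user.Put('sAMAccountName', 'jsmith')                 # mandatory on Windows 2000, good practice later
$user.SetInfo()

# --- AD module: pass the raw name, New-ADUser escapes it for you ---------------
New-ADUser -Name 'Jones, Mary' -SamAccountName 'mjones' -Path $ouDn
```

The self-check lines throw if the function ever deviates from the rules listed above; keep them when you adapt the function, because an unescaped comma silently turns "Smith, James" into a malformed distinguished name that the directory rejects or, worse, into a different RDN than you intended.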


Objects with sAMAccountName Attribute

  • The value assigned to the sAMAccountName attribute (pre-Windows 2000 Name) must be unique in the domain.
  • All printable characters are allowed in sAMAccountName values except the following:
    " [ ] : ; | = + * ? < > / \ ,
  • The period character, ".", is allowed, but it cannot be the final character in the sAMAccountName.
  • Non-printable characters are not allowed. This includes all characters with ASCII codes less than 32 decimal (20 hex). Also the Delete control character, with ASCII code 127 decimal (7F hex) is not allowed.
  • Active Directory Users and Computers (ADUC) will not allow you to assign a value to the sAMAccountName attribute that includes the "@" character. However, you can do this in code; for example, the Set-ADUser cmdlet accepts a sAMAccountName containing this character. But a user cannot log on to the domain with a sAMAccountName that includes "@". Such a user must log on with their userPrincipalName (UPN). See the note below.
  • In Windows Server 2003 domains and above, if you do not assign a value for sAMAccountName, the system will create a semi-random value for you. This value will be similar to:
    $KJK000-H4GJL6AQOV1I
    In Windows 2000 Server Active Directory the sAMAccountName attribute is mandatory and an error is raised if you fail to assign a value before the object is saved to Active Directory.
  • The schema allows 256 characters in sAMAccountName values. However, the system limits sAMAccountName to 20 characters for user objects, and ADUC limits it to 16 characters for computer objects (a 15-character NetBIOS name plus the trailing "$").
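The sAMAccountName rules in this section, collected into one validation function as an added example that is not part of the original article. It applies the illegal-character list, the control-character and trailing-period rules, the per-class length limits (20 for users, 15 + "$" for computers as ADUC enforces them, the 256-character schema limit for groups) and flags the "@" character, which the directory accepts but which breaks sAMAccountName-style logon. The sample names at the bottom are constructed for the demonstration; the function runs offline and needs no domain.

```powershell
# Added example (not from the original article). Validate a proposed
# sAMAccountName before handing it to ADSI or New-AD*. Sample names are constructed.

function Test-SamAccountName {
    param(
        [Parameter(Mandatory)][string]$Name,
        [ValidateSet('user', 'computer', 'group')][string]$ObjectClass = 'user'
    )
    $problems = New-Object System.Collections.Generic.List[string]

    if ($Name.Length -eq 0) { $problems.Add('empty value') }

    # Printable characters Active Directory rejects in sAMAccountName.
    $illegal = [char[]]'"[]:;|=+*?<>/\,'
    foreach ($c in $Name.ToCharArray()) {
        if ($illegal -contains $c) { $problems.Add("illegal character '$c'"); continue }
        $code = [int]$c
        # Control characters (< 0x20) and DEL (0x7F) are not allowed.
        if ($code -lt 32 -or $code -eq 127) { $problems.Add(("control character 0x{0:X2}" -f $code)) }
    }
    if ($Name.EndsWith('.')) { $problems.Add('cannot end with a period') }

    switch ($ObjectClass) {
        'user'     { if ($Name.Length -gt 20) { $problems.Add('longer than 20 characters') } }
        'computer' {
            # ADUC form: NetBIOS name (15 max) plus a trailing "$".
            if (-not $Name.EndsWith('$')) { $problems.Add('computer accounts end with "$"') }
            if ($Name.Length -gt 16) { $problems.Add('NetBIOS name longer than 15 characters') }
        }
        'group'    { if ($Name.Length -gt 256) { $problems.Add('longer than the 256-character schema limit') } }
    }

    # Accepted by code, refused by ADUC, and unusable for DOMAIN\name logon.
    if ($Name.Contains('@')) { $problems.Add('contains "@": the user can only log on with a UPN') }

    [pscustomobject]@{
        Name        = $Name
        ObjectClass = $ObjectClass
        Valid       = ($problems.Count -eq 0)
        Problems    = $problems.ToArray()
    }
}

# Constructed sample input: one good name and three that the article warns about.
$samples = @(
    @{ Name = 'jsmith';            ObjectClass = 'user' }      # valid
    @{ Name = 'r@cameron';         ObjectClass = 'user' }      # "@" flagged
    @{ Name = 'john.smith.';       ObjectClass = 'user' }      # trailing period
    @{ Name = 'WORKSTATION-0001$'; ObjectClass = 'computer' }  # 16-char NetBIOS name
)
$samples | ForEach-Object { Test-SamAccountName @_ } | Format-Table Name, Valid, Problems -AutoSize
```

Run the check before the create call rather than after: the error the directory returns for a bad sAMAccountName ("The name provided is not a properly formed account name") does not say which rule was violated, whereas the Problems column does.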


Note Regarding the "@" Character in sAMAccountName

A user cannot log on using a sAMAccountName that includes the "@" character. ADUC will not allow you to assign such a value, but it can be done in code. For example, assume the sAMAccountName is "r@cameron" in a domain with DNS name "mydomain.com". If this user attempts to log on as either "r@cameron" or "mydomain\r@cameron", the system responds with the message "The user name or password is incorrect". However, if the userPrincipalName (UPN) for this user is "rcameron@mydomain.com", they can log on with that name. Even if the UPN is "r@johnson@mydomain.com", they can log on successfully with that name. And if no userPrincipalName has been assigned to the user, they can always log on with their sAMAccountName, followed by the "@" character, followed by the DNS name of the domain. This is the implicit (default) UPN. So in this example, the user can always log on as "r@cameron@mydomain.com", whether or not an explicit UPN has been set.


User Objects

  • The value of the cn attribute is limited to 64 characters.
  • The value of the sAMAccountName is limited to 20 characters.


Computer Objects

  • The value of the cn attribute is limited to 64 characters.
  • The value of the sAMAccountName is limited to 20 characters if you assign the value in code. However, ADUC limits the sAMAccountName to 16 characters. In fact, the sAMAccountName should be the NetBIOS name of the computer with a trailing "$" character appended to the end. This in effect limits the NetBIOS name to 15 characters.
  • The Fully Qualified Domain Name (FQDN) is limited to 64 characters. For example, the computer "MyComputer-1234" in the domain "Engr.WestRegion.NorthAmerica.Company.MyDomain.com", has FQDN "MyComputer-1234.Engr.WestRegion.NorthAmerica.Company.MyDomain.com". This is not allowed because the FQDN has 65 characters.
  • If you use the Create method exposed by the IADsContainer interface and specify a class of "computer", but do not assign a value for userAccountControl, the new object will have class computer, but sAMAccountType will be 805306368 (SAM_NORMAL_USER_ACCOUNT, appropriate for a user) and userAccountControl will have a value appropriate for a user, such as 546. You must assign a userAccountControl value appropriate for a workstation or server, for example 4096 (WORKSTATION_TRUST_ACCOUNT) or 4128 (WORKSTATION_TRUST_ACCOUNT plus PASSWD_NOTREQD, the value ADUC sets on a pre-staged computer account). The system will then assign the correct value to sAMAccountType, which is 805306369 (SAM_MACHINE_ACCOUNT).
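The computer-object pitfalls above, as an added example that is not part of the original article: a PowerShell script that creates a computer account through ADSI, sets userAccountControl explicitly so the directory classifies the object as a machine account, and reads sAMAccountType back to prove it. The OU path and computer name are assumptions, and the script needs a reachable domain controller and permission to create computer objects in that OU.

```powershell
# Added example (not from the original article). Create a computer account with
# ADSI and verify the DC assigned the machine-account sAMAccountType. The OU and
# the computer name are assumed values.

$ouDn    = 'OU=Workstations,DC=mydomain,DC=com'   # assumed OU
$netbios = 'WKS-ENGR-0042'                         # assumed name, 13 characters

# NetBIOS name: at most 15 characters, so that name + "$" fits ADUC's 16-character limit.
if ($netbios.Length -gt 15) { throw "NetBIOS name '$netbios' exceeds 15 characters" }

# userAccountControl flags (values from the AD userAccountControl bit definitions).
$UF_PASSWD_NOTREQD            = 0x0020
$UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
$SAM_MACHINE_ACCOUNT          = 805306369   # expected sAMAccountType for a computer

$ou       = [ADSI]"LDAP://$ouDn"
$computer = $ou.Create('computer', "cn=$netbios")
$computer.Put('sAMAccountName', "$netbios`$")      # NetBIOS name with trailing "$"

# Without this Put, the object is saved with a user-style userAccountControl (546)
# and sAMAccountType 805306368, even though its objectClass is computer.
$computer.Put('userAccountControl', ($UF_WORKSTATION_TRUST_ACCOUNT -bor $UF_PASSWD_NOTREQD))
$computer.SetInfo()

# Read the server-assigned attributes back and check the classification.
$computer.RefreshCache()
$sat = [int]$computer.Get('sAMAccountType')
$uac = [int]$computer.Get('userAccountControl')
if ($sat -ne $SAM_MACHINE_ACCOUNT) {
    throw "sAMAccountType is $sat, expected $SAM_MACHINE_ACCOUNT; userAccountControl is $uac"
}
"Created $($computer.distinguishedName): sAMAccountType=$sat userAccountControl=$uac"

# The AD module sets userAccountControl for you; the equivalent single call is:
# New-ADComputer -Name $netbios -SamAccountName "$netbios`$" -Path $ouDn
```

The read-back check matters because the Create call succeeds either way: a computer object with a user-style userAccountControl is not a failure you see at creation time, it surfaces later when the machine cannot join with that pre-staged account.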


Group Objects

  • The value of the cn attribute is limited to 64 characters.
  • The value of the sAMAccountName attribute is limited to the value specified in the Schema, which by default is 256 characters.
  • The groupType attribute of group objects is mandatory. If you create a group in code, you must assign a value appropriate for the scope (domain local, global, or universal) and type (security or distribution) of the group before the object is saved.


Contact Objects

  • The value of the cn attribute is limited to 64 characters.
