Pre 2000 帳號字元長度無法超過20個字元, 是否為系統限制? 可否調整?

  • Article

User Logon name(pre-Windows 2000)無法超過20個字元的限制是系統為了相容之前版本的設計,並且無法變更長度限制,變通作法即是以User Logon name(User Principal Name) 來登入,相關說明及建議作法請參考下列資料:

Explanation
===========
I would like to point out that in Windows 2000/above domain, there are two logon name: UPN name (user principal name) and SAMAccountName.

If you open the properties of a user in Active Directory users and Computer, go to the Account tab, you will get:
User logon name: username@domain.com (it is the UPN name.)
User logon name (pre-Windows 2000):domainNetbiosNameusername (it is the SAMAccountName.)
Both of the name can be used for logon. At the logon box, you may input the SAMaccountName and select the domain to login or directly input the UPN name without select the domain.

In addition, the user name in SAMaccountname can be different from the username in UPN name. However, the samaccountname and UPN name should be unique in the domain.
We can use more than 20 characters for the user name in UPN name, however we cannot use more than 20 characters in the SAMAccountName.

The SAMAccountName is backward compatible with pre-Microsoft Windows 2000-based servers, the maximum length on SAMAccountName is 20 characters due to LanManager and pre-windows 2000operating system compatibility. It is by design and cannot be changed.
How about if we use the long name for UPN name but shortname for samaccountname?
For example, when you add the users, you may use the UPN name as
123456789012345678901234567890@domain.com <mailto:123456789012345678901234567890@domain.com>.

Meanwhile, the samaccountname will be domain12345678901234567890.

At the logon box, we can use 123456789012345678901234567890@domain.com <mailto:123456789012345678901234567890@domain.com> to login or use 12345678901234567890 to login.

More Information
==============

- Active Directory naming
https://technet.microsoft.com/en-us/library/cc739093(WS.10).aspx

User accounts
In Active Directory, each user account has a user logon name, a pre-Windows 2000 user logon name (security account manager account name), and a UPN suffix. The administrator enters the user logon name and selects the UPN suffix when creating the user account. Active Directory suggests a pre-Windows 2000 user logon name using the first 20 bytes of the user logon name. Administrators can change the pre-Windows 2000 logon name at any time.

- Configure User and Resource Mailbox Properties
https://technet.microsoft.com/en-us/library/bb124255.aspx

User logon name (pre-Windows 2000)    Use this box to type a user name that is compatible with legacy versions of (prior to the release of Windows 2000 Server). The user logon name for a version of Windows earlier than Windows 2000 Server can't exceed 20 characters and can't contain any of the following characters: / [] : | <> + = ; ? , *.

When the user account is first created, this field is automatically populated based on the User logon name (User Principal Name) field.