I need to add about 500 users to an OU in AD

I have scripted out everything I need; however, it gives the error: the name provided is not a properly formed

Here is the script

New-ADUser -Name C080CAB1-9756-409F-914D-AE3971F67DE7 -Path "OU=Staging,DC=domain,DC=local" -accountPassword (convertto-securestring "zagreb+scotch8355" -asplaintext -force) -PasswordNeverExpires $True -CannotChangePassword $false -Enabled $true

I ran a couple of tests to confirm what the problem is:

New-ADUser -Name "C080CAB1-9756-409F-914D-AE3971F67DE7" -Path "OU=Staging,DC=domain,DC=local" -accountPassword (convertto-securestring "zagreb+scotch8355" -asplaintext -force) -PasswordNeverExpires $True -CannotChangePassword $false -Enabled $true

New-ADUser -Name 'C080CAB1-9756-409F-914D-AE3971F67DE7' -Path "OU=Staging,DC=domain,DC=local" -accountPassword (convertto-securestring "zagreb+scotch8355" -asplaintext -force) -PasswordNeverExpires $True -CannotChangePassword $false -Enabled $true

New-ADUser -Name C080CAB1`-9756`-409F`-914D`-AE3971F67DE7 -Path "OU=Staging,DC=domain,DC=local" -accountPassword (convertto-securestring "zagreb+scotch8355" -asplaintext -force) -PasswordNeverExpires $True -CannotChangePassword $false -Enabled $true

Along with a couple of other variations.

What did work:

New-ADUser -Name C080CAB1-9756-409F -Path "OU=Staging,DC=domain,DC=local" -accountPassword (convertto-securestring "zagreb+scotch8355" -asplaintext -force) -PasswordNeverExpires $True -CannotChangePassword $false -Enabled $true

So I think it may be a length issue but I'm not sure how to get the script to work.

Rex
Anthony Fornito
  • Is there a reason you're using SID-like naming instead of regular names? – CIA Sep 10 '14 at 22:20
  • The reason for the username being like that is because the application calls the users from different OUs and then runs the application pool for the site as that user. This is for a HIPAA compliant environment, so the usernames should not be easily distinguished. That is the username format that has to be used. – Anthony Fornito Sep 10 '14 at 22:51
  • For Pre-2000 compatibility, you're limited to 20 characters. I'm not sure what part of HIPAA you're trying to comply with, but I'm sure unless you're giving patients access to your AD, there's no need for the naming structure you have. – CIA Sep 10 '14 at 23:21
  • 20 chars for [sAMAccountName](http://msdn.microsoft.com/en-us/library/ms679635\(v=vs.85\).aspx). You need a shorter long name. You can set a longer description and display name if you like. – Zoredache Sep 11 '14 at 00:09
  • BTW you could almost get away with a GUID represented as Base64. That would be ~24 chars. Do you really need a 128 bit unique ID? Chop off a few bits, encode it the right way, and you fit it in a 20 char field. – Zoredache Sep 11 '14 at 00:15
  • I just signed up, so cannot comment. Are these accounts "service accounts", in that they run an application pool? If so you might want to look at the new service accounts in Windows Server 2012 R2; they generate their own password and change it regularly without hurting the application pools on password change. The only other thing I can think of is Kerberos constrained delegation, but that might be overkill. – Rob Allen Sep 12 '14 at 15:23

2 Answers

Do you want the Display name to be that 36 char string, or the login to be the 36 char string?

If you are using Server 2012 R2, you can only set the display name to 20 chars; however, the login name can be up to 64 chars (I think) using "-UserPrincipalName".

Try this:

New-ADUser -Name C080CAB1-9756-409F-9 -UserPrincipalName C080CAB1-9756-409F-914D-AE3971F67DE7 -Path "OU=Staging,DC=domain,DC=local" -accountPassword (convertto-securestring "zagreb+scotch8355" -asplaintext -force) -PasswordNeverExpires $True -CannotChangePassword $false -Enabled $true

This will create the display name as the truncated value, and the -UserPrincipalName will be the user login name for the user.

See the properties of any user to set the appropriate flags.

http://thenerdservice.com/useradd.png

You can see that the pre-2000 login is truncated; however, the User logon Name is not.

http://thenerdservice.com/userlogin.png

Brian Curless
20 character limit for sAMAccountName. No real way around it. What's funny is that there are 256 characters (~120 Unicode) reserved for it, but the Directory Services engine only lets you use 20.

Edit: Let me be a little more clear. You can have a Name that exceeds 20 characters, but not a sAMAccountName. That may suit your needs. Let me demonstrate:

New-ADUser C080CAB1-9756   # 20 character limit here

Rename-ADObject 'CN=C080CAB1-9756,CN=Users,DC=lab,DC=com' -NewName 'C080CAB1-9756-409F-914D-AE3971F67DE7'

Get-ADUser C080CAB1-9756

DistinguishedName : CN=C080CAB1-9756-409F-914D-AE3971F67DE7,CN=Users,DC=lab,DC=com
Name              : C080CAB1-9756-409F-914D-AE3971F67DE7
SamAccountName    : C080CAB1-9756
DisplayName       :
Ryan Ries
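
The following is an added example, not code from the question or from either answer. It pulls together the three points made on this page: the question's failure comes from sAMAccountName being derived from -Name when -SamAccountName is omitted, Brian Curless's point that the UPN can carry the full 36-character value, Ryan Ries's point that Name (the CN) may exceed 20 characters while sAMAccountName may not, and Zoredache's comment about fitting a Base64-encoded GUID into 20 characters. It validates the proposed sAMAccountName against the 20-character limit and the directory's reserved characters before calling New-ADUser, so the unhelpful "not a properly formed" error becomes a clear one, and checks for an existing account with the same sAMAccountName before creating. The OU path, UPN suffix and input list are constructed values, and the functions Test-SamAccountName, ConvertTo-ShortAccountName and New-StagingUser are this example's own, not part of the ActiveDirectory module.

```powershell
# Added example; not code from the question or either answer. Assumes the
# ActiveDirectory module, rights on the target OU, and constructed values for
# the OU path, UPN suffix and input list.
Import-Module ActiveDirectory

$SamMaxLength    = 20
# Characters the directory rejects in sAMAccountName.
$SamIllegalChars = [char[]]'"/\[]:;|=,+*?<>@'

function Test-SamAccountName {
    # Returns $true when the proposed value satisfies the sAMAccountName rules
    # (1-20 characters, no reserved characters, no trailing period).
    param([Parameter(Mandatory)][string]$Name)
    if ($Name.Length -lt 1 -or $Name.Length -gt $SamMaxLength) { return $false }
    if ($Name.IndexOfAny($SamIllegalChars) -ge 0)              { return $false }
    if ($Name.EndsWith('.'))                                   { return $false }
    return $true
}

function ConvertTo-ShortAccountName {
    # Derives a 20-character logon name from a GUID, following the Base64 idea
    # in the comments: 15 of the 16 bytes (120 bits) Base64-encode to exactly
    # 20 characters with no '=' padding. '+' and '/' are swapped for '-' and
    # '_' because sAMAccountName rejects the former two.
    param([Parameter(Mandatory)][guid]$Guid)
    $bytes = [byte[]]($Guid.ToByteArray()[0..14])
    return [Convert]::ToBase64String($bytes).Replace('+', '-').Replace('/', '_')
}

function New-StagingUser {
    # Creates one account: the full GUID string as Name (CN), DisplayName and
    # UPN prefix, and the derived 20-character value as sAMAccountName.
    # Supplying -SamAccountName explicitly is what avoids the "not a properly
    # formed account name" error, since New-ADUser otherwise derives it from -Name.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$LongName,      # 36-character GUID string
        [Parameter(Mandatory)][string]$OuPath,        # e.g. 'OU=Staging,DC=domain,DC=local'
        [Parameter(Mandatory)][string]$UpnSuffix,     # e.g. 'domain.local'
        [Parameter(Mandatory)][securestring]$Password
    )
    $sam = ConvertTo-ShortAccountName -Guid ([guid]$LongName)
    if (-not (Test-SamAccountName -Name $sam)) {
        throw "Derived sAMAccountName '$sam' for '$LongName' is not valid"
    }
    # sAMAccountName must be unique in the domain; fail loudly rather than let
    # a derived value silently collide with an existing account.
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue) {
        throw "sAMAccountName '$sam' already exists; refusing to create '$LongName'"
    }
    if ($PSCmdlet.ShouldProcess($LongName, 'Create AD user')) {
        New-ADUser -Name $LongName `
                   -SamAccountName $sam `
                   -UserPrincipalName "${LongName}@${UpnSuffix}" `
                   -DisplayName $LongName `
                   -Path $OuPath `
                   -AccountPassword $Password `
                   -PasswordNeverExpires $true `
                   -CannotChangePassword $false `
                   -Enabled $true
    }
}

# Usage (constructed values): the GUID from the question as a one-item list.
# Drop -WhatIf once the output looks right; a file of GUIDs piped in covers the 500.
$ou = 'OU=Staging,DC=domain,DC=local'
$pw = Read-Host -Prompt 'Initial password' -AsSecureString
'C080CAB1-9756-409F-914D-AE3971F67DE7' |
    ForEach-Object { New-StagingUser -LongName $_ -OuPath $ou -UpnSuffix 'domain.local' -Password $pw -WhatIf }
```

Test-SamAccountName alone explains the results in the question: the 36-character string fails on length, while the 18-character C080CAB1-9756-409F passes. Because -SamAccountName is set explicitly, the same 36-character string can be used for Name and UPN without the rename step shown in the second answer.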