
Identity Management at CERN


June 30
Maximum length of attributes in Active Directory
Running some AD export tests, I got some constraint-violation errors. Clicking on the error did not provide more meaningful details: the error message was "a value for the attribute was not in the acceptable range of values", but it was not specified which attribute was out of range.
 
Looking at the objects causing the exception, I discovered that all of them had the same value for the company attribute, and that this value was longer than 64 characters, which is the upper limit for the company attribute in AD.
Here is a small PowerShell script to get the maximum length of an AD attribute:
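param ([string]$attributeName = $(throw "Specify attribute name"))
# Locate the schema partition through rootDSE; schemaNamingContext is valid in every domain of the forest
$rootDSE = [ADSI]"LDAP://RootDSE"
$schema = [ADSI]"LDAP://$($rootDSE.schemaNamingContext)"
# Search by lDAPDisplayName: the schema object's CN can differ from it (sAMAccountName is CN=SAM-Account-Name)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($schema, "(&(objectClass=attributeSchema)(lDAPDisplayName=$attributeName))")
$result = $searcher.FindOne()
if ($null -eq $result) { throw "Attribute '$attributeName' not found in the schema" }
$attribute = $result.GetDirectoryEntry()
# rangeUpper is absent when the schema defines no upper limit
if ($null -eq $attribute.rangeUpper.Value) {
    "no limit"
} else {
    $attribute.rangeUpper.Value
}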
 
At this point, I just had to modify my export flow from 'company -> company' to 'Left(company,63) -> company'.
Note that I'm taking the first 63 - and not 64 - characters of the attribute, as the maximum length includes a null terminating character.
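
The export error above did not name the offending attribute. As an added example (not the author's script), the following pre-export check compares pending values against schema length limits and reports which object and attribute exceed them. Get-StringLimit, Find-LengthViolation and the sample users are hypothetical names and constructed data; only the company limit of 64 comes from this post.

```powershell
# Added example, not part of the original post.
function Get-StringLimit {
    # Needs a domain-joined host. Maps lDAPDisplayName -> rangeUpper for Unicode-string
    # attributes (attributeSyntax 2.5.5.12), where rangeUpper is a length;
    # for integer syntaxes it is a maximum value instead, so those are excluded.
    $rootDSE  = [ADSI]"LDAP://RootDSE"
    $schema   = [ADSI]"LDAP://$($rootDSE.schemaNamingContext)"
    $filter   = "(&(objectClass=attributeSchema)(attributeSyntax=2.5.5.12)(rangeUpper=*))"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($schema, $filter)
    $searcher.PageSize = 500   # page through the whole schema
    $searcher.PropertiesToLoad.AddRange([string[]]@("lDAPDisplayName", "rangeUpper"))
    $limits = @{}
    foreach ($r in $searcher.FindAll()) {
        $limits[[string]$r.Properties["ldapdisplayname"][0]] = [int]$r.Properties["rangeupper"][0]
    }
    $limits
}

function Find-LengthViolation {
    param([hashtable]$Limits, [string]$ObjectId, [hashtable]$Attributes)
    foreach ($name in $Attributes.Keys) {
        if (-not $Limits.ContainsKey($name)) { continue }   # no schema limit known
        foreach ($value in @($Attributes[$name])) {          # also covers multi-valued attributes
            $len = ([string]$value).Length
            # Flags values longer than the limit, the condition the post ran into
            if ($len -gt $Limits[$name]) {
                [pscustomobject]@{ Object = $ObjectId; Attribute = $name
                                   Length = $len; Limit = $Limits[$name] }
            }
        }
    }
}

# Constructed sample data; the only limit taken from the post is company = 64.
$limits  = @{ company = 64 }   # on a domain-joined host: $limits = Get-StringLimit
$pending = @{
    "user1" = @{ company = "CERN";     displayName = "Constructed User One" }
    "user2" = @{ company = ("X" * 70); displayName = "Constructed User Two" }
}
$pending.GetEnumerator() | ForEach-Object {
    Find-LengthViolation -Limits $limits -ObjectId $_.Key -Attributes $_.Value
}
```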

Comments

Active Directory Maximum Limits

 on 15/03/2011 09:06 PM

SAMAccount Name

It doesn't work with samaccountname
 on 21/06/2012 11:16 AM

Awesome!

Nice and easy way to check against schema!
 on 05/03/2013 10:50 AM