NET.EXE /ADD command does not support names longer than 20 characters

Symptoms

When you use the NET.EXE command together with the /ADD switch and long user or group names, this only redisplays the NET syntax. You receive no error message.

Example:


C:\>NET.EXE localgroup MyRemoteUsers "REMOTE INTERACTIVE LOGON" /ADD

The syntax of this command is:

NET LOCALGROUP [groupname [/COMMENT:"text"]] [/DOMAIN]
groupname {/ADD [/COMMENT:"text"] | /DELETE} [/DOMAIN]
groupname name [...] {/ADD | /DELETE} [/DOMAIN]
The same action does work with the GUI Computer Management, Local Users and Groups Microsoft Management Console (MMC).

Cause

The NET.EXE command does not support names longer than 20 characters for reasons of backward compatibility with LAN Manager 2.0.

For additional information about this LAN Manager 2.0 limitation, click the following article number to view the article in the Microsoft Knowledge Base:

131417 Windows NT global groups are limited to 20 character names

Resolution

If the graphical user interface (GUI) method cannot be used and a scripting method is required, use the Windows 2000 Resource Kit utility Cusrmgr.exe. Or, use VBScript, using an application programming interface (API) that supports names longer than 20 characters.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information

In the example in the "Symptoms" section of this article, use the following Cusrmgr.exe syntax:

C:\>CUSRMGR.EXE -u "REMOTE INTERACTIVE LOGON" -alg "MyRemoteUsers"
This issue may also occur with localized versions in which built-in groups exceed the 20 character name limit -- for example, with the German name for "Authenticated Users" (19 characters): "Authentifizierte Benutzer" (25 characters).

The following sample VBScript may be adapted and used as an additional workaround. It adds "Authenticated Users" to "Power Users" for the English and German version:

##### VBScript ADDGRP.VBS #####

On Error Resume Next

Dim oContainer
Dim oGroup
Dim oIADs

Dim oComputerInformation
Dim bolGroupSet
bolGroupSet = False

Set oComputerInformation = CreateObject("WScript.Network")

Set oContainer = GetObject("WinNT://" +
oComputerInformation.ComputerName) 'get the IADsContainer object for the local computer

oContainer.Filter = Array("Group") 'We only need to enumerate groups,
therefore the filter
For Each oIADs In oContainer 'for each IADs object we find there
If oIADs.Name = "Hauptbenutzer" Or oIADs.Name = "Power Users" Then
'check if it has the name "Power Users" or "Hauptbenutzer"

Set oGroup = oIADs 'If so put it into the IADsGroup object
oGroup.Add ("WinNT://S-1-5-11") 'add the group "Authenticated Users"
oGroup.SetInfo 'and save the info

If Err <> 0 Then 'if error number is not 0 (Error occurred)
MsgBox Err.Number, vbCritical, "AddGroup" 'print out the error message
Else 'if everything seems to be ok
bolGroupSet = True 'set the boolean value to True so we know the group was added
End If

End If
Next

If bolGroupSet = True Then 'if bolGroupSet is False there was nothing done
MsgBox "Group added successfully", vbInformation, "AddGroup"
Else
MsgBox "No action has taken place!", vbExclamation, "AddGroup"
End If

##### script end #####

Workaround

To work around this issue in Windows Server 2008 and later, use the Add-ADGroupMember PowerShell command, as described in the following TechNet article:

Add-ADGroupMember

Properties

Article ID: 324639 - Last Review: Jan 19, 2017 - Revision: 4

Feedback