Remove 20-character restriction on group member name in net localgroup
After a Nano Server is added to an Active Directory domain, a specific domain group usually needs to be added to the local administrators group. Since Nano Server does not support Group Policy, this must be done imperatively.
On a normal server, the following tools can be used to manipulate local group membership from PowerShell:
- ADSI (the WinNT provider)
- System.DirectoryServices.AccountManagement classes
- net.exe (net localgroup)
Of those three, only net localgroup is avaliable on Nano. However, it suffers from a crippling limitation - the group member name length is limited to 20 characters. In an AD environment where long, descriptive group names are used (e.g. DL-ServerAdministration-Site1), this leaves us with no builtin tools to add such a domain group to local administrators on Nano.
The limitation is described in this KB article: https://support.microsoft.com/en-us/kb/324639. The KB article cites compatibility with Lan Manager 2.0 as the reason - surely in Nano Server this compatibility can be safely broken?