samAccountName and user logon name. Different methods of logon

    Question

  • I have a user called testuser. The samAccountName is testuser1 and the user logon name is testuser2. The domain is domain1.com.

    Now I can logon to a machine using the following names.

    testuser1, testuser2@domain1.com, domain1.com\testuser2, testuser1@domain1.com, domain1.com\testuser1.

    testuser2@domain1.com is the userPrincipalName. So it is possible to use that name for logon. Domain1.com\logonname is also understandable.

    But testuser1@domain1.com is not a UPN, although it is in the format of a userPrincipalName. When I use sAMAccountName@domain.com, how was I able to log on? Which attribute or names are checked in the AD database when I use this particular method of logon?

    Also, I know that when I log in to a logged-out account, the logon request is processed on the DC. But what happens when I log in to a locked account? Where is the logon request processed?

    The reason I am asking this is that when I set logon hours for a user and the logon hours have expired for that user, the user is restricted only after he logs off, not when the user is locked. But when a user enters a wrong password to log on to a locked account and reaches the account lockout threshold, the account gets locked out according to the account policy. So how are passwords for a user verified when a user logs in after a log off and after an account lock?


    Thanks and Regards, Radhakrishnan

    Monday, June 18, 2012 11:49 AM

Answers

All replies

  • Wow, you did a good job of complicating this question.  :-)

    I am using an educated guess on the first question:
    "When I use the sAMAccountName@domain.com, how was I able to logon"
    What is going on is that the domain "domain.com" is stripped from the UPN and the name is handed off to the Local Security Authority Subsystem Service (LSASS) to verify the user ID. Once it finds a match it authenticates the account. Why specifically it allows you to enter this way is somewhat of a rules violation since, as you correctly say, it isn't the defined UPN for this security principal.

    You can only log onto an account that isn't locked out. If you work in a large domain and there are DCs that are separated by large replication intervals and all DCs haven't been informed yet of the lockout, you can log onto the domain; it does happen.
    http://technet.microsoft.com/en-us/library/cc775412(v=WS.10).aspx

    Urgent and Immediate Replication explained
    http://blogs.dirteam.com/blogs/paulbergson/archive/2011/04/06/active-directory-replication-types.aspx

    Since Active Directory uses Kerberos, when an account is locked or logon hours have expired, the local system isn't notified. The next time the user attempts to gain access to a new service (SQL, file share, etc.), the user will not be granted since the TGT won't grant the new ticket.

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://blogs.dirteam.com/blogs/paulbergson  Twitter @pbbergs
    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Monday, June 18, 2012 12:14 PM
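As an added illustration (not from the thread, and not Microsoft's LSASS or KDC code), a small Python model of the lookup Paul describes: each of the five logon-name forms the poster lists reduces to an account and a domain, which is matched against userPrincipalName first and sAMAccountName second. The lookup order, the NetBIOS name DOMAIN1 and the collision audit are assumptions of the model.

```python
"""Model of the logon-name resolution described in the thread.
Constructed example: lookup order (explicit UPN, then sAMAccountName
with the domain stripped) is assumed, not taken from Microsoft docs."""

DOMAIN_DNS = "domain1.com"        # from the question
DOMAIN_NETBIOS = "DOMAIN1"        # assumed NetBIOS name for domain1.com
DIRECTORY = [                     # constructed: the single user in the question
    {"cn": "testuser", "sAMAccountName": "testuser1",
     "userPrincipalName": "testuser2@domain1.com"},
]

def parse_logon_name(name):
    """Return (account, dns_domain) for DOMAIN\\user, user@suffix or a bare name."""
    if "\\" in name:                            # NT4 style: DOMAIN\user
        dom, acct = name.split("\\", 1)
        if dom.upper() == DOMAIN_NETBIOS:       # map NetBIOS name to DNS name
            dom = DOMAIN_DNS
        return acct, dom.lower()
    if "@" in name:                             # UPN style: user@suffix
        acct, dom = name.rsplit("@", 1)
        return acct, dom.lower()
    return name, DOMAIN_DNS                     # bare sAMAccountName, local domain

def resolve(name, directory=DIRECTORY):
    """Return the cn of the matched account, or None.
    1. explicit UPN: account@domain equals a userPrincipalName
    2. implicit UPN: domain is ours and account equals a sAMAccountName"""
    acct, dom = parse_logon_name(name)
    candidate_upn = f"{acct}@{dom}".lower()
    for e in directory:
        if e["userPrincipalName"].lower() == candidate_upn:
            return e["cn"]
    if dom != DOMAIN_DNS.lower():
        return None                             # foreign suffix: no fallback
    for e in directory:
        if e["sAMAccountName"].lower() == acct.lower():
            return e["cn"]
    return None

def implicit_upn_collisions(directory=DIRECTORY):
    """Defender's audit: accounts whose explicit UPN equals another account's
    implicit UPN (sAMAccountName@domain), so the same typed name would reach a
    different account depending on which lookup fires first."""
    explicit = {e["userPrincipalName"].lower(): e["cn"] for e in directory}
    hits = []
    for e in directory:
        implicit = f"{e['sAMAccountName']}@{DOMAIN_DNS}".lower()
        owner = explicit.get(implicit)
        if owner and owner != e["cn"]:
            hits.append((implicit, owner, e["cn"]))
    return hits
```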
  • This is by design. By default a user can log in with sAMAccountName@domain.com (in your case testuser2@domain1.com).

    By default the KDC is responsible for user account lookup in AD. Refer to the MS KB below:

    http://support.microsoft.com/kb/929272

    The same discussion is in the thread below:

    http://social.technet.microsoft.com/Forums/en-GB/winserverDS/thread/9a739918-a9dd-4fea-acd4-387126343402

    Hope this information helps to narrow down the problem.

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Monday, June 18, 2012 12:19 PM
  • Sorry for the question.

    Lock out (Windows key + L). The user himself locks the account. Now when the user logs on to this account, where is the logon request processed?

    Because when a user logs on after pressing Windows key + L, the logon hours that I had set don't take effect. For example, I set the logon hours permitted for a user as 10 AM to 7 PM. The user continues to work until 8 PM, locks the account using Windows key + L and takes a break. When the user logs in to the account at 8:30 PM, the logon hours restriction doesn't work. But if the same user had logged off at 8 PM and then tried to log in at 8:30 PM, the time restriction error message would have been displayed and the user wouldn't be able to log on until 10 AM the next morning.


    Thanks and Regards, Radhakrishnan

    Monday, June 18, 2012 12:45 PM
  • Radhakrishnan,

    I think Paul has already answered your question. Please refer to his post.

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.


    Monday, June 18, 2012 1:08 PM