Sam account name and security identifier

  • Question

  • What happens if I use the same SID for a user I migrated from domain A to domain B? What is the need for new SIDs?

    Why was UPN invented? Like what were the drawbacks of SAM that created UPN?

    Wednesday, August 29, 2018 8:19 AM

Answers

  • The SID is assigned by the system (Active Directory). You cannot modify or assign it. The part of the SID after the last dash character, "-", is called the Relative IDentifier (RID). The rest of the SID, before the last dash, is the same for all objects (users, groups, computers, etc.) you create in the domain. Only the RID differentiates objects in the domain. When objects are migrated to another domain, they get a new SID, so the part before the last dash matches the other objects in the new domain. Every object needs a unique SID so that it can be identified and granted permissions.

    The userPrincipalName (UPN) allows users to log on with a name that matches their email address. It is not required in Active Directory, and does not even need to be unique or in email format, unless the accounts are synchronized with Office 365, Azure, or Intune.

    The sAMAccountName must be unique in the domain (among all security principals), but need not be unique in the forest. The combination of NetBIOS name of the domain and the sAMAccountName is unique in the forest.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Wednesday, August 29, 2018 12:47 PM
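The SID structure described in the answer above (a domain-wide prefix plus a per-object RID), as an added Python example that is not code from the thread or from Microsoft. It parses both the textual form and the binary layout stored in the objectSid attribute, splits a principal SID into domain SID and RID, and compares the constructed "before migration" and "after migration" SIDs of one user; all SID values are made up for the illustration, and the well-known RID names are the standard built-in ones.

```python
"""Parse and compare Windows security identifiers (SIDs).

Added example, not code from the thread. The SIDs below are constructed for
illustration and do not belong to any real domain.
"""
import struct
from dataclasses import dataclass
from typing import Tuple

# A few RIDs that are the same in every domain (not domain-specific).
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}


@dataclass(frozen=True)
class Sid:
    revision: int
    identifier_authority: int
    sub_authorities: Tuple[int, ...]

    @classmethod
    def from_string(cls, text: str) -> "Sid":
        """Parse the textual form, e.g. 'S-1-5-21-...-1105'."""
        parts = text.split("-")
        if len(parts) < 3 or parts[0] != "S":
            raise ValueError(f"not a SID: {text!r}")
        revision, authority = int(parts[1]), int(parts[2])
        subs = tuple(int(p) for p in parts[3:])
        if revision != 1 or len(subs) > 15 or any(not 0 <= s < 2**32 for s in subs):
            raise ValueError(f"malformed SID: {text!r}")
        return cls(revision, authority, subs)

    @classmethod
    def from_bytes(cls, data: bytes) -> "Sid":
        """Parse the binary form stored in objectSid and in security
        descriptors: revision (1 byte), sub-authority count (1 byte), 48-bit
        big-endian identifier authority, then little-endian 32-bit
        sub-authorities."""
        if len(data) < 8:
            raise ValueError("SID too short")
        revision, count = data[0], data[1]
        if len(data) != 8 + 4 * count:
            raise ValueError("sub-authority count does not match length")
        authority = int.from_bytes(data[2:8], "big")
        subs = struct.unpack("<%dI" % count, data[8:])
        return cls(revision, authority, subs)

    def to_bytes(self) -> bytes:
        """Inverse of from_bytes."""
        count = len(self.sub_authorities)
        return (bytes([self.revision, count])
                + self.identifier_authority.to_bytes(6, "big")
                + struct.pack("<%dI" % count, *self.sub_authorities))

    def __str__(self) -> str:
        head = "S-%d-%d" % (self.revision, self.identifier_authority)
        return head + "".join("-%d" % s for s in self.sub_authorities)

    @property
    def is_domain_principal(self) -> bool:
        """Domain (and local machine) account SIDs have the shape
        S-1-5-21-<a>-<b>-<c>-<RID>: NT authority 5, first sub-authority 21,
        three values that identify the domain, then the RID."""
        s = self.sub_authorities
        return self.identifier_authority == 5 and len(s) == 5 and s[0] == 21

    @property
    def domain_sid(self) -> "Sid":
        """Everything before the last dash; identical for all objects in one domain."""
        if not self.is_domain_principal:
            raise ValueError(f"{self} is not a domain principal SID")
        return Sid(self.revision, self.identifier_authority, self.sub_authorities[:-1])

    @property
    def rid(self) -> int:
        """The Relative IDentifier: the only part that differs within a domain."""
        if not self.is_domain_principal:
            raise ValueError(f"{self} is not a domain principal SID")
        return self.sub_authorities[-1]


def same_domain(a: Sid, b: Sid) -> bool:
    """True when two principals belong to the same domain."""
    return a.domain_sid == b.domain_sid


def describe(sid: Sid) -> str:
    """Human-readable summary used by the demo below."""
    name = WELL_KNOWN_RIDS.get(sid.rid, "(domain-specific RID)")
    return f"{sid}: domain {sid.domain_sid}, RID {sid.rid} {name}"


# Constructed SIDs: one user as it existed in domain A and as re-created by
# migration into domain B, plus the built-in Administrator of domain A.
USER_IN_DOMAIN_A = Sid.from_string("S-1-5-21-1111111111-2222222222-3333333333-1105")
USER_IN_DOMAIN_B = Sid.from_string("S-1-5-21-4000000001-1234567890-987654321-2001")
ADMIN_IN_DOMAIN_A = Sid.from_string("S-1-5-21-1111111111-2222222222-3333333333-500")

if __name__ == "__main__":
    for s in (USER_IN_DOMAIN_A, ADMIN_IN_DOMAIN_A, USER_IN_DOMAIN_B):
        print(describe(s))
    print("same domain (user A, admin A):", same_domain(USER_IN_DOMAIN_A, ADMIN_IN_DOMAIN_A))
    print("same domain (user A, user B):", same_domain(USER_IN_DOMAIN_A, USER_IN_DOMAIN_B))
    # Round-trip through the binary objectSid encoding.
    assert Sid.from_bytes(USER_IN_DOMAIN_A.to_bytes()) == USER_IN_DOMAIN_A
```

The user's RID 1105 is meaningless in domain B, since B hands out its own RIDs from its own pool, which is why the migrated object gets a fresh SID under B's prefix rather than keeping A's. The binary form matters in practice because an LDAP search returns objectSid as these raw bytes, not as the "S-1-5-..." string.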

All replies

  • SID is used to uniquely identify an account. You won't be able to tell one account from another if both have the same SID.

    I guess some of the logic behind the transition to UPN is that samaccountname does not include information about which domain the account belongs to. The field is also limited to 20 chars. UPN makes it easier to exchange account information by including both the "domain local" account identifier and the name of the domain/catalog that owns the account. In addition, the UPN format conforms to RFC 822, which makes it possible to use an email address as the user ID, making it easier for users to remember.

    For more information, please take a look at

    User Naming Attributes


    Gleb.

    Wednesday, August 29, 2018 11:05 AM
  • Could you please elaborate on the domain.local and domain/catalog? And what do you mean by the sam name does not include information about which domain the account belongs to? Domain/Samaccountname is the format of sam, so the domain name is present? Could you please elaborate? @Gleb

    Thursday, August 30, 2018 6:44 AM
  • Isn't netbios+name = samaccountname? Why does it sound like two different things? @Richard Mueller

    Friday, August 31, 2018 5:25 AM
  • If a user has a sAMAccountName (pre-Windows 2000 logon name) of "jsmith" in domain "mydomain.com", they can log on using any of the following in the name field:

    1. jsmith
    2. mydomain\jsmith
    3. jsmith@mydomain.com

    The first works if the client computer is authenticated in mydomain.com. The other two work in all cases. But in addition, if the user has userPrincipalName "jimsmith@mydomain.com" they can log on with that. Or if their userPrincipalName is "jimsmith@otherdomain.com", then they can log on with that.

    Note: if there is a local account configured with the same name, "jsmith" in this case, then logging on simply as "jsmith" may result in an attempt to authenticate to the local client with the local account. In that case, the user must log on with the name "mydomain\jsmith" in order to authenticate to the domain. I have had this experience when I try to log on to the domain "Administrator" account, but the client has a local account with the same name.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    • Proposed as answer by Tim Cerling MVP Saturday, September 1, 2018 1:03 PM
    Friday, August 31, 2018 12:37 PM
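The naming rules from the accepted answer and Gleb's reply (sAMAccountName unique per domain and limited to 20 characters, NetBIOS\sAMAccountName unique per forest, UPN optional unless synchronized to Office 365/Azure AD) together with the logon-name forms Richard lists just above, as an added Python model that is not code from the thread or from Microsoft. The forest, domains and accounts are constructed for the illustration. The resolution order it implements follows what the replies describe: an explicit userPrincipalName is matched forest-wide and its suffix need not be the account's own domain, sAMAccountName@dns-domain works as a fallback, and a bare name is tried against a same-named local account before the client's domain.

```python
"""Naming rules and logon-name resolution from this thread, as a small model.

Added example, not code from the thread. All domains, accounts and names
below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAM_MAX_LEN = 20  # user sAMAccountName is limited to 20 characters


@dataclass(frozen=True)
class Account:
    sam: str                    # sAMAccountName (pre-Windows 2000 logon name)
    upn: Optional[str] = None   # userPrincipalName, optional in AD


@dataclass(frozen=True)
class Domain:
    netbios: str                # e.g. MYDOMAIN
    dns: str                    # e.g. mydomain.com
    accounts: Tuple[Account, ...]


class Forest:
    def __init__(self, domains, cloud_synced: bool = False):
        self.domains = tuple(domains)
        self.cloud_synced = cloud_synced  # synced to Office 365 / Azure AD?

    def validate(self) -> List[str]:
        """Report violations of the naming rules. NetBIOS\\sAMAccountName is
        unique in the forest whenever NetBIOS names are unique and each
        sAMAccountName is unique within its domain, so those two are checked."""
        problems: List[str] = []
        seen_netbios = set()
        seen_upn: Dict[str, str] = {}
        for d in self.domains:
            if d.netbios.upper() in seen_netbios:
                problems.append(f"duplicate NetBIOS domain name {d.netbios}")
            seen_netbios.add(d.netbios.upper())
            seen_sam = set()
            for a in d.accounts:
                who = f"{d.netbios}\\{a.sam}"
                if len(a.sam) > SAM_MAX_LEN:
                    problems.append(f"{who}: sAMAccountName longer than {SAM_MAX_LEN}")
                if a.sam.lower() in seen_sam:
                    problems.append(f"{who}: sAMAccountName not unique in domain")
                seen_sam.add(a.sam.lower())
                if self.cloud_synced:  # only then must UPN exist, be unique, be user@domain
                    if a.upn is None or "@" not in a.upn:
                        problems.append(f"{who}: UPN missing or not in user@domain form")
                    elif a.upn.lower() in seen_upn:
                        problems.append(f"{a.upn}: UPN not unique in forest (also {seen_upn[a.upn.lower()]})")
                    else:
                        seen_upn[a.upn.lower()] = who
        return problems

    def _find(self, domain: Domain, sam: str) -> Optional[Tuple[str, str]]:
        for a in domain.accounts:
            if a.sam.lower() == sam.lower():
                return (domain.netbios, a.sam)
        return None

    def _domain_by(self, attr: str, value: str) -> Optional[Domain]:
        for d in self.domains:
            if getattr(d, attr).lower() == value.lower():
                return d
        return None

    def resolve(self, name: str, client_domain: Optional[str] = None,
                local_accounts: Tuple[str, ...] = ()):
        """Return ('local', sam), ('domain', NETBIOS, sam) or None."""
        if "\\" in name:                       # NetBIOS\sAMAccountName
            nb, sam = name.split("\\", 1)
            d = self._domain_by("netbios", nb)
            hit = self._find(d, sam) if d else None
            return ("domain",) + hit if hit else None
        if "@" in name:
            # Explicit UPN first: looked up across the forest, suffix may differ
            # from the account's own domain.
            for d in self.domains:
                for a in d.accounts:
                    if a.upn and a.upn.lower() == name.lower():
                        return ("domain", d.netbios, a.sam)
            # Fallback: sAMAccountName@<DNS name of the domain>.
            sam, dns = name.rsplit("@", 1)
            d = self._domain_by("dns", dns)
            hit = self._find(d, sam) if d else None
            return ("domain",) + hit if hit else None
        # Bare name: a same-named local account on the client wins.
        for local in local_accounts:
            if local.lower() == name.lower():
                return ("local", local)
        d = self._domain_by("netbios", client_domain) if client_domain else None
        hit = self._find(d, name) if d else None
        return ("domain",) + hit if hit else None


# Constructed forest: jsmith exists in both domains, which is allowed, and the
# first one has a UPN whose suffix is the other domain's name.
FOREST = Forest([
    Domain("MYDOMAIN", "mydomain.com", (
        Account("jsmith", upn="jimsmith@otherdomain.com"),
        Account("Administrator"),
    )),
    Domain("OTHER", "otherdomain.com", (Account("jsmith"),)),
])

if __name__ == "__main__":
    print("rule violations:", FOREST.validate())
    for n in ("jsmith", "MYDOMAIN\\jsmith", "jsmith@mydomain.com",
              "jimsmith@otherdomain.com", "jsmith@otherdomain.com"):
        print(f"{n:28} -> {FOREST.resolve(n, client_domain='MYDOMAIN')}")
    print("Administrator with a local Administrator ->",
          FOREST.resolve("Administrator", "MYDOMAIN", ("Administrator",)))
```

Running it shows the point of Gleb's reply: "jsmith" alone is only resolvable given the client's domain, "MYDOMAIN\jsmith" and "jsmith@mydomain.com" carry the domain with them, and "jimsmith@otherdomain.com" lands in MYDOMAIN because the UPN is looked up as a whole rather than split on the suffix. Flipping `cloud_synced=True` on the same forest makes the two accounts without a UPN fail validation, which is the condition under which the accepted answer says the UPN stops being optional.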