Username in Upper case or Small letter?

  • Question

  • Dear Expert,

    I face an issue; probably you have a solution for my problem.

    I work for a big company.

    The problem is that we are going to use a cloud application (SaaS) with SSO.

    However, due to limitations for federated applications we need to fetch the username from AD in upper case, but we somehow have mixed-case usernames in our AD, therefore we face some issues.

    The solutions we have in place are the following:

    1) We need to change all the usernames in AD to upper case.

    2) We need to ask the service provider to support non-case-sensitive usernames from AD.

    Before we choose one of the above two solutions I need your feedback regarding the questions below:

    My question is: what is the Microsoft recommended username? Upper case, lower case, or doesn't it matter (non-case-sensitive)?

    What is the most common username format for a big company with a 200,000 workforce?

    What is the future recommended username format for Active Directory (AD) with Windows 2008 R2 or 2012?

    Will AD support an e-mail ID as a username in order to log in to the domain and so on?

    E.g. Robert.Martin@company.com?

    Thanks in advance

    Rans


    Friday, December 7, 2012 2:09 PM

All replies

  • First, Active Directory is case aware, but not case sensitive. That means that AD saves values using the case you specify, such as "Jim Smith", but you can query for (or find) values using any case, such as "jim smith", "JIM SMITH", or "jiM sMiTh".

    Next, AD Users have several "Name" attributes:

    • The Common Name of the user, which is the value of the cn attribute (which does not uniquely identify the user and cannot be used to logon).
    • The "pre-Windows 2000 logon" name, which is the value of the sAMAccountName attribute. This can be used to logon, and probably is what you call logonname.
    • userPrincipalName (UPN), which is an email style name similar to <name>@mydomain.com. This can be used to logon.

    Even if the userPrincipalName attribute is not populated in AD, the user can always logon with a "default" UPN in the form <sAMAccountName>@MyDomain.com, where <sAMAccountName> is the "pre-Windows 2000 logon" name of the user (sAMAccountName), and "MyDomain.com" is the DNS name of the domain. However, if the "mail" attribute of the user is populated (the field labeled "E-mail" on the "General" tab of ADUC), the user cannot logon with this value (unless it matches <sAMAccountName>@MyDomain.com).

    Finally, no matter what syntax you use to retrieve user information from AD, the values will always be returned in the case saved in AD. For example, if a user has sAMAccountName equal to "jsmith", and you query with the filter "(sAMAccountName=JSMITH)", you will find the user, but the value retrieved will be "jsmith". However, whatever value is retrieved, if code is involved, you could change the case in the code. This would seem preferable to changing the case of all sAMAccountName values in AD (although that can be done).


    Richard Mueller - MVP Directory Services

    • Proposed as answer by Ace Fekay [MCT] Friday, December 7, 2012 6:08 PM
    • Marked as answer by Cicely Feng Friday, December 14, 2012 3:03 AM
    Friday, December 7, 2012 4:21 PM
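The case behaviour Richard describes, as an added PowerShell example that is not part of the original answer: it mimics AD's case-aware but case-insensitive name lookup over a constructed in-memory directory, computes each account's effective logon UPN (explicit attribute or the implicit <sAMAccountName>@<dnsdomain>), and shows where the upper-casing a case-sensitive SaaS provider needs belongs: in the code that issues the claim, not in sAMAccountName itself. The three sample accounts, the domain corp.example.com and the helper names Find-DirectoryUser, Get-EffectiveLogonName and ConvertTo-FederationClaim are all assumptions; the Get-ADUser call in the comments is the real cmdlet you would swap in.

```powershell
# Added example, not from the original post. Mimics AD's case-aware,
# case-insensitive name handling over a constructed in-memory directory and
# shows where to upper-case a username for a case-sensitive SaaS provider.
# ASSUMPTIONS: the three accounts, the domain name and every helper name
# below are made up for this example.
# Live equivalent of $Directory:
#   Get-ADUser -Filter * -Properties sAMAccountName, userPrincipalName, mail

$DnsDomain = 'corp.example.com'

# Constructed sample of a mixed-case directory (what the question describes).
$Directory = @(
    [pscustomobject]@{ sAMAccountName = 'jsmith';  userPrincipalName = $null;                      mail = 'Jim.Smith@corp.example.com' }
    [pscustomobject]@{ sAMAccountName = 'XRobKar'; userPrincipalName = 'xrobkar@corp.example.com'; mail = 'Robert.Karlsson@corp.example.com' }
    [pscustomobject]@{ sAMAccountName = 'AFEKAY';  userPrincipalName = $null;                      mail = $null }
)

function Find-DirectoryUser {
    # Same semantics as an LDAP filter (sAMAccountName=...) against AD: the
    # comparison ignores case, the object comes back with the case as stored.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $Directory | Where-Object {
        [string]::Equals($_.sAMAccountName, $SamAccountName, [StringComparison]::OrdinalIgnoreCase)
    }
}

function Get-EffectiveLogonName {
    # The names that work at the logon prompt: sAMAccountName, and the UPN,
    # which is the explicit attribute if set, else <sAMAccountName>@<dnsdomain>.
    param([Parameter(Mandatory)]$User)
    $upn = $User.userPrincipalName
    if (-not $upn) { $upn = "$($User.sAMAccountName)@$DnsDomain" }   # implicit UPN
    # 'mail' is not a logon name. Record whether it even matches the UPN,
    # because an e-mail address is what users will try to type at the SaaS.
    $mailMatches = $null
    if ($User.mail) {
        $mailMatches = [string]::Equals($User.mail, $upn, [StringComparison]::OrdinalIgnoreCase)
    }
    [pscustomobject]@{
        SamAccountName = $User.sAMAccountName
        Upn            = $upn
        MailMatchesUpn = $mailMatches
    }
}

function ConvertTo-FederationClaim {
    # Normalise once, at the claim boundary, instead of rewriting AD.
    # ToUpperInvariant() rather than ToUpper(): under a Turkish culture
    # ToUpper() maps 'i' to dotted 'İ', which would mint a different
    # identifier on a Turkish-locale server than on any other.
    param([Parameter(Mandatory)][string]$Value)
    $Value.ToUpperInvariant()
}

# A lookup in the "wrong" case still finds the user and returns the stored case,
# and the claim the SaaS receives is upper-cased regardless of that stored case.
$u = Find-DirectoryUser -SamAccountName 'JSMITH'
"Stored sAMAccountName : $($u.sAMAccountName)"
"Claim sent to provider: $(ConvertTo-FederationClaim -Value $u.sAMAccountName)"

# Upper-casing cannot create collisions (AD already keeps sAMAccountName and
# UPN unique without regard to case), so the accounts that will still cause
# trouble are those whose mail differs from the name the federation uses.
$Directory | ForEach-Object { Get-EffectiveLogonName -User $_ } |
    Where-Object { $_.MailMatchesUpn -eq $false } |
    Format-Table SamAccountName, Upn, MailMatchesUpn -AutoSize
```

One caveat worth checking with the provider before choosing between the two options in the question: if the SaaS side matches identifiers case-sensitively and also provisions accounts just-in-time from the federation claim, an inconsistently cased claim does not fail the logon, it silently creates a second account for the same person. Normalise in exactly one place and apply the same rule when you bulk-load the provider with existing users.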
  • Nice explanation and write-up, Richard!

    I would like to add that DNS also falls under this category. If a machine name is all upper case, DNS will honor the name as it appears and register the hostname as it appears, but that doesn't affect resolution if you query it in lower or mixed case.

    For a domain or forest, 200,000 users is no problem. The max a domain can have is 2.15 million. Here's more info:

    Active Directory Maximum Limits - Scalability
    http://technet.microsoft.com/en-us/library/active-directory-maximum-limits-scalability(v=ws.10).aspx


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    • Proposed as answer by Abhijit Waikar Friday, December 7, 2012 8:03 PM
    • Marked as answer by Cicely Feng Friday, December 14, 2012 3:03 AM
    Friday, December 7, 2012 6:16 PM
  • Thank you, Sir,

    Thanks for your nice explanation.

    I have one more question regarding what the industry-standard username/logon name will be in 5-10 years.

    E.g. today we have a system which automatically provisions a username such as xRobkar for "Robert Karlsson" in AD,

    so when "Robert Karlsson" logs in to the company laptop with login ID "xrobkar" he will have Single Sign-On access to all the applications used by the company.

    My question is: will this type of login name/user account name change in the near future?

    Does Microsoft or anyone else have some smart solutions for auto-provisioning user accounts in AD?

    Thanks in advance

    BR

    Rans

    Sunday, December 9, 2012 12:19 AM
  • Thank you so much, Sir!

    As you can see above, I'm also looking for industry-standard user accounts for AD... I mean, in 5-10 years.

    I'm also looking for a Microsoft-integrated solution for user auto-provisioning which you can connect to an HR system.

    E.g. when the HR folks add new employee details in their system, it should automatically provision a user account in AD.

    I hope you understood my question.

    Thanks in advance for your kind answer.

    BR

    Rans

    Sunday, December 9, 2012 12:26 AM
  • Hi,

    For user provisioning, Identity and Access Management (IAM) is the way to go.

    There are a lot of tools for that.

    You can have a look at FIM 2010 R2 : http://www.microsoft.com/en-us/server-cloud/forefront/identity-manager.aspx

    Regards,

    Sunday, December 9, 2012 7:50 AM
  • I'm glad to hear we answered your original question.

    Standardized AD usernames

    I don't believe there are any industry standards for an Active Directory username. There are length limits (quoted from: http://technet.microsoft.com/en-us/library/active-directory-maximum-limits-scalability(v=ws.10).aspx#BKMK_NameLimits):

    The SAM-Account-Name attribute (also known as the pre–Windows 2000 user logon name) is limited to 256 characters in the schema. However, for the purpose of backward compatibility the limit is 20 characters. For more information, see SAM-Account-Name Attribute (http://go.microsoft.com/fwlink/?LinkId=153707).

    Each company has username format rules to follow when creating an account:

    Apparently your company has a requirement to make a username such as xRobkar for the user's name "Robert Karlsson." Every company's requirements are different. Some companies use the full firstname.lastname, firstinitial.lastname, or other combinations. And if you are not satisfied with your usernames, they can be changed, as the blog link below shows, but that is of course something you would first notify the users about before changing.

    Modifying DisplayName Firstname  Surname in Active Directory Users and Computers
    http://blogs.technet.com/b/janelewis/archive/2007/07/24/modifying-displayname-firstname-surname-in-active-directory-users-and-computers.aspx

    As I said, as far as I know, there is no industry standard for username length, format, etc., other than possibly a local government's security certification rules that require a minimum length or format. If you are interested in following your own local government's security requirements, your government's website may have guidelines available.

    Automatically provisioning an account

    There are a number of ways to do it natively. For example, you can create a user template, with common attributes for a user role (such as sales, marketing, executive, etc.). One example: when configuring the home folder attribute under the user's properties, Profile tab, you can use the %username% variable in the template, and when you copy the template for a new user, it will use the username (whether you chose it or it was automatically created) to create the folder and control permissions. Example:
    \\serverName\users\%username%

    More info:

    How to Set Up Home Folders for User Accounts
    http://support.microsoft.com/kb/298403

    Managing user templates
    http://technet.microsoft.com/en-us/library/cc672149(v=ws.10).aspx

    And to automate everything above with the built-in tools requires a scripting solution, such as either an elaborate logon script, a script to create and set the attribute values (such as my example above), or a combination of both. There is nothing that I can think of that is a total out-of-the-box solution with the built-in tools.

    If you can use a third-party solution to provision accounts:

    There are a few good ones out there that will help automate it, at a price, of course. Here are some examples from ManageEngine's AD tools (http://www.manageengine.com/windows-active-directory-tools.html):

    ManageEngine - ADManager Plus
    "ADManager Plus is an Active Directory management and reporting solution, which simplifies Active Directory to an extent that even a fifth grader can run IT department of a huge AD organization ..."
    http://www.manageengine.com/products/ad-manager/index.html

    ManageEngine - ADSelfService Plus -
    "A 4-in-1 turnkey solution that offers password self-service capabilities, a directory self-update utility, a password/account expiry notifier, and a corporate directory search ..."
    http://www.manageengine.com/products/self-service-password/index.html

    Hyena is another third-party tool. A previous company I worked for used a combination of methods, including Hyena for AD user account administration and customized VB scripts, and later changed to custom PowerShell scripting. Here's info on Hyena:

    Hyena 9.2 - Total System Administration
    "Using the built-in Windows administration tools to manage a medium to large Windows 200x network or Active Directory environment can be a challenge. Add multiple domains, hundreds or thousands of servers, workstations, and users, and before you know it, things can get out of hand. Hyena is designed to both simplify and centralize nearly all of the day-to-day management tasks, while providing new capabilities ... "
    http://www.systemtools.com/hyena/

    For information on how to create logon scripts using PowerShell, VB, etc., here are some examples you can search for at the TechNet "Scripting Guy" repository of scripts:
    http://technet.microsoft.com/en-us/scriptcenter/bb410849.aspx

    If you have questions about a script you've created and are having problems getting it to work, you can post them at the TechNet "Scripting Guy" forum:
    http://social.technet.microsoft.com/Forums/en-US/ITCG/threads


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.



    • Edited by Ace Fekay [MCT] Sunday, December 9, 2012 8:10 AM - clarification and syntax
    • Marked as answer by Cicely Feng Friday, December 14, 2012 3:03 AM
    Sunday, December 9, 2012 8:00 AM
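The provisioning steps Ace describes (a company naming rule, the 20-character sAMAccountName limit, the %username% home folder, and a script to create the accounts), as one added PowerShell example that is not from the original post or from any of the tools it mentions. It turns HR records into the parameter sets New-ADUser accepts, so the HR system can drive account creation as the follow-up question asks. The HR rows, the snapshot of names already in the directory, the naming rule (x plus three letters of each name, modelled on the xRobkar example in this thread), the domain corp.example.com, the OU path and the file server fs01 are all constructed assumptions; the only real AD dependency is the commented-out New-ADUser call at the end.

```powershell
# Added example, not from the original post or from any tool it mentions.
# Turns HR records into the parameter sets New-ADUser accepts, applying a
# naming rule, the 20-character sAMAccountName limit, case-insensitive
# uniqueness against names already in use, and a %username%-style home folder.
# ASSUMPTIONS: the HR rows, the existing-name snapshot, the naming rule, the
# domain, OU and file server below are all made up for this example.
#Requires -Version 5.1

$DnsDomain = 'corp.example.com'
$TargetOu  = 'OU=Staff,DC=corp,DC=example,DC=com'
$HomeRoot  = '\\fs01\users'        # home folder becomes \\fs01\users\<username>

# Constructed HR export: what the HR system would hand over.
$HrRecords = @(
    [pscustomobject]@{ EmployeeId = '10001'; GivenName = 'Robert';      Surname = 'Karlsson' }
    [pscustomobject]@{ EmployeeId = '10002'; GivenName = 'Robert';      Surname = 'Karlsson' }        # namesake
    [pscustomobject]@{ EmployeeId = '10003'; GivenName = 'Maximiliane'; Surname = 'Schwarzenberger' } # long names
    [pscustomobject]@{ EmployeeId = '10004'; GivenName = 'Jim';         Surname = "O'Neil" }          # character AD rejects
)

# Constructed snapshot of sAMAccountNames already in the directory, in mixed case.
# Live: (Get-ADUser -Filter *).SamAccountName | ForEach-Object { [void]$Existing.Add($_) }
$Existing = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
'XRobKar', 'jsmith' | ForEach-Object { [void]$Existing.Add($_) }

function ConvertTo-SamAccountName {
    # Naming rule (assumed, modelled on the thread's xRobkar): 'x' + up to three
    # letters of the given name + up to three of the surname, lower-cased.
    # Strips characters sAMAccountName does not allow, enforces the 20-character
    # limit, and appends a number when the name is taken (compared without case).
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][System.Collections.Generic.HashSet[string]]$Taken
    )
    $g = $GivenName -replace '[^A-Za-z0-9]', ''
    $s = $Surname   -replace '[^A-Za-z0-9]', ''
    $base = ('x' + $g.Substring(0, [Math]::Min(3, $g.Length)) +
                   $s.Substring(0, [Math]::Min(3, $s.Length))).ToLowerInvariant()
    if ($base.Length -gt 20) { $base = $base.Substring(0, 20) }

    $candidate = $base
    $n = 1
    while ($Taken.Contains($candidate)) {
        $suffix = [string]$n
        # keep the suffix inside the 20-character limit by trimming the base
        $candidate = $base.Substring(0, [Math]::Min($base.Length, 20 - $suffix.Length)) + $suffix
        $n++
    }
    [void]$Taken.Add($candidate)   # reserve it so later rows in this batch cannot reuse it
    $candidate
}

function New-ProvisioningPlan {
    # One hashtable per HR record, shaped as the splat New-ADUser takes.
    param([Parameter(Mandatory)]$Records, [Parameter(Mandatory)]$Taken)
    foreach ($r in $Records) {
        $sam = ConvertTo-SamAccountName -GivenName $r.GivenName -Surname $r.Surname -Taken $Taken
        @{
            # cn (-Name) must be unique within the OU and does not identify the
            # user on its own, so namesakes get the username appended to it.
            Name              = "$($r.GivenName) $($r.Surname) ($sam)"
            DisplayName       = "$($r.GivenName) $($r.Surname)"
            GivenName         = $r.GivenName
            Surname           = $r.Surname
            SamAccountName    = $sam
            UserPrincipalName = "$sam@$DnsDomain"
            EmployeeID        = $r.EmployeeId        # HR key, so later runs correlate by ID, not by name
            Path              = $TargetOu
            HomeDrive         = 'H:'
            HomeDirectory     = "$HomeRoot\$sam"
            Enabled           = $false               # enable only once a password has been set out of band
        }
    }
}

$plan = New-ProvisioningPlan -Records $HrRecords -Taken $Existing
$plan | ForEach-Object { [pscustomobject]$_ } |
    Format-Table SamAccountName, UserPrincipalName, HomeDirectory, EmployeeID -AutoSize

# Live run against the domain (RSAT ActiveDirectory module), dry-run first:
# foreach ($p in $plan) { New-ADUser @p -WhatIf }
```

Keying the account on EmployeeID rather than on the generated name is what makes a later HR-driven run safe: a rename or a second Robert Karlsson changes the username, not the identity, and a leaver can be found and disabled by ID even after the naming rule has moved on. Accounts are created disabled so that an HR import never produces a live account whose credential nobody has set.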