User Naming Attributes

As with other directory objects, a user object has names in the form of the cn, name, distinguishedName, and objectGUID properties. Be aware that a user's relative distinguished name (RDN) is the value of the cn property. These properties can be viewed and managed with the Active Directory Users and Computers snap-in.

Because a user object is a security principal, it has the following additional naming properties.

userPrincipalName (User-Principal-Name)

The userPrincipalName property is a single-valued, indexed string that specifies the user principal name (UPN) of the user. The UPN is an Internet-style logon name for the user based on the Internet standard RFC 822. It is shorter than the distinguished name and easier to remember. By convention, it should map to the user's e-mail name. The point of the UPN is to consolidate the e-mail and logon namespaces so that the user need only remember a single name.

The UPN is the preferred logon name for Windows 2000 users. Users should be using their UPNs to log on to the domain. At logon time, a UPN is validated first by searching the local domain, then the global catalog. Failure to find the UPN in the local domain or the GC results in rejection of the UPN.

The UPN can be assigned, but is not required, when the user account is created. When assigned, the UPN is unaffected by changes to other properties of the user object, for example, if the user is renamed or moved, or changes to the domains in the tree, for example, if a parent domain was renamed or a domain was moved. Thus, a user can keep the same login name, although the directory may be radically restructured. Be aware that the UPN can be changed administratively at any time.

The UPN is a string property that can contain any string value. However, the following scheme is recommended.

The user principal name has two parts: the UPN prefix (the user account name) and the UPN suffix (a DNS domain name). The parts are joined together by the at sign (@) symbol to make the complete UPN. For example, the user Someone who has an account in the Example domain would have a UPN of someone@example.com.

The UPN must be unique among all security principal objects within the directory forest. By default (that is, for the built-in user accounts and user accounts created using the Active Directory Users and Computers snap-in), the UPN can consist of any name for the user (such as the sAMAccountName property of the user) and the domain tree name to which the user belongs in the following form:

Name@treeName

The treeName is the domain name system (DNS) name of a domain, but it is not required to be the name of the domain containing the user. However, the treeName portion of the UPN must be the name of a domain in the current forest or an alternate name listed in the upnSuffixes property of the Partitions container within the Configuration container. You can add or remove UPN suffixes by modifying the upnSuffixes property (or by choosing Properties for the root node of Active Directory Domains and Trusts and editing the list on the UPN Suffixes tab).

Usually, the treeName is the name of the first domain in the first tree of the forest. In most cases, this domain name is the domain name registered as the enterprise domain on the Internet. The treeName is obtained by binding to the rootDSE on any domain controller in the forest, reading the rootDomainNamingContext attribute, and then transforming it from DC format (dc=fabrikam,dc=com) to the UPN format (fabrikam.com) using the ADSI IADsNameTranslate interface.

When creating a new user object, you should check the local domain and the global catalog for the proposed name to ensure it does not already exist.

objectGUID (Object-GUID)

The objectGUID property is a single-valued property that is the unique identifier for the object. This property is a Globally Unique Identifier (GUID). When an object is created in the directory, Active Directory generates a GUID and assigns it to the object's objectGUID property. The GUID is unique across the enterprise and anywhere else.

The objectGUID is a 128-bit GUID structure stored as an OctetString.

Because an object's distinguished name changes if the object is renamed or moved, the distinguished name is not a reliable identifier for an object. In Active Directory, an object's objectGUID property is never changed, even if the object is renamed or moved to different places. Be aware that you can retrieve the string form of the objectGUID using the IADs::get_GUID method.

sAMAccountName (SAM-Account-Name)

The sAMAccountName property is a single-valued property that is the logon name used to support clients and servers from a previous version of Windows (such as Windows NT® 4.0 and earlier, Windows 95, Windows 98, and LAN Manager). The sAMAccountName should be 20 characters or fewer to support these clients and servers.

The sAMAccountName must be unique among all security principal objects (users, groups, and computers) within the domain; unlike the UPN, it is not required to be unique across the forest. Before creating the object, query the domain for the proposed name to verify that it is not already in use.
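The two pre-create checks described above (UPN against the local domain and the global catalog, sAMAccountName against the domain) and the UPN-suffix rule from the userPrincipalName section, as an added example that is not part of the original page. It assumes a domain-joined Windows host, a caller with read access to the directory, and constructed sample names in the parameters; the DN-to-DNS transform is a plain string rewrite rather than the IADsNameTranslate call the page mentions, and the user-supplied names are escaped before they are placed in an LDAP filter so that characters such as `*` or `)` cannot widen or break the uniqueness query.

```powershell
# Added example, not part of the original page: pre-create validation of a
# proposed user's logon names. Assumes a domain-joined Windows host and a
# caller with read access to the directory; the parameter defaults are
# constructed sample inputs.
param(
    [string]$SamAccountName = 'someone',
    [string]$UpnSuffix = ''            # empty = default to the forest root domain
)

# Escape a value for use inside an LDAP filter (RFC 4515) so a name containing
# '*', '(', ')' or '\' cannot change the meaning of the uniqueness query.
# Backslash is handled first so the escapes added afterwards are not re-escaped.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

# Turn DC=fabrikam,DC=com into fabrikam.com. The page does this with
# IADsNameTranslate; for a pure DC=... naming context this string transform is equivalent.
function ConvertTo-DnsName([string]$DistinguishedName) {
    (($DistinguishedName -split ',') | Where-Object { $_ -match '^DC=' } |
        ForEach-Object { $_.Substring(3) }) -join '.'
}

# Run one LDAP/GC search and return the results as an array (possibly empty).
function Search-Directory([string]$Path, [string]$Filter, [string[]]$Properties) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$Path, $Filter)
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    @($searcher.FindAll())
}

$rootDse   = [ADSI]'LDAP://RootDSE'
$domainNc  = [string]$rootDse.Get('defaultNamingContext')
$configNc  = [string]$rootDse.Get('configurationNamingContext')
$forestDns = ConvertTo-DnsName ([string]$rootDse.Get('rootDomainNamingContext'))

# Valid UPN suffixes: the DNS name of every domain in the forest (crossRef objects
# under CN=Partitions whose systemFlags has FLAG_CR_NTDS_DOMAIN, 0x2, set) plus the
# alternate suffixes held in the upnSuffixes attribute of the Partitions container.
$partitionsPath  = "LDAP://CN=Partitions,$configNc"
$allowedSuffixes = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
$domainFilter    = '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
foreach ($cr in (Search-Directory $partitionsPath $domainFilter @('dnsRoot'))) {
    [void]$allowedSuffixes.Add([string]$cr.Properties['dnsRoot'][0])
}
foreach ($suffix in ([ADSI]$partitionsPath).upnSuffixes) { [void]$allowedSuffixes.Add([string]$suffix) }

if (-not $UpnSuffix) { $UpnSuffix = $forestDns }
if (-not $allowedSuffixes.Contains($UpnSuffix)) {
    throw "UPN suffix '$UpnSuffix' is neither a forest domain nor a registered upnSuffixes value"
}
if ($SamAccountName.Length -gt 20) {
    throw "sAMAccountName '$SamAccountName' exceeds the 20-character down-level limit"
}

$upn       = "$SamAccountName@$UpnSuffix"
$upnFilter = "(userPrincipalName=$(ConvertTo-LdapFilterValue $upn))"
$samFilter = "(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName))"

# UPN must be unique forest-wide: local domain first, then the global catalog.
$upnClashes = @(Search-Directory "LDAP://$domainNc" $upnFilter @('distinguishedName')) +
              @(Search-Directory "GC://$forestDns"  $upnFilter @('distinguishedName'))
# sAMAccountName only has to be unique within the domain, but across all principal types.
$samClashes = Search-Directory "LDAP://$domainNc" $samFilter @('distinguishedName')

$conflictDns = @($upnClashes + $samClashes) |
    ForEach-Object { [string]$_.Properties['distinguishedName'][0] } | Sort-Object -Unique

[pscustomobject]@{
    ProposedUpn    = $upn
    ProposedSam    = $SamAccountName
    UpnInUse       = ($upnClashes.Count -gt 0)
    SamInUse       = ($samClashes.Count -gt 0)
    ConflictingDNs = ($conflictDns -join '; ')
}
```

Save the block as a script and run it as, for example, `.\Check-Names.ps1 -SamAccountName someone -UpnSuffix example.com`. Two caveats apply to any check-then-create sequence like this: it is a point-in-time read, so two administrators creating the same name against different domain controllers can still both succeed until replication exposes the conflict, and since Windows Server 2012 R2 the domain controller itself rejects a write that would create a duplicate UPN, so treat the check as early feedback rather than the only safeguard.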

objectSid (Object-Sid)

The objectSid property is a single-valued property that specifies the security identifier (SID) of the user. The SID is a unique value used to identify the user as a security principal. It is a binary value that is set by the system when the user is created.

Each user has a unique SID issued by a Windows 2000 domain and stored in the objectSid property of the user object in the directory. Each time a user logs on, the system retrieves the user's SID from the directory and places it in the user's access token. The SID is also used to retrieve the SIDs of the groups of which the user is a member, and those are placed in the access token as well. The system uses the SIDs in the access token to identify the user and the user's group memberships in all subsequent interactions with Windows NT security.

When a SID has been used as the unique identifier for a user or group, it cannot be used again to identify another user or group.

sIDHistory (SIDHistory)

The sIDHistory property is a multi-valued property that contains the previous SIDs of the user object if the user was moved from another domain. When a user is moved from one domain to another, a new SID is created and becomes the objectSid; the previous SID is added to sIDHistory, which holds the SIDs from all of the user's previous domain moves.
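The objectGUID, objectSid and sIDHistory sections above all describe values that LDAP returns as raw octet strings. The following added example (not part of the original page) decodes them by hand so the layout is visible: a SID is a revision byte, a sub-authority count, a 6-byte big-endian identifier authority and then 32-bit little-endian sub-authorities, the last of which is the RID; splitting off the RID leaves the domain SID, which is what tells you which domain a sIDHistory entry came from. For objectGUID it shows both the .NET Guid rendering and the raw octet hex, which differ in the byte order of the first three fields. All byte arrays are constructed sample data, so the block runs without a directory.

```powershell
# Added example, not part of the original page. The byte arrays below are
# constructed to mimic objectGUID / objectSid / sIDHistory OctetString values.

# Decode a binary SID: revision(1) | subAuthorityCount(1) |
# identifierAuthority(6, big-endian) | subAuthorities(4 bytes each, little-endian).
function ConvertFrom-SidBytes([byte[]]$Bytes) {
    if ($Bytes.Length -lt 8) { throw 'SID is too short to hold a header' }
    $revision = $Bytes[0]
    $count    = $Bytes[1]
    if ($Bytes.Length -ne 8 + 4 * $count) {
        throw "SID length $($Bytes.Length) does not match $count sub-authorities"
    }
    [uint64]$authority = 0
    for ($i = 2; $i -lt 8; $i++) { $authority = ($authority -shl 8) -bor $Bytes[$i] }
    $parts = @("S-$revision-$authority")
    for ($i = 0; $i -lt $count; $i++) {
        $parts += [BitConverter]::ToUInt32($Bytes, 8 + 4 * $i)
    }
    $parts -join '-'
}

# Split S-1-5-21-a-b-c-RID into the issuing domain's SID and the RID.
function Split-Sid([string]$Sid) {
    $idx = $Sid.LastIndexOf('-')
    [pscustomobject]@{
        DomainSid = $Sid.Substring(0, $idx)
        Rid       = [uint32]$Sid.Substring($idx + 1)
    }
}

# Two string forms of the same 16 objectGUID bytes.
function ConvertFrom-GuidBytes([byte[]]$Bytes) {
    if ($Bytes.Length -ne 16) { throw 'objectGUID must be exactly 16 bytes' }
    [pscustomobject]@{
        # .NET Guid string: the first three fields are read little-endian.
        GuidString = ([guid]$Bytes).ToString()
        # Raw octet hex in stored order: the form used in LDAP://<GUID=...> binding strings.
        OctetHex   = (($Bytes | ForEach-Object { $_.ToString('x2') }) -join '')
    }
}

# Constructed objectSid for S-1-5-21-1111-2222-3333-1105.
$objectSid = [byte[]](0x01,0x05, 0,0,0,0,0,0x05, 0x15,0,0,0, 0x57,0x04,0,0, 0xAE,0x08,0,0, 0x05,0x0D,0,0, 0x51,0x04,0,0)
# Constructed sIDHistory entry from a "previous" domain: S-1-5-21-4444-5555-6666-1105.
$sidHistory = @(
    [byte[]](0x01,0x05, 0,0,0,0,0,0x05, 0x15,0,0,0, 0x5C,0x11,0,0, 0xB3,0x15,0,0, 0x0A,0x1A,0,0, 0x51,0x04,0,0)
)
# Constructed objectGUID octets.
$objectGuid = [byte[]](0x03,0x9F,0xAC,0x5B,0xD7,0xE9,0x41,0xD4,0x9C,0x9D,0x13,0xEC,0x60,0x16,0xF0,0xA2)

$current = ConvertFrom-SidBytes $objectSid
# Cross-check the hand decoder against the platform's own parser.
$fromDotNet = (New-Object System.Security.Principal.SecurityIdentifier($objectSid, 0)).Value
if ($current -ne $fromDotNet) { throw "decoder disagrees with .NET: $current vs $fromDotNet" }

"objectSid : $current"
$split = Split-Sid $current
"  issued by domain $($split.DomainSid), RID $($split.Rid)"
foreach ($entry in $sidHistory) {
    $old = ConvertFrom-SidBytes $entry
    "sIDHistory: $old (from domain $((Split-Sid $old).DomainSid))"
}
ConvertFrom-GuidBytes $objectGuid
```

The same RID (1105) appearing under two different domain SIDs is exactly what a domain move produces: the account keeps its relative identifier in the new domain only by coincidence, and access granted to the old SID continues to resolve through sIDHistory. When auditing, decode the history entries and confirm each domain SID belongs to a domain the account was actually migrated from.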