Users inside an Active Directory domain can be identified by the following schema properties:
- sAMAccountName
- userPrincipalName
- GUID
- Object SID
- Distinguished Name

sAMAccountName
- Inside a domain the sAMAccountName is unique: it is not possible to have multiple users with the same sAMAccountName in a single domain.
- The same sAMAccountName can exist in multiple domains of the same Active Directory forest.
- In Active Directory Users and Computers the sAMAccountName is the "User logon name (pre-Windows 2000)".

userPrincipalName
Microsoft has a detailed article about the restrictions of the userPrincipalName.
- The userPrincipalName is not a mandatory attribute and can be empty. Empty UPNs are considered bad practice. NADI does not support empty userPrincipalNames.
- The Active Directory Users and Computers MMC does not allow multiple user objects with the same userPrincipalName. With code (e.g. PowerShell) you can still assign the same userPrincipalName to multiple users. Duplicate UPNs are considered bad practice. NADI does not support multiple users with the same userPrincipalName.
- The userPrincipalName consists of the username and the UPN suffix, separated by an '@' character.
- The same UPN username can exist with different UPN suffixes across domains of an Active Directory forest.
- Multiple UPN suffixes can be defined for an Active Directory domain.
- A UPN suffix has to be unique inside an Active Directory forest.
- In Active Directory Users and Computers the userPrincipalName is the "User logon name". The administrator can select one of the defined UPN suffixes.
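The following Python example is added here to make the sAMAccountName and userPrincipalName rules above checkable; it is not code from NADI or from Microsoft. It splits a UPN into its username and suffix and then runs a constructed two-domain forest (the records, domain names and the strict "exactly one '@'" check are this example's assumptions) through a validator that reports the two situations NADI does not support, an empty UPN and a duplicate UPN, while allowing the same sAMAccountName in two different domains.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample forest with two domains (not real directory data). Each record
# carries the attributes discussed above; the comments mark which rule it exercises.
SAMPLE_USERS: List[Dict[str, str]] = [
    {"domain": "corp.example.com", "sAMAccountName": "jdoe",
     "userPrincipalName": "john.doe@corp.example.com"},
    # Same sAMAccountName in another domain of the forest: allowed.
    {"domain": "sub.corp.example.com", "sAMAccountName": "jdoe",
     "userPrincipalName": "jdoe@example.org"},
    # Empty userPrincipalName: legal in AD, but not supported by NADI.
    {"domain": "corp.example.com", "sAMAccountName": "asmith",
     "userPrincipalName": ""},
    # Duplicate userPrincipalName assigned via code: legal in AD, not supported by NADI.
    {"domain": "sub.corp.example.com", "sAMAccountName": "bjones",
     "userPrincipalName": "John.Doe@corp.example.com"},
]


def split_upn(upn: str) -> Tuple[str, str]:
    """Split a userPrincipalName into (username, suffix) at the '@' separator.

    Rejecting values without exactly one '@' or with an empty half is this
    example's own strictness, not an Active Directory rule.
    """
    if upn.count("@") != 1:
        raise ValueError("userPrincipalName must contain exactly one '@': %r" % upn)
    username, suffix = upn.split("@")
    if not username or not suffix:
        raise ValueError("userPrincipalName has an empty username or suffix: %r" % upn)
    return username, suffix


def find_identifier_problems(users: List[Dict[str, str]]) -> List[str]:
    """Report every record that breaks the identifier rules described above.

    sAMAccountName must be unique per domain (it may repeat across domains);
    userPrincipalName must be non-empty and unique across the whole forest.
    AD compares both attributes case-insensitively, so the index keys are lowercased.
    """
    by_sam: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    by_upn: Dict[str, List[str]] = defaultdict(list)
    problems: List[str] = []

    for user in users:
        label = "%s\\%s" % (user["domain"], user["sAMAccountName"])
        by_sam[(user["domain"].lower(), user["sAMAccountName"].lower())].append(label)
        upn = user["userPrincipalName"]
        if not upn:
            problems.append("empty userPrincipalName: %s" % label)
            continue
        split_upn(upn)  # raises on a malformed value
        by_upn[upn.lower()].append(label)

    for (domain, sam), labels in by_sam.items():
        if len(labels) > 1:
            problems.append("duplicate sAMAccountName %r in domain %s" % (sam, domain))
    for upn, labels in by_upn.items():
        if len(labels) > 1:
            problems.append("duplicate userPrincipalName %r used by %s"
                            % (upn, ", ".join(labels)))
    return sorted(problems)


if __name__ == "__main__":
    print(split_upn("john.doe@corp.example.com"))
    for problem in find_identifier_problems(SAMPLE_USERS):
        print(problem)
```

Running the script lists exactly two problems for the sample forest, the empty UPN and the duplicate UPN; the repeated sAMAccountName "jdoe" is not reported because the two accounts live in different domains. Feeding the validator real records exported with PowerShell (for example the output of Get-ADUser) is a quick pre-flight check before enabling NADI.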

GUID
- A user's GUID is globally unique. Inside an Active Directory forest there will be no two users with the same GUID.
- The GUID is not structured. You cannot derive any information (like the user's parent domain) from it.
- The GUID won't change during the lifetime of the user's AD object.

Object SID
- The user's object SID is unique across the domains of the Active Directory forest.
- The user's parent domain SID can be derived from the user's SID. See https://devblogs.microsoft.com/oldnewthing/20040315-00/?p=40253 for more details.
- If a user is moved to a different domain, the object SID will change. The previous SID is added to the sIDHistory attribute.
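The SID properties just listed can be shown concretely. The Python example below is added here and is not NADI's or Microsoft's code: it decodes the binary objectSid value an LDAP query returns into its S-1-... string form, derives the parent domain SID by stripping the relative identifier (RID) from a domain account SID, and builds a lookup that also covers the sIDHistory attribute so a user moved from another domain can still be resolved by the SID it had before the move. The two user records and all SID values are constructed sample data.

```python
import struct
from typing import Any, Dict, List, Optional

# Constructed sample users (not real directory data). objectSid and sIDHistory are
# written as strings here; sid_to_bytes() produces the binary layout an LDAP query
# returns for objectSid so that sid_from_bytes() can be exercised on it.
SAMPLE_USERS: List[Dict[str, Any]] = [
    # Moved from another domain: the old SID survives in sIDHistory.
    {"sAMAccountName": "jdoe", "objectSid": "S-1-5-21-1001-2002-3003-1105",
     "sIDHistory": ["S-1-5-21-4004-5005-6006-1208"]},
    {"sAMAccountName": "asmith", "objectSid": "S-1-5-21-1001-2002-3003-1106",
     "sIDHistory": []},
]


def sid_to_bytes(sid: str) -> bytes:
    """Encode an S-R-A-X-Y-... string in the binary SID layout: revision (1 byte),
    sub-authority count (1 byte), identifier authority (6 bytes, big-endian), then
    each sub-authority as a 32-bit little-endian integer."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sid_from_bytes(raw: bytes) -> str:
    """Decode a binary objectSid value into its S-1-... string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def domain_sid(sid: str) -> Optional[str]:
    """Derive the SID of the domain that issued an account SID.

    Domain accounts have the shape S-1-5-21-<d1>-<d2>-<d3>-<RID>; the domain SID
    is everything before the RID. Well-known SIDs such as S-1-5-18 are not issued
    by a domain, so None is returned for them."""
    parts = sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        return None
    return "-".join(parts[:-1])


def build_sid_index(users: List[Dict[str, Any]]) -> Dict[str, str]:
    """Map every SID a user has ever had (objectSid plus sIDHistory) to the user,
    so a principal referenced by an old SID still resolves after a domain move."""
    index: Dict[str, str] = {}
    for user in users:
        for sid in [user["objectSid"], *user["sIDHistory"]]:
            if sid in index:
                raise ValueError("SID %s is claimed by two users" % sid)
            index[sid] = str(user["sAMAccountName"])
    return index


if __name__ == "__main__":
    raw = sid_to_bytes("S-1-5-21-1001-2002-3003-1105")
    decoded = sid_from_bytes(raw)
    print(decoded, "belongs to domain", domain_sid(decoded))
    print("old SID resolves to", build_sid_index(SAMPLE_USERS).get("S-1-5-21-4004-5005-6006-1208"))
```

Note that the domain derivation only works for account SIDs in the S-1-5-21 family; the GUID, by contrast, carries no such structure, which is why the page says the parent domain cannot be read from it.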

Distinguished Name
- The distinguished name is unique across all users of the Active Directory forest.

Relation between userPrincipalName and sAMAccountName
There is no relationship between the two identifiers. The username part of the userPrincipalName can be completely different from the sAMAccountName.
Users can log in with their userPrincipalName, sAMAccountName, distinguished name or GUID.