Users inside an Active Directory domain can be identified by the following schema properties

  • sAMAccountName
  • userPrincipalName
  • GUID
  • Object SID
  • Distinguished Name
Use the user's GUID to track the same user. The use of any of the other attributes has drawbacks as soon as the environment gets more complex.

Properties

sAMAccountName

  • Inside a domain there can be only a unique sAMAccountName. It is not possible to have multiple users with the same sAMAccountName inside a single domain.
  • The same sAMAccountName can exist in multiple domains of the same Active Directory domain forest.
  • In Active Directory Users and Computers the sAMAccountName is the User logon name (pre-Windows 2000).

userPrinicipalName

Microsoft has a detailed article about restrictions of the userPrincipalName.

  • The userPrincipalName is not a mandatory attribute and can be empty. Empty UPNs are considered as bad practice. In case of NADI, empty userPrincipalNames are not supported.
  • The Active Directory Users and Computers MMC does not allow having multiple user objects the same userPrincipalName. With code (e.g. PowerShell) you can enforce that multiple users are having the same userPrincipalName. Duplicate UPNS are considered as bad practice. NADI does not support multiple users having the same userPrincipalName.
  • The userPrincipalName consists upon the username and its suffix. Both parts are separated by an ‘@’ character.
  • There can be the same UPN username with different UPN suffixes across domains of an Active Directory domain forest.
  • For an Active Directory domain there can be multiple suffixes defined (UPN suffixes).
  • The same UPN suffix has to be unique inside an Active Directory domain forest.
  • In Active Directory Users and Computers the userPrincipalName is the User logon name. The administrator can select one of the defined UPN suffixes.

GUID

  • A user’s GUID is globally unique. Inside an Active Directory domain forest there will be no two users with the same GUID.
  • The GUID is not structured. You can not derive any information (like the user’s parent domain) of this.
  • The GUID won’t change during the lifetime of the user’s AD object.

Object SID

Distinguished Name

  • The distinguised name is unique across all user’s of the Active Directory domain forest.

Relation between userPrincipalName and sAMAccountName

There is no relationship between both identifiers. The username part of userPrincipalName can be completely different from the sAMAccountName.

Login

Users can log-in with their userPrincipalName, sAMAccountName, dinstinguished name or GUID.