UPN vs sAMAccountName

Discussion in 'Active Directory' started by Arild Bakken, May 3, 2004.

  1. Arild Bakken

    Arild Bakken Guest

    Hi,

    I work at a company where we have an Active Directory for shared hosting so
    we have many clients and all users are stored in the same active directory,
    and the same domain. The design is a superset of the shared hosting solution
    architecture that Microsoft has designed.

    One bad thing though was that we used the same value for Pre Windows 2000
    logon name as in UPN - both with the @ sign. In Windows 2003 Server the
    management tools won't let you use the @ sign in the Pre Windows 2000 logon
    name and we are in the process of renaming all users before we upgrade our
    servers. We will use this opportunity to redefine our naming standard.

    In that respect there is one thing we were wondering. What is the purpose of
    the user principal name login alternative, apart for giving the user an
    additional username to remember?

    I know of ONE smart thing with the UPN: You can use it to logon without
    having to select the correct domain in the domain dropdown box.

    Now, if that's the only good thing about it, I really don't see the point in
    using it. The user still has to know his Pre Windows 2000 logon name
    (sAMAccountName) since some applications don't support UPN; even Outlook
    2003 on Windows XP connected to Exchange doesn't - though it will be fixed
    in SP2 for Windows XP.

    I'm also a bit baffled by the names of the username options:

    User logon name (UPN)
    Pre Windows 2000 logon name (sAMAccountName)

    Why is it called Pre Windows 2000 when it is still THE username that matters
    in Windows 2000?

    1. The USERNAME environment variable is the sAMAccountName
    2. Kerberos ticketing will use the sAMAccountName, even when logging on
    with UPN
    3. It is required on user objects, even when AD is in native mode.

    Does the name indicate that it will be removed in later versions?

    Since we are going to rename all our users - I'm tempted to discard the UPN
    and not even mention to the users that it exists. If they have two
    usernames, you can bet they will use them at the wrong places and the number
    of calls to our service center will rise.


    Any thoughts on the matter are appreciated.


    Regards,

    Arild
     
    Arild Bakken, May 3, 2004
    #1
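As an added illustration of the rename exercise described in this post (example code, not something from the thread or from Microsoft): it audits a constructed set of user records for sAMAccountNames containing "@", which the Windows Server 2003 tools reject, and plans replacement names without colliding with accounts that already exist. The disallowed character set beyond "@", the 20-character limit and the "drop the suffix" rename policy are assumptions of the example.

```python
# Added example, not code from the thread: audit a constructed set of AD user
# records for the migration blocker Arild describes (sAMAccountNames that
# contain "@", rejected by the Windows Server 2003 tools) and plan renames
# that do not collide with existing accounts.

# Characters the pre-Windows 2000 logon name may not contain (assumed from the
# documented sAMAccountName rules; the thread only mentions "@") and its limit.
SAM_BAD_CHARS = set('"/\\[]:;|=,+*?<>@')
SAM_MAX_LEN = 20


def sam_problems(sam):
    """Return the reasons a proposed sAMAccountName is invalid; [] if it is fine."""
    problems = []
    bad = sorted(set(sam) & SAM_BAD_CHARS)
    if bad:
        problems.append("contains disallowed characters: " + "".join(bad))
    if len(sam) > SAM_MAX_LEN:
        problems.append(f"longer than {SAM_MAX_LEN} characters")
    return problems


def propose_sam(old):
    """Hypothetical rename policy: keep the part before '@', cut to the limit."""
    return old.split("@", 1)[0][:SAM_MAX_LEN]


def plan_renames(users):
    """Return (renames, conflicts): old -> new for accounts that must change,
    and (old, candidate) pairs whose candidate is invalid or already taken."""
    taken = {u["sAMAccountName"].lower() for u in users}
    renames, conflicts = {}, []
    for u in users:
        old = u["sAMAccountName"]
        if not sam_problems(old):
            continue  # already valid under the 2003 rules
        new = propose_sam(old)
        if sam_problems(new) or new.lower() in taken:
            conflicts.append((old, new))
        else:
            renames[old] = new
            taken.add(new.lower())  # reserve it so later candidates cannot reuse it
    return renames, conflicts


# Constructed sample directory, modelled on the thread's customer-number naming.
SAMPLE_USERS = [
    {"sAMAccountName": "123456arba@example.test", "userPrincipalName": "123456arba@example.test"},
    {"sAMAccountName": "123456jodo@example.test", "userPrincipalName": "123456jodo@example.test"},
    {"sAMAccountName": "123456jodo", "userPrincipalName": "123456jodo@example.test"},
]
```

The conflict list is the part worth reviewing by hand before any rename is applied: a candidate that is already held by another account would otherwise silently merge two customers' identities.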

  2. Robert Moir

    Robert Moir Guest

    Have you read
    http://www.microsoft.com/resources/...rprise/proddocs/en-us/DomAdmin_upn_suffix.asp

    http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/manadsteps.asp

    (urls probably wrapped to heck)

    Think of the UPN as a possible way of using shorthand for the domain name.

    For example, if you worked at my company, "Robert's Example Company Ltd."
    and your active domain account was held in the domain
    "London.UnitedKingdom.RobertsExampleCompany.com" you would soon get fed up
    logging on with the username
    , not to mention (as
    you mention it!) the support costs incurred from helpdesk support calls from
    people asking about whether there's a dot between "united" and "kingdom" or
    not in their user name!

    But we could set your UPN to be the same as your email address (nice and
    easy to remember) so you log on with the username
    which is much better for users to remember,
    less to type, and arguably better for security as it doesn't reveal your AD
    layout to someone who obtains an employee username (yes I know this last one
    is a bit lame, but security is one of those 'every little helps' kinda
    deals).


    --
    Rob Moir, Microsoft MVP for servers & security
    Website - http://www.robertmoir.co.uk
    Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html

    Kazaa - Software update services for your Viruses and Spyware.
     
    Robert Moir, May 3, 2004
    #2

  3. Arild Bakken

    Arild Bakken Guest

    Well... this is kind of my point...

    Why would I want my users to enter their complete email address, or complete
    domain name when all they need to do is select the proper domain from the
    domain box, and enter "arildb" ?

    In fact, we host multiple customers and actually use a customer number as
    part of the username, so for me it would be something like 123456arba in the
    sAMAccountName field. That would give a UPN default to
    which is a useless login name. I could imagine
    putting: [email protected] as the UPN. That would give a short and easy to
    remember username (since all our users know their customer number), and they
    wouldn't have to select the correct domain (or add the domain name prefix
    for weblogin) - that is - for applications that support it.

    However - they would still need to know the value of the sAMAccountName
    field due to applications that do not support UPN logon (like Outlook 2003
    on XP), and that's where the problems start. And that's why I don't see the
    use for UPN: it gives the user an extra username to remember, and it is
    longer than the sAMAccountName...

    And by the way, the remark about domain layout and security is far from
    lame. Security is a huge issue. We have some 300 customers in our shared AD
    with about 8000 users so we need to protect the data as much as we can.


    Arild
     
    Arild Bakken, May 3, 2004
    #3
  4. Robert Moir

    Robert Moir Guest

    You might, as we do, have a custom GINA that doesn't show domains, which is
    fine when you only have one domain that users usually log into as you just
    make this the default and the users don't know anything other than to just
    type in their username. No need for it here, I agree.

    However, you might have no end of domains that contain user accounts, and
    users that travel often and therefore need to log on with account X from
    domain Y on a machine in domain Z. The fact that this would suggest poor or
    at least overly complex domain design for AD doesn't alter the fact that it
    happens in many places ;-). At this point, it starts becoming easier to say
    to the users "Type in your email address" than it does to say "Type in your
    username and then select your domain name from this drop down list of 23
    domains". Especially if the domains are not named in a manner that makes
    sense to the users.
    I think it might play a role for managed desktops. Again, users on my
    network never see the config settings on Outlook, this is scripted and
    managed with GPOs and so-on. I don't think there is a useful point for all
    people with UPNs, it's more a case of "We've done this. If you want to use
    it, you can. If you don't, that's fine too."

    Another thing to consider is that people who have migrated from Netware are
    used to logging into a system in such a way, in different "contexts", so
    someone who has migrated may find this helpful.
     
    Robert Moir, May 3, 2004
    #4
  5. Arild Bakken

    Arild Bakken Guest

    Hi,

    Thanx for all the input. I guess the question that we are stuck with is

    Will UPN be the primary login in future versions of Windows?

    I see the point you make with non-domain computers that require a SAM
    database. But perhaps in the future ADAM will take over? I guess we'll just
    have to wait and see.

    As it stands now we will probably communicate to our users the UPN as their
    usernames. We do have apps that don't support UPNs. Very few (if any) of
    these use explicit username and password authentication, but use the
    username of the current user for authentication (well - rather mapping). So
    for the regular user it will be sufficient to know the UPN as long as our
    technicians have registered the SAM in the applications' userlist.


    Thanx again,

    Arild
     
    Arild Bakken, May 4, 2004
    #5
  6. Marc Scheuner

    > Thanx for all the input. I guess the question that we are stuck with is

    I highly doubt it - it's *not* a mandatory property!

    Marc
    ================================================================
    Marc Scheuner May The Source Be With You!
    Bern, Switzerland m.scheuner(at)inova.ch
     
    Marc Scheuner, May 4, 2004
    #6