
I'm new to my current employer, being their only Sysadmin. I'm seeing a small handful of users who have User Logon Names which don't conform to the naming convention standard which majority of users are set to. This would be first name and first initial of last name. Some users have first name underscore last name. Needless to say, I'd like to make them conform to the standard.

Before making the change in Active Directory to adhere to the new standard, is there anything I need to be aware of that will help me as I make the change? Is there a good way and a bad way of making this change?

Looking for advice on the best practices when changing a User Logon Name.

Thank you in advance!

Dustin Dauncey
    I think first initial, last name is a much better convention if your company is planning on having more than 100 employees. –  Jul 11 '13 at 18:31
  • 1
    @GreggLeventhal - I think that should just be the law, personally. – Evan Anderson Jul 11 '13 at 22:08
  • 2
    @EvanAnderson, why?!? My org started with only 20 people in its Active Directory... which became 50... then 100... now well over 1500. I have more than 100 duplicates using pattern , and am fighting a constant battle with those duplicates (now with slight variation) getting mail for each other. I will never, ever, encourage any convention that doesn't include a non-name identifier (i.e., 'as2440' will always be unique, whereas 'astemen' introduces a lot of need for duplicate resolution). – aNullValue Jul 13 '13 at 03:58
  • 1
    @Stemen - I find first initial, last name to be better than first name, last initial for allowing more users before collisions occur. Both will suffer from lots of collisions in large user bases-- I agree. I incorporate numeric elements, typically, for larger user bases. It's really painful when companies grow, as you're describing, because rarely does one *start* with a convention that includes numeric identifiers. (Some early employee gets the "JSmith@..." address.) – Evan Anderson Jul 13 '13 at 04:21
  • 1
    @EvanAnderson - oh, yes. is definitely better than . Agree whole-heartedly. My original comment was in response to your indication that should be the law -- I see that as short-sighted, since companies generally exist with the intent to grow. :) – aNullValue Jul 13 '13 at 21:27

4 Answers


A few things will need to be considered:

1) The users will have to log in with the new name and should be informed.

2) If they use Exchange, their email addresses will also change (I believe).

3) If they don't use Exchange but another email system, the authentication could potentially be mismatched and mapped incorrectly. This highly depends on your environment.

4) Again, environment-specific, but you also have to be mindful of any third-party apps that authenticate against AD. Some will behave fine; others will not.

The best way is to test with a single account and see what breaks. To me, it's not worth the hassle if it's not breaking anything.

Edit: Also, this could potentially break redirects if in-use and roaming profiles.

Nathan C
  • Thanks for the response. :-) We use Exchange hosted internally. I don't believe their email address would change though as we do have an Email Address Policy in place which puts together their first name dot last name so should be fine as I won't be touching their First & Last Names in the AD. But in another environment that might change for sure, so thank you for mentioning it. Point #4 is a good one, as we do have a SAN and other devices which use our Active Directory for authentication. I'll have to check into this for sure to see if it will be a hindrance. Thanks again! :-) – Dustin Dauncey Jul 11 '13 at 17:27
  • I agree with the "If it ain't broke, don't fix it" philosophy herein. – NRGdallas Jul 11 '13 at 20:41
  • @NRGdallas It's generally a good philosophy. There are exceptions like everything else. Such as companies still embracing Windows 2000 because it works. :) – Nathan C Jul 12 '13 at 00:19
  • @NathanC by the very nature of your argument, the only reason it is an exception is because being so dated it is less compatible, slower, or has other shortcomings; therefore, it does not work. – NRGdallas Jul 12 '13 at 21:46

If their homeshare (or anything else in their profile) uses the username variable (like H: was mapped to `\\server\homeshare\$username`), the directory will have to be renamed to match as well.

mfinni
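Added example, not from any of the answers above: a PowerShell function that does what Nathan C and mfinni recommend for one pilot account, namely checks the new name for collisions, records what depended on the old name, renames the logon name and UPN, and moves a home folder keyed on the logon name. It assumes the RSAT ActiveDirectory module; the server, share, user names and function name are placeholders.

```powershell
# Added example, not code from the answers above. Assumes the ActiveDirectory module
# and home folders laid out as \\<server>\<share>\<logon name>; names are placeholders.
Import-Module ActiveDirectory

function Rename-AdLogonName {
    param(
        [Parameter(Mandatory)] [string]$OldSam,
        [Parameter(Mandatory)] [string]$NewSam,
        [string]$HomeRoot = '\\server\homeshare',   # placeholder share root
        [switch]$WhatIf
    )

    $user = Get-ADUser -Identity $OldSam -Properties homeDirectory, proxyAddresses, userPrincipalName
    $upnSuffix = ($user.UserPrincipalName -split '@')[1]

    # 1) Collision check: the new name must not already be a logon name or UPN.
    $clash = Get-ADUser -Filter "sAMAccountName -eq '$NewSam' -or userPrincipalName -eq '$NewSam@$upnSuffix'"
    if ($clash) {
        throw "'$NewSam' is already in use; resolve the duplicate before renaming."
    }

    # 2) Record what depends on the old name so it can be re-checked afterwards.
    #    The SID is what permissions and group membership bind to; it does not change.
    [pscustomobject]@{
        SID     = $user.SID.Value
        OldUPN  = $user.UserPrincipalName
        HomeDir = $user.HomeDirectory
        Proxies = ($user.proxyAddresses -join ';')
    } | Format-List

    # 3) Rename the logon name and the UPN together so they stay consistent.
    Set-ADUser -Identity $user -SamAccountName $NewSam `
               -UserPrincipalName "$NewSam@$upnSuffix" -WhatIf:$WhatIf

    # 4) If the home folder is named after the old logon name, rename it and
    #    point the homeDirectory attribute at the new path.
    if ($user.HomeDirectory -and ($user.HomeDirectory -ieq "$HomeRoot\$OldSam")) {
        Rename-Item -Path $user.HomeDirectory -NewName $NewSam -WhatIf:$WhatIf
        Set-ADUser -Identity $user -HomeDirectory "$HomeRoot\$NewSam" -WhatIf:$WhatIf
    }
}

# Dry run against a single pilot account first, as the answers recommend;
# drop -WhatIf once the output looks right, then check mail flow and third-party apps.
Rename-AdLogonName -OldSam 'john_smith' -NewSam 'johns' -WhatIf
```

Run it under an account with rights on both the OU and the file share; the printed record gives you the SID and old UPN to search for in application and SSO configurations after the rename.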

Agree with above.

Changing a logon name doesn't change the behind-the-scenes identity - the account SID (Security ID). So, things like group membership, NTFS permissions, etc., work fine.

This leaves non-technical things, such as consistency between systems, etc.

For example, Microsoft Exchange references the "common name" (CN) of a user - this being the "name" that we're talking about above. However, it also maintains an "alias" - this is the bit before the @ of their default e-mail address. Finally, Exchange also has a "Display Name" field. All of this is held in AD.

So, changing the name of a mailbox user effectively changes their default SMTP address. You can add additional SMTP addresses to maintain backward compatibility with their old name. However, what if you need to re-use the old name for a new account? Again, this comes down to naming standards.

Finally, as mentioned above, home directories will [typically] use the name (common name) of a user, so may need un-sharing, renaming and re-sharing. Permissions will be fine, as mentioned above.

Finally, do you use any single sign-on (SSO) between, say, AD and Linux, that requires an account-name match?

Simon Catlin
  • Home Directories and Roaming Profiles are created based on the SAMID (AKA Pre-Windows 2000 logon name) of the user account at the time of creation. If you change the SAMID then you can possibly confuse sysadmins in the future who wonder why Bob's home directory is C:\Users\Kate. – Greenstone Walker Jul 11 '13 at 23:18

Changing a user's logon name should not have any impact. It will not change permissions or group membership (because the user's SID remains unchanged).

But some applications can depend on the user's former name, so check one account before making the change to users in bulk.

cuonglm
  • Excellent, glad to hear that. I was worried about permissions in particular for things, so if that still sticks to all the shared folders they have access to then that's perfect. :-) – Dustin Dauncey Jul 11 '13 at 17:28