Description
In an Active Directory based environment, everyone comes across the AD attribute names samAccountName and userPrincipalName (UPN). In this article, I am going to explain the difference between samAccountName and userPrincipalName (UPN).
The samAccountName is the User Logon Name from the pre-Windows 2000 era (this does not mean samAccountName is no longer used as a Logon Name on modern Windows systems). The userPrincipalName is the newer form of User Logon Name, introduced with Windows 2000 and used in later versions. The user name part can differ for the same user, for example DomainName\testUser versus [email protected].
Before the detailed explanation, here is a summary of userPrincipalName and samAccountName.
SamAccountName
– The samAccountName attribute is the user logon name used to support clients and servers from a previous version of Windows (pre-Windows 2000).
– The user logon name format is: DomainName\testUser.
– The samAccountName must be unique among all security principal objects within the domain.
– The samAccountName should be less than 20 characters.
– Query the domain for the new name to verify that the samAccountName is unique in the domain.
– The USERNAME environment variable holds the samAccountName even when logging on with the UPN.
UserPrincipalName – (UPN)
– The UPN is an Internet-style login name for the user, based on the Internet standard RFC 822.
– The user logon name format is: [email protected].
– The UPN must be unique among all security principal objects within the directory forest.
– The advantage of using a UPN is that it can be the same as the user's email address, so the user needs to remember only a single name.
– The UPN is optional; it may or may not be assigned when the user account is created.
– The userPrincipalName is unaffected by changes to other attributes of the user object (for example, if the user is renamed or moved) and by changes to the domains in the tree (for example, if a parent domain is renamed or a domain is moved). Thus a user can keep the same login name even if the directory is radically restructured.
Working with samAccountName and userPrincipalName
Let's take the following test user, whose samAccountName is Test2 and userPrincipalName is [email protected].
Now we can use the RunAs command to validate these two user logon names. To use the RunAs command, you need to run the command prompt with elevated privileges (Run As Administrator), and the test user should be a member of the Domain Admins group.
Use the command below to validate the samAccountName logon name:
C:> RunAs /user:work2008\Test2 cmd
Use the command below to validate the userPrincipalName logon name:
C:> RunAs /user:[email protected] cmd
USERNAME environment variable is the sAMAccountName even when logging on with UPN:
We have stated that the USERNAME environment variable is the sAMAccountName even when logging on with the UPN. To check this, run the command below in the new cmd window opened by the RunAs command with the userPrincipalName:
C:\Windows\system32> Set UserName
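To tie the summary above and the RunAs check together, here is an added Python example (not code from the post): a constructed two-domain forest in which a logon name in either format is resolved to its account, the samAccountName uniqueness and length rules are checked, and the value %USERNAME% would hold after a UPN logon is returned. The domain names, accounts and the work2008.local UPN suffix are assumptions.

```python
# Added example, not the post's code: a constructed forest (sample data, assumed UPN suffix).
import re
from dataclasses import dataclass
@dataclass(frozen=True)
class Account:
    domain: str            # NetBIOS (pre-Windows 2000) domain name
    sam_account_name: str  # samAccountName: unique within the domain, < 20 chars
    upn: "str | None"      # userPrincipalName: optional, unique within the forest
FOREST = [
    Account("WORK2008", "Test2", "test2@work2008.local"),
    Account("WORK2008", "jsmith", "john.smith@work2008.local"),
    Account("CHILD", "jsmith", None),  # same samAccountName in another domain is fine
]
DOWNLEVEL = re.compile(r"^(?P<domain>[^\\@]+)\\(?P<user>[^\\@]+)$")  # DOMAIN\user
UPN_FORM = re.compile(r"^[^\\@]+@[^\\@]+$")                          # user@suffix
def classify_logon(name: str) -> str:
    # Which attribute a logon name refers to, judged from its format alone.
    if DOWNLEVEL.match(name):
        return "samAccountName"
    if UPN_FORM.match(name):
        return "userPrincipalName"
    raise ValueError(f"unrecognised logon name format: {name!r}")

def resolve(name: str, forest=FOREST) -> Account:
    """Look up either logon form; AD compares these names case-insensitively."""
    if classify_logon(name) == "samAccountName":
        m = DOWNLEVEL.match(name)
        hits = [a for a in forest if a.domain.lower() == m["domain"].lower()
                and a.sam_account_name.lower() == m["user"].lower()]
    else:
        hits = [a for a in forest if a.upn and a.upn.lower() == name.lower()]
    if len(hits) != 1:
        raise LookupError(f"{name!r} matched {len(hits)} accounts")
    return hits[0]

def username_env_for(name: str) -> str:
    """Value of %USERNAME% after logging on as `name`: always the samAccountName."""
    return resolve(name).sam_account_name

def check_new_account(acct: Account, forest=FOREST) -> "list[str]":
    """The constraints from the summary above, checked before creating an account."""
    problems = []
    if len(acct.sam_account_name) >= 20:
        problems.append("samAccountName must be less than 20 characters")
    if any(a.domain.lower() == acct.domain.lower() and
           a.sam_account_name.lower() == acct.sam_account_name.lower() for a in forest):
        problems.append("samAccountName already used in this domain")
    if acct.upn and any(a.upn and a.upn.lower() == acct.upn.lower() for a in forest):
        problems.append("userPrincipalName already used in this forest")
    return problems
```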
Thanks,
Morgan
Software Developer
Good post, thanks.
Is there an environment variable for the UPN?
No Julien, as far as I know, there is no built-in environment variable for the UPN.
What a horrible mess.
I only started looking at this after weird authentication issues using an AD service account in UNIX.
The "clever" person who created it used a . (dot) in the middle of the name for the UPN but a , (comma) for the sAMAccountName.
Maybe there was a good reason in the distant past for backwards compatibility and NT4 –> 2000 migrations to let them differ. But surely Microsoft could enforce them to be the same nowadays?
it's quite the opposite..
windows is bending / breaking kerberos rules, while it's linux and Kerberos which is still stuck in the past.
As you stated @anonymous you ran into trouble with a Linux / unix acct. Kerberos requires the older sAMAccountName while newer windows products are able to use a UPN or name@domain type account
I love it whenever people come together and share ideas. Great website, stick with it!
Do you mind if I quote a couple of your posts as long as I provide credit and sources back to your blog?
My blog is in the very same niche as yours and my visitors would certainly benefit from a lot of the information you present here.
Please let me know if this is ok with you. Regards!
Yes, it is acceptable as long as you are not copying a lot of content from my post.
Thanks for sharing.
Hello, I read your blog daily. Your writing style is awesome,
keep it up!
I am having an issue with the following LDAP Context DN settings. I wanted to use the UPN for my authentication. Any suggestions?
SECURITY_PRINCIPAL=userPrincipalName={userinput}
SEARCH_FILTER=userPrincipalName={userinput}
SEARCH_BASE=dc=test,dc=com
SECURITY_GROUP=Sales
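As an added example (not the commenter's configuration or code), here is how the SEARCH_FILTER above could be assembled in Python so that the value substituted for {userinput} is escaped per RFC 4515 and has to be in user@suffix form before it reaches the directory. The function names and the sample inputs are mine; SECURITY_GROUP is not used here.

```python
# Added example, not the commenter's code: build userPrincipalName={userinput} safely.
import re

UPN_FORM = re.compile(r"^[^\\@\s]+@[^\\@\s]+$")  # user@suffix, no whitespace

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3)."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            # Filter metacharacters become \XX hex escapes, e.g. '*' -> '\2a'.
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)

def build_upn_filter(userinput: str) -> str:
    """SEARCH_FILTER=userPrincipalName={userinput} with the value validated and escaped."""
    value = userinput.strip()
    if not UPN_FORM.match(value):
        raise ValueError("logon name must be in userPrincipalName (user@suffix) form")
    return f"(userPrincipalName={escape_filter_value(value)})"
```

An input that carries filter metacharacters still produces a single equality assertion on userPrincipalName rather than extra filter terms.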
Nice explanation.
Thanks for the information, I am bookmarking it for future updates.
Under SamAccountName, shouldn’t:
The user logon name format is : DomainNametestUser.
be
The user logon name format is : DomainName\testUser.
Also there seems to be the same discrepancy between the command to validate samAccountName login:
C:> RunAs /user:work2008Test2 cmd
and what’s shown in the screenshot of the command window:
C:> RunAs /user:work2008\Test2 cmd
Thank you. Updated now.
“The samAccountName should be less than 20 characters” should be
“The samAccountName should be less than or equal to 20 characters” ?
SAM-Account-Name attribute – Win32 apps | Microsoft Learn
https://learn.microsoft.com/en-us/windows/win32/adschema/a-samaccountname