SamAccountName and UserPrincipalName attributes

User accounts in Active Directory have various attributes, among which there are two interesting attributes: samAccountName and UserPrincipalName (usually it is called UPN), the differences between which are not understood by many Windows administrators. In this article, we will take a look at the difference between the samAccountName and UserPrincipalName AD attributes.

The userPrincipalName and sAMAccountName attributes can be used to log a user into computers in the AD domain.

The samAccountName attribute was used in the pre-Windows 2000 environment and defined the user name to authorize on domain servers and workstations. However, in Windows 2000, the new attribute UserPrincipalName has appeared, which can also be used to log in to the AD workstations. So you can now authorize on a computer in the AD domain using both samAccountName or UserPrincipalName.

The samAccountName Attribute

The samAccountName attribute has the following format <YOUR_NETBIOS_DOMAIN_NAME>\<USER_name>. For example, my domain uses the NetBIOS domain name THEITBROS. Thus, the b.jackson username in the samAccountName format should look like this: THEITBROS\b.jackson.

Particulars of the samAccountName attribute:

  • The size of the samAccountName value for a user should not exceed 20 characters due to backward compatibility (for a computer object, the maximum size of samAccountName is 16 characters). If the account name exceeds 20 characters, the user login name in the samAccountName attribute will be truncated;
  • The value of samAccountName must be unique for all domain objects;
  • The environment variable on a Windows computer %USERNAME% contains the samAccountName attribute value, not UserPrincipalName, even if you logged on to the computer using the UPN. The value of SamAccountName on the user’s computer can be obtained using the USERNAME environment variable. It can be displayed using the set command in cmd or using gci env: in PowerShell.

The UserPrincipalName Attribute

The format of the UserPrincipalName attribute differs from samAccountName. For example, for our AD environment described above, the value of the attribute of the user b.jackson for our domain would look like

Features of the UserPrincipalName attribute:

  • The value of the UserPrincipalName attribute can correspond to the user’s e-mail (and this is extremely convenient during migrations, profile settings, etc.);
  • The value of the samAccountName attribute must be unique in the entire domain forest;
  • Identifier format conforms to RFC 822 standard;
  • The maximum size of the UPN value is not limited to 20 characters (up to 256 characters can be used);
  • The UserPrincipalName attribute, unlike samAccountName, is optional, but it is recommended to fill it.

When creating a new user in AD, you specify the value of the UserPrincipalName attribute in the “User logon name” and the value samAccountName in the “User logon name (pre-Windows 2000)” field.


You can change the values of this field in the future using the ADUC console in the user properties in the Account tab.


You may also like:

AD Account Keeps Locking Out Sometimes there are situations when AD account keeps locking out, this happen when you try to log on to a domain computer and getting an error on the ...
Installing Active Directory Users and Computers MM... One of the main Active Directory domain management tools is the MMC snap-in Active Directory Users and Computers (ADUC). The ADUC snap-in is used to p...
How to transfer FSMO Roles From a Failed Domain Co... In case domain controller, which owns FSMO (Flexible Single Master Operation) roles, is fail (virus attack, fatal software problems or catastrophic ha...
Store BitLocker Recovery Keys using Active Directo... In a domain network, you can store the BitLocker recovery keys for encrypted drives in the Active Directory Domain Services (AD DS). This is one of th...
Change Default OU permissions in Active Directory By default, each newly created organizational unit (OU) in the access list includes read permission for the group Authenticated Users (built-in group)...
  1. Posted by Van Hallman

Add Your Comment