User accounts in Active Directory have various attributes, among which there are two interesting attributes: samAccountName and UserPrincipalName (usually it is called UPN), the differences between which are not understood by many Windows administrators. In this article, we will take a look at the difference between the samAccountName and UserPrincipalName AD attributes.
The userPrincipalName and sAMAccountName attributes can be used to log a user into computers in the AD domain.
The samAccountName attribute was used in the pre-Windows 2000 environment and defined the user name to authorize on domain servers and workstations. However, in Windows 2000, the new attribute UserPrincipalName has appeared, which can also be used to log in to the AD workstations. So you can now authorize on a computer in the AD domain using both samAccountName or UserPrincipalName.
The samAccountName Attribute
The samAccountName attribute has the following format <YOUR_NETBIOS_DOMAIN_NAME>\<USER_name>. For example, my theitbros.com domain uses the NetBIOS domain name THEITBROS. Thus, the b.jackson username in the samAccountName format should look like this: THEITBROS\b.jackson.
Particulars of the samAccountName attribute:
- The size of the samAccountName value for a user should not exceed 20 characters due to backward compatibility (for a computer object, the maximum size of samAccountName is 16 characters). If the account name exceeds 20 characters, the user login name in the samAccountName attribute will be truncated;
- The value of samAccountName must be unique for all domain objects;
- The environment variable on a Windows computer %USERNAME% contains the samAccountName attribute value, not UserPrincipalName, even if you logged on to the computer using the UPN. The value of SamAccountName on the user’s computer can be obtained using the USERNAME environment variable. It can be displayed using the set command in cmd or using gci env: in PowerShell.
The UserPrincipalName Attribute
The format of the UserPrincipalName attribute differs from samAccountName. For example, for our AD environment described above, the value of the attribute of the user b.jackson for our domain would look like email@example.com.
Features of the UserPrincipalName attribute:
- The value of the UserPrincipalName attribute can correspond to the user’s e-mail (and this is extremely convenient during migrations, profile settings, etc.);
- The value of the samAccountName attribute must be unique in the entire domain forest;
- Identifier format conforms to RFC 822 standard;
- The maximum size of the UPN value is not limited to 20 characters (up to 256 characters can be used);
- The UserPrincipalName attribute, unlike samAccountName, is optional, but it is recommended to fill it.
When creating a new user in AD, you specify the value of the UserPrincipalName attribute in the “User logon name” and the value samAccountName in the “User logon name (pre-Windows 2000)” field.
You can change the values of this field in the future using the ADUC console in the user properties in the Account tab.