Any difference between DOMAIN\username and [email protected]?

I'm trying to troubleshoot an obscure authentication error and need some background information.

  • Is there any difference between how Windows (and programs like Outlook) process DOMAIN\username and [email protected]?

  • What are the proper terms for these two username formats?

  • Edit: In particular, are there any differences in how Windows authenticates the two username formats?


Assuming you have an Active Directory environment:

I believe the backslash format DOMAIN\USERNAME will search domain DOMAIN for a user object whose SAM Account Name is USERNAME.

The UPN format username@domain will search the forest for a user object whose User Principle Name is username@domain.

Now, normally a user account with a SAM Account Name of USERNAME has a UPN of USERNAME@DOMAIN, so either format should locate the same account, at least provided the AD is fully functional. If there are replication issues or you can't reach a global catalog, the backslash format might work in cases where the UPN format will fail. There may also be (abnormal) conditions under which the reverse applies - perhaps if no domain controllers can be reached for the target domain, for example.

However: you can also explicitly configure a user account to have a UPN whose username component is different from the SAM Account Name and whose domain component is different from the name of the domain.

The Account tab in Active Directory Users and Computers shows the UPN under the heading "User logon name" and the SAM Account Name under the heading "User logon name (pre-Windows 2000)". So if you are having trouble with particular users I would check that there aren't any discrepancies between these two values.

Note: it is possible that additional searches are done if the search I describe above doesn't find the user account. For example, perhaps the specified username is converted into the other format (in the obvious way) to see if that produces a match. There must also be some procedure for finding accounts in trusted domains that are not in the forest. I don't know where/whether the exact behaviour is documented.

Just to further complicate troubleshooting, Windows clients will by default cache information about successful interactive logons, so that you may be able to log into the same client even if your user account information in the Active Directory is inaccessible.


I may get corrected on this, but there's not really much of a difference.

Domain\User is the "old" logon format, called down-level logon name. Also known by the names SAMAccountName and pre-Windows 2000 logon name.

[email protected] is a UPN - User Principal Name. It's the "preferred", newer logon format. It's an Internet-style login name, that should map to the user email name. (Ref. at MSDN)

The reasons for logging in with UPNs I think are mostly cosmetic - they hypothetically give your users in your company a single name with which to log on to their workstations which can also act as their corporate email address.

edit: More elaboration - another advantage of UPNs is that you can setup more than one valid UPN for your users to logon with. Again, largely cosmetic. But the important thing is that not all applications are compatible with UPNs, and that might be what you're experiencing.

edit #2: I like Harry Johnston's answer below about the two slightly different search formats performed. It makes sense, and most importantly it might actually explain your problem. :)


The slashed format (DOMAIN\username) is actually the NetBIOS equivalent of the domain's DNS name (domain.mycompany.local).
The NetBIOS name is limited to 15 characters and cannot contain dots, underscores etc.

This page explains in more detail:

  • Jeff Schertz, 2012-08-20, Understanding Active Directory Naming Formats

As mentioned by @harry-johnston above, its really just the old NT4 and Windows 2000 compatible format but it seems to have stuck as a favorite format (its less to type!). Eventually, support for the legacy format may go from Windows.

It's probably a good idea to get users into the habit of using the UPN format as it also avoids issues where they are having problems to log in to a PC with their username and don't realise that the Windows login box has defaulted to the local PC domain (eg. pc01\fred) or when they connect to different remote desktop hosts and have to remember to include the domain as well as their username because the Remote Desktop Client may cache another previously used domain name. Sticking to the UPN format every time just makes for less support calls in the end.