What do I need to be cautious of when changing a User Logon Name in Active Directory?

I'm new to my current employer, being their only Sysadmin. I'm seeing a small handful of users who have User Logon Names which don't conform to the naming convention standard which the majority of users are set to. This would be first name and first initial of last name. Some users have first name underscore last name. Needless to say, I'd like to make them conform to the standard.

Before making the change in Active Directory to adhere to the new standard, is there anything I need to be aware of that will help me as I make the change? Is there a good way and a bad way of making this change?

Looking for advice on the best practices when changing a User Logon Name.

Thank you in advance!


A few things will need to be considered:

1) The users will have to log in with the new name and should be informed.

2) If they use Exchange, their email addresses will also change (I believe).

3) If they don't use Exchange but another email system, the authentication could potentially be mismatched and mapped incorrectly. This highly depends on your environment.

4) Again, environment-specific, but you also have to be mindful of any third-party apps that authenticate against AD. Some will behave fine; others will not.

The best way is to test with a single account and see what breaks. To me, it's not worth the hassle if it's not breaking anything.

Edit: Also, this could potentially break redirects, if in use, and roaming profiles.


If their homeshare (or anything else in their profile) uses the username variable (like H: was mapped to `\\server\homeshare\$username`), the directory will have to be renamed to match as well.


Agree with above.

Changing a logon name doesn't change the behind-the-scenes identity - the account SID (Security ID). So, things like group membership, NTFS permissions, etc., work fine.

This leaves non-technical things, such as consistency between systems, etc.

For example, Microsoft Exchange references the "common name" (CN) of a user - this being the "name" that we're talking about above. However, it also maintains an "alias" - this is the bit before the @ of their default e-mail address. Finally, Exchange also has a "Display Name" field. All of this is held in AD.

So, changing the name of a mailbox user effectively changes their default SMTP address. You can add additional SMTP addresses to maintain backward compatibility with their old name. However, what if you need to re-use the old name for a new account? Again, this comes down to naming standards.

Finally, as mentioned above, home directories will [typically] use the name (common name) of a user, so may need un-sharing, renaming and re-sharing. Permissions will be fine, as mentioned above.

Finally, do you use any single sign-on (SSO) between, say, AD and Linux, that requires an account-name match?
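The "test with a single account and see what breaks" approach from the answers above, as an added example that is not part of this thread: one function audits which attributes of the account embed the old logon name (home directory, profile path, SMTP addresses) and records the SID so you can confirm it is unchanged afterwards; the other performs the rename and keeps the old address as a secondary SMTP. It assumes the RSAT ActiveDirectory module; the UPN suffix is a placeholder.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-LogonNameDependencies {
    param([Parameter(Mandatory)][string]$OldSam)
    $props = 'SID','UserPrincipalName','HomeDirectory','ProfilePath','mail','proxyAddresses','DisplayName'
    $u = Get-ADUser -Identity $OldSam -Properties $props
    # Any attribute that embeds the old logon name is a candidate for breakage after the rename.
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        SID            = $u.SID.Value        # not changed by the rename; ACLs and groups follow the SID
        UPN            = $u.UserPrincipalName
        HomeDirectory  = $u.HomeDirectory    # e.g. \\server\homeshare\<oldname>: folder must be renamed too
        ProfilePath    = $u.ProfilePath      # roaming profile path has the same problem
        PrimarySmtp    = @($u.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' })
        SecondarySmtp  = @($u.proxyAddresses | Where-Object { $_ -clike 'smtp:*' })
        UsesOldNameIn  = @($props | Where-Object { "$($u.$_)" -like "*$OldSam*" })
    }
}

function Rename-LogonName {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$OldSam,
        [Parameter(Mandatory)][string]$NewSam,
        [string]$UpnSuffix = 'example.local'   # placeholder: use your domain's UPN suffix
    )
    $u = Get-ADUser -Identity $OldSam -Properties mail, proxyAddresses
    # Refuse to rename onto a logon name that already exists (the "re-use the old name" concern above).
    if (Get-ADUser -Filter "SamAccountName -eq '$NewSam'") { throw "$NewSam already exists" }
    if ($PSCmdlet.ShouldProcess($OldSam, "rename logon name to $NewSam")) {
        # CN and DisplayName are left alone; use Rename-ADObject if your standard also changes the CN.
        Set-ADUser -Identity $u -SamAccountName $NewSam -UserPrincipalName "$NewSam@$UpnSuffix"
        # Keep the old address deliverable as a secondary (lower-case smtp:) proxy address.
        # On Exchange with an address policy in force, do this with Set-Mailbox instead.
        if ($u.mail -and ($u.proxyAddresses -notcontains "smtp:$($u.mail)")) {
            Set-ADUser -Identity $u -Add @{ proxyAddresses = "smtp:$($u.mail)" }
        }
    }
}

# Typical flow on the single test account: audit, dry-run, then the real change.
Get-LogonNameDependencies -OldSam 'john_smith'
Rename-LogonName -OldSam 'john_smith' -NewSam 'johns' -WhatIf
```

Run the audit again after the real rename: the SID should be identical, and anything still listed under UsesOldNameIn (home share, profile path) has to be renamed on the file server and updated on the account.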