Windows Active Directory - special characters in username
I have an AD user without special characters (Š = S with caron), for example myspecialuser. Why can I log in to Windows using special characters in the username, myšpecialuser for example, even when it does not exist? How can I disable this behaviour?
Solution 1:
Microsoft did this on purpose. See this article: Microsoft diacritic mark
I also found this, which answers your question directly: no, you can't disable the behaviour.
Recently someone asked:
Can anyone point me to the document with a list of allowed characters for AD usernames (W2K and W2K3)? I am also looking for a document which describes the behavior where some characters are replaced during the logon process. Example: If my username is ddomjanovic I am also able to log in with username ddomjanović. So it looks like ć (codepage 1250, E6 = U+0107 : LATIN SMALL LETTER C WITH ACUTE) is replaced with c (63 = U+0063 : LATIN SMALL LETTER C) during the logon process.
Can this behavior be disabled?
I sort of answered that question in this post, but in a roundabout way. The short answer is No, there is no way to disable that behavior. The reason is that Active Directory passes the following flags:
NORM_IGNORECASE | NORM_IGNORENONSPACE | NORM_IGNOREWIDTH | NORM_IGNOREKANA
which means that there are many distinctions like this that are folded together.
Now as that other post stated, local accounts do not work through AD, so they take a more literal stand on things. You know, that whole "UpCase and Binary" thing that not only considers c (U+0063) and ć (U+0107) to be different letters, but which also considers ć (U+0107) and ć (U+0063 U+0301) to be different ones, too. Since the latter pair looks alike, it is obviously a solution that to a lot of people will be worse than the original problem!
Taken from: Sorting it all out
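An added example, not part of the answer above or of Microsoft's code: a Python approximation of the folding those four flags imply, for checking a list of account names for spellings that AD would treat as the same logon name, or for normalizing names in logon records before matching. Unicode NFKD plus mark stripping stands in for the Windows comparison tables (an assumption, so results can differ for some characters); the function names and sample names are constructed.

```python
import unicodedata
from collections import defaultdict

KANA_SHIFT = 0x60  # hiragana U+3041..U+3096 -> katakana U+30A1..U+30F6

def ad_fold_key(name):
    """Approximate key for NORM_IGNORECASE | NORM_IGNORENONSPACE |
    NORM_IGNOREWIDTH | NORM_IGNOREKANA (assumption: not the Windows tables)."""
    out = []
    # NFKD folds full-width/half-width forms (IGNOREWIDTH) and splits
    # precomposed letters such as U+0107 into base letter + combining mark.
    for ch in unicodedata.normalize("NFKD", name):
        if unicodedata.category(ch) == "Mn":    # IGNORENONSPACE: drop marks
            continue
        if 0x3041 <= ord(ch) <= 0x3096:         # IGNOREKANA: hiragana -> katakana
            ch = chr(ord(ch) + KANA_SHIFT)
        out.append(ch)
    return "".join(out).lower()                 # IGNORECASE

def local_key(name):
    """'UpCase and Binary' as described for local accounts: uppercase, then
    compare code points exactly, with no Unicode normalization."""
    return name.upper()

def find_collisions(names):
    """Group distinct spellings that share one folded key."""
    groups = defaultdict(set)
    for n in names:
        groups[ad_fold_key(n)].add(n)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

# Constructed sample: names as they might appear in logon records.
SAMPLE = ["ddomjanovic", "ddomjanović", "DDomjanovic", "myšpecialuser",
          "myspecialuser", "jsmith"]

if __name__ == "__main__":
    for key, spellings in find_collisions(SAMPLE).items():
        print(key, "<-", spellings)
    # Precomposed vs. decomposed ć: same under folding, different locally.
    a, b = "\u0107", "c\u0301"
    print(ad_fold_key(a) == ad_fold_key(b), local_key(a) == local_key(b))
```

Keying log correlation or account-provisioning checks on `ad_fold_key` rather than the raw string keeps a logon typed as ddomjanović attached to the ddomjanovic account.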
Solution 2:
I'm not sure you can. I have seen the same, but going the other way. The account was using a "special" character in its username, but the user could log in using the "normalized" form of the user name.
One other strange thing we saw was that on a disconnected computer (using cached credentials), the user name must be typed correctly, e.g. "normalization" only works when connected to the domain.
Sorry for not having a solution for you.