Rules for Active directory user name string

Solution 1:

Here are the documents you're looking for:

User and Group Accounts
Computers, Domains, Sites, and OUs

Basically, user names can contain a single quote character, but computer names cannot.

These documents are very old, but if that's the way it was in Win2000, you can bet current versions retain the limitations for backward compatibility.

Solution 2:

RFC 2253

The names of security principal objects can contain all Unicode characters except the special LDAP characters defined in RFC 2253. This list of special characters includes: a leading space; a trailing space; and any of the following characters: # , + " \ < > ;

Microsoft

Logon names can't contain certain characters. Invalid characters are

" / \ [ ] : ; | = , + * ? < >

Logon names can contain all other special characters, including spaces, periods, dashes, and underscores. But it's generally not a good idea to use spaces in account names.

Microsoft on sAMAccountName

  • All printable characters are allowed in sAMAccountName values except the following: " [ ] : ; | = + * ? < > / \ ,
  • The period character, ".", is allowed, but it cannot be the final character in the sAMAccountName.
  • Non-printable characters are not allowed. This includes all characters with ASCII codes less than 32 decimal (20 hex). Also, the Delete control character, with ASCII code 127 decimal (7F hex), is not allowed.
  • Active Directory Users and Computers (ADUC) will not allow you to assign a value to the sAMAccountName attribute that includes the "@" character. However, you can do this in code. For example, the Set-ADUser cmdlet allows you to assign a sAMAccountName with this character. But you cannot log on to a domain using a sAMAccountName that includes the "@" character. If a user has a sAMAccountName with this character, they must log on using their userPrincipalName (UPN). See the note below.
  • The schema allows 256 characters in sAMAccountName values. However, the system limits sAMAccountName to 20 characters for user objects and 16 characters for computer objects.
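As an added example (not code from either answer, nor Microsoft's), the Python below encodes the sAMAccountName rules quoted in Solution 2 as a checker that returns every violation it finds, and adds a small escaper for the RFC 2253 special characters named in the first quote. The function names, the `kind` parameter and the sample values are my own; the "@" rule is reported as a warning-style violation because the quote says the value is storable but unusable for logon.

```python
# Added example: validate a candidate sAMAccountName against the rules quoted
# in the answer above, and escape RFC 2253 special characters for use in a DN.
# Function and constant names are hypothetical, not Microsoft's or any library's.

# Characters Microsoft lists as never allowed in sAMAccountName values.
SAM_FORBIDDEN = set('"[]:;|=+*?<>/\\,')
# System-enforced length limits per object type (schema allows 256).
SAM_MAX_LEN = {"user": 20, "computer": 16}


def check_sam_account_name(name: str, kind: str = "user") -> list:
    """Return a list of rule violations; an empty list means the value passes."""
    problems = []
    if not name:
        return ["empty value"]
    bad = sorted({c for c in name if c in SAM_FORBIDDEN})
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    # Control characters below 32 and DEL (127) are non-printable and rejected.
    if any(ord(c) < 32 or ord(c) == 127 for c in name):
        problems.append("non-printable (control) character present")
    if name.endswith("."):
        problems.append("period cannot be the final character")
    # Storable via code (e.g. Set-ADUser) but cannot be used to log on.
    if "@" in name:
        problems.append("'@' prevents logon with this name; the UPN must be used")
    limit = SAM_MAX_LEN[kind]
    if len(name) > limit:
        problems.append(f"longer than the {limit}-character limit for {kind} objects")
    return problems


# Characters the RFC 2253 quote flags as special anywhere in a value;
# a leading or trailing space is handled positionally below.
RFC2253_SPECIAL = set('#,+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Backslash-escape an attribute value so it can be embedded in an RFC 2253 DN."""
    out = []
    last = len(value) - 1
    for i, c in enumerate(value):
        if c in RFC2253_SPECIAL:
            out.append("\\" + c)
        elif c == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(c)
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample values, not taken from any directory.
    for candidate in ["jdoe", "o'brien", "j.doe.", "jdoe@corp", "a" * 21, "bad[x]"]:
        print(candidate, "->", check_sam_account_name(candidate) or "ok")
    print(check_sam_account_name("a" * 17, "computer"))
    print(escape_rdn_value("Doe, John"), "|", escape_rdn_value(" #lead"))
```

Note that `o'brien` passes, which matches Solution 1's point that a single quote is legal in a user name; a computer-name check would need a separate rule set, which this example does not attempt.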