Users inside an Active Directory domain can be identified by the following schema properties:

  • sAMAccountName
  • userPrincipalName
  • GUID
  • Object SID
  • Distinguished Name
Use the user's GUID (objectGUID) to track the same user over time. Each of the other attributes has drawbacks as soon as the environment gets more complex.

Properties

sAMAccountName

  • Inside a domain the sAMAccountName is unique. It is not possible to have multiple users with the same sAMAccountName inside a single domain.
  • The same sAMAccountName can exist in multiple domains of the same Active Directory domain forest.
  • In Active Directory Users and Computers the sAMAccountName is the User logon name (pre-Windows 2000).

userPrincipalName

  • The userPrincipalName consists of the username and a UPN suffix. Both parts are separated by an '@' character.
  • The username part of the userPrincipalName has to be unique inside a domain. It is not possible to have the UPN my-username@test.ad AND my-username@some-other-upn-suffix.ad inside a single domain.
  • There can be the same UPN username with different UPN suffixes across domains of an Active Directory domain forest.
  • For an Active Directory domain there can be multiple suffixes defined (UPN suffixes).
  • A UPN suffix has to be unique inside an Active Directory domain forest.
  • In Active Directory Users and Computers the userPrincipalName is the User logon name. The administrator can select one of the defined UPN suffixes.

GUID

  • A user's GUID is globally unique. Inside an Active Directory domain forest there will be no two users with the same GUID.
  • The GUID is not structured. No information (like the user's parent domain) can be derived from it.
  • The GUID won't change during the lifetime of the user's AD object.

Object SID

  • The user's object SID is unique across domains in the Active Directory Forest.
  • The user's parent domain SID can be derived from the user's SID. See https://devblogs.microsoft.com/oldnewthing/20040315-00/?p=40253 for more details.
  • If a user is moved to a different domain, the object SID will change. The previous SID is [added to the sIDHistory attribute](https://www.oreilly.com/library/view/active-directory-cookbook/0596004648/ch04s19.html#:~:text=You%20can%20move%20objects%20between,binds%20usually%20do%20not%20work).
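The following is an added example (not part of the original note) that decodes the binary objectSid and objectGUID values as LDAP returns them, derives the parent domain SID from a user SID as described above, and shows why correlating the same user across a cross-domain move works by GUID but needs sIDHistory when done by SID. All sample values (the SIDs, the GUID and the two records) are constructed for the illustration.

```python
import struct
import uuid

def sid_to_string(raw: bytes) -> str:
    """Decode a binary objectSid (as LDAP returns it) into S-1-5-21-... form."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit identifier authority, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])    # 32-bit sub-authorities, little-endian
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def domain_sid(sid: str) -> str:
    """The parent domain SID is the user SID without its last sub-authority (the RID)."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 5:
        raise ValueError("not a domain-scoped SID: %r" % sid)
    return "-".join(parts[:-1])

def guid_to_string(raw: bytes) -> str:
    """Decode a binary objectGUID; AD stores it in GUID (mixed-endian) byte order."""
    return str(uuid.UUID(bytes_le=raw))

def same_user(a: dict, b: dict) -> bool:
    """Correlate two directory records by objectGUID, which survives a cross-domain move."""
    return a["objectGUID"] == b["objectGUID"]

def same_user_by_sid(a: dict, b: dict) -> bool:
    """SID-based correlation only works across a move if sIDHistory is consulted as well."""
    return a["objectSid"] == b["objectSid"] or a["objectSid"] in b.get("sIDHistory", [])

# Constructed sample data: one user before and after a move from domain A to domain B.
SID_A = bytes.fromhex("0105000000000005" "15000000" "57040000" "ae080000" "050d0000" "51040000")
SID_B = bytes.fromhex("0105000000000005" "15000000" "7b000000" "65000000" "09000000" "e8030000")
GUID = bytes.fromhex("78563412341278569abcdef012345678")
BEFORE = {"sAMAccountName": "jdoe", "objectGUID": GUID, "objectSid": SID_A, "sIDHistory": []}
AFTER = {"sAMAccountName": "jdoe", "objectGUID": GUID, "objectSid": SID_B, "sIDHistory": [SID_A]}

if __name__ == "__main__":
    for rec in (BEFORE, AFTER):
        s = sid_to_string(rec["objectSid"])
        print(guid_to_string(rec["objectGUID"]), s, "domain:", domain_sid(s))
    print("same by GUID:", same_user(BEFORE, AFTER), "| same by SID + sIDHistory:", same_user_by_sid(BEFORE, AFTER))
```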

Distinguished Name

  • The distinguished name is unique across all users of the Active Directory domain forest.

Relation between userPrincipalName and sAMAccountName

There is no relationship between the two identifiers. The username part of the userPrincipalName can be completely different from the sAMAccountName.

Login

Users can log in with their userPrincipalName, sAMAccountName, distinguished name or GUID.