Users inside an Active Directory domain can be identified by different properties like their
- object SID
- distinguished name
- The userPrincipalName consists of the username and its suffix. Both parts are separated by an '@' character.
- The username part of the userPrincipalName must be unique. It is not possible to have both the UPN email@example.com and the UPN firstname.lastname@example.org.
- For an Active Directory domain there can be multiple suffixes defined (UPN suffixes).
- In Active Directory Users and Computers the userPrincipalName is the User logon name. The administrator can select one of the defined UPN suffixes.
- Inside a domain, each sAMAccountName must be unique. It is not possible to have multiple users with the same sAMAccountName.
- In Active Directory Users and Computers the sAMAccountName is the User logon name (pre-Windows 2000).
Relation between userPrincipalName and sAMAccountName
There is no direct relationship between the two identifiers. The username part of the userPrincipalName can be completely different from the sAMAccountName.
Users can log in with their userPrincipalName or their sAMAccountName.
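
Because a user can log in under either identifier and the two need not share any text, logon names in authentication logs have to be mapped to an account through a directory lookup, not by string matching. The following is an added example, not part of the original page; the accounts, SIDs, the EXAMPLE domain name and the function names are constructed for illustration.

```python
# Constructed directory export: sample accounts, not real ones.
DIRECTORY = [
    {"objectSid": "S-1-5-21-1111111111-2222222222-3333333333-1104",
     "sAMAccountName": "jdoe",
     "userPrincipalName": "jane.doe@example.com"},
    {"objectSid": "S-1-5-21-1111111111-2222222222-3333333333-1105",
     "sAMAccountName": "asmith",
     "userPrincipalName": "asmith@example.org"},
]

# Constructed logon names as they might appear in authentication events.
EVENTS = ["jdoe", "Jane.Doe@example.com", "EXAMPLE\\jdoe",
          "asmith@example.org", "jane.doe"]


def build_index(directory):
    """Index accounts by UPN and by sAMAccountName (both case-insensitive)."""
    by_upn, by_sam = {}, {}
    for rec in directory:
        sam = rec["sAMAccountName"].lower()
        if sam in by_sam:  # the page states sAMAccountName is unique per domain
            raise ValueError(f"duplicate sAMAccountName: {sam}")
        by_sam[sam] = rec["objectSid"]
        by_upn[rec["userPrincipalName"].lower()] = rec["objectSid"]
    return by_upn, by_sam


def resolve(logon_name, index):
    """Return the objectSid for a logon name, or None if it matches no account."""
    by_upn, by_sam = index
    name = logon_name.strip().lower()
    if "@" in name:                  # treated as UPN form: username@suffix
        return by_upn.get(name)
    if "\\" in name:                 # DOMAIN\sAMAccountName; single domain assumed
        name = name.split("\\", 1)[1]
    return by_sam.get(name)          # never guessed from the UPN's username part


def logons_per_account(events, directory):
    """Count events per objectSid; unresolved names are counted under None."""
    index = build_index(directory)
    counts = {}
    for name in events:
        sid = resolve(name, index)
        counts[sid] = counts.get(sid, 0) + 1
    return counts


if __name__ == "__main__":
    for sid, n in logons_per_account(EVENTS, DIRECTORY).items():
        print(sid or "UNRESOLVED", n)
```

The bare name `jane.doe` stays unresolved: it is the username part of a UPN, not a sAMAccountName, so it identifies no account on its own.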