User naming convention - Active Directory objects design and planning
Posted on 2008-02-09
Hi Guys, need a bit of help with an AD design issue
Our current scenario:
- AD user login name: 'firstname.lastname'
- user email account: 'email@example.com'
- email display name: lastname, firstname
In case of duplicates found within the domain:
- New AD user login name 'firstname.lastname123'. Old account remains the same.
(numerical values are added in front of the new user account)
- user email account: 'firstname.lastname@example.org'
- email display name (GAL): lastname, firstname, middle initial (for both old and new user - mutually agreed)
Disadvantages of current convention:
- Login accounts being the same as email IDs leads to a situation where, looking at the internally published email listing (intranet), it's easy to guess a user's AD login account.
- A malicious user can lock out someone else's account by trying a wrong password 5 times, as that's the 'Account lockout policy' setting, set domain-wide.
- Duplicates are not making much sense.
Any alternative suggestions to this naming convention that some of you guys follow within your respective orgs?
Also, what could be the password reset policy? How does the user report that his password has been locked out, or that s/he has forgotten his/her password, and then in what ways does the helpdesk securely and confidentially inform the user of his/her reset password details?
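To make the convention in the post concrete, here is an added example (not from the original poster) that models it: login derived from first and last name, a numeric suffix on the new account when a duplicate exists, the GAL display name, and a check for the weakness the post raises (the login is recoverable from the published e-mail address). The suffix sequence 2, 3, 4 and the domain 'example.org' are assumptions; the post only shows '123' as a placeholder.

```python
import re
import unicodedata


def _normalise(part):
    """Lower-case ASCII letters only: strip diacritics, spaces, apostrophes, hyphens."""
    ascii_part = unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_part.lower())


def derive_login(first, last, existing):
    """firstname.lastname; on a clash append the lowest free number to the NEW login.
    The existing account keeps its name, exactly as the post describes.
    Suffix sequence starting at 2 is an assumption (post shows '123' as a placeholder)."""
    base = "%s.%s" % (_normalise(first), _normalise(last))
    if base not in existing:
        return base
    n = 2
    while "%s%d" % (base, n) in existing:
        n += 1
    return "%s%d" % (base, n)


def derive_email(login, domain="example.org"):
    """E-mail local part is the login with any numeric suffix removed (assumption)."""
    return "%s@%s" % (re.sub(r"\d+$", "", login), domain)


def display_name(first, last, middle_initial=None):
    """GAL display: 'lastname, firstname' plus ', M' when a middle initial is supplied."""
    return "%s, %s" % (last, first) + (", %s" % middle_initial if middle_initial else "")


def login_guessable_from_email(login, email):
    """True when the e-mail local part reveals the login (ignoring a numeric suffix).
    This is the post's first disadvantage: the intranet address list tells an
    attacker which login to target with 5 bad passwords to trigger the lockout."""
    local_part = email.split("@", 1)[0].lower()
    return re.sub(r"\d+$", "", login.lower()) == local_part
```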