User naming convention - Active Directory objects design and planning

Hi guys, I need a bit of help with an AD design issue.

Our current scenario:

AD user login name: 'firstname.lastname'
user email account: 'firstname.lastname@mail.com'
email display name: lastname, firstname

In case duplicates are found within the domain:

New AD user login name: 'firstname.lastname123'. The old account remains the same.
(Numerical values are added in front of the new user account.)
- user email account: 'firstname.lastname123@mail.com'
- email display name (GAL): lastname, firstname, middle initial (for both the old and the new user; mutually agreed)

Disadvantages of current convention:
 - Login accounts being the same as email IDs means that anyone looking at the internally published email listing (intranet) can easily guess a user's AD login account.
 - A malicious user can lock someone else's account out by trying a wrong password 5 times, since that is the domain-wide 'Account lockout policy' setting.
 - The duplicates are not making much sense.

Any alternative suggestions to this naming convention that some of you follow within your respective orgs?
Also, what could the password reset policy be? How does the user report that his password has been locked out, or that s/he has forgotten it, and in what ways does the helpdesk securely and confidentially inform the user of his/her reset password details?
fahim asked:

isaman07 commented:
Here is what I would do.
AD user login name: 'firstletteroffirstname.lastname'
user email account: 'firstname.lastname@mail.com'
email display name: whatever
Duplicates: however you wish
Lockout policy: 5 attempts, 15 min lockout duration

But what I would like to add here is to make sure that you have a strong password policy.
1. Enable 'password must meet complexity requirements'
2. Enable password history, at least 3
3. Set the password age to 120 days
4. Minimum password length 7

As for the password reset policy, you can assign randomly generated passwords to users who forget their passwords, and make sure you check 'User must change password at next logon'.
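One way to implement the randomly generated temporary password and forced change at next logon that isaman07 describes, added here as an example and not taken from the thread. New-TemporaryPassword runs on any Windows machine with PowerShell 5.0 or later; Reset-UserPassword assumes the ActiveDirectory module and delegated "Reset password" rights on the target account. The 14-character default, the four character classes and the dropped look-alike characters are my choices, not the thread's.

```powershell
# Added example, not from the thread: a cryptographically random temporary
# password with one character from every complexity class, then the AD reset.

function New-TemporaryPassword {
    param([int]$Length = 14)
    if ($Length -lt 8) { throw 'Length must be at least 8' }

    # One alphabet per complexity class. Look-alikes (0/O, 1/l/I) are left out
    # because the helpdesk will read this out over the phone (assumption).
    $classes = @(
        'ABCDEFGHJKLMNPQRSTUVWXYZ',
        'abcdefghijkmnpqrstuvwxyz',
        '23456789',
        '!#$%&*+-=?@'
    )
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

    function Get-RandomIndex([int]$Max) {
        # Rejection sampling: discard draws that would make "% $Max" biased.
        $buf   = New-Object byte[] 4
        $limit = [uint32]::MaxValue - ([uint32]::MaxValue % $Max)
        do {
            $rng.GetBytes($buf)
            $n = [BitConverter]::ToUInt32($buf, 0)
        } while ($n -ge $limit)
        return [int]($n % $Max)
    }

    # Guarantee one character from each class, fill the rest from the union,
    # then Fisher-Yates shuffle so the class positions are not predictable.
    $chars = New-Object 'System.Collections.Generic.List[char]'
    foreach ($c in $classes) { $chars.Add($c[(Get-RandomIndex $c.Length)]) }
    $all = -join $classes
    while ($chars.Count -lt $Length) { $chars.Add($all[(Get-RandomIndex $all.Length)]) }
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-RandomIndex ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    return -join $chars
}

function Reset-UserPassword {
    # Requires the ActiveDirectory module and delegated reset rights.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $temp = New-TemporaryPassword
    Set-ADAccountPassword -Identity $SamAccountName -Reset `
        -NewPassword (ConvertTo-SecureString $temp -AsPlainText -Force)
    # "User must change password at next logon", so the helpdesk never knows
    # the password the user actually ends up with.
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
    Unlock-ADAccount -Identity $SamAccountName
    return $temp   # shown once to the operator; never written to a ticket or mail
}

# Offline check of the generator alone: 20 passwords, none shorter than
# requested, each containing all four classes.
1..20 | ForEach-Object { New-TemporaryPassword -Length 14 }
```

The rejection sampling matters more than it looks: a plain `$n % $Max` on a 32-bit draw slightly favours the first few characters of each alphabet, which is exactly the kind of bias a password-cracking wordlist can exploit. The temporary password is returned to the operator, not logged, so the "securely and confidentially" part of the question is down to how it is handed over (in person or via the manager, as the other replies describe), not to what this script does.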

Toni Uranjek (Consultant/Trainer) commented:
Hi fahim,

There is only one naming convention which will prevent users from guessing other users' logon names: randomly generated names. Although I've seen such a naming convention in production, I doubt that it is a reasonable choice.

Other possibilities are:
firstname.lastname <-- will not accommodate duplicate user names; numbers or additional letters have to be added
lastnamefirstletteroffirstname <-- add the second letter of the first name to the logon name in case of duplicate user names
firstnamefirstletteroflastname <-- add the second letter of the last name to the logon name in case of duplicate user names

The "Account lockout policy" setting is (IMHO, in general) misunderstood. It should be used to prevent brute-force attacks on user passwords, not to increase the costs of the IT department. If you can put a price on one helpdesk call in your organization, you will soon end up with unreasonable maintenance costs for unlocking accounts and resetting passwords.
"Account lockout policy" should be set to a larger value (15 and up) to prevent users from locking themselves out. Hackers will avoid brute-force attacks; such an approach is too noisy and any attempt can easily be spotted in the DC Security event log. Of course there are other ways to obtain this kind of information, but it's against this site's policy to discuss such techniques. Users should be educated on how to use passwords properly, what strong passwords are, what passphrases are, etc.

In small environments I usually reset the user's password if I know him/her personally and give the new password over the phone. Please understand that this situation happens extremely rarely. In all other cases it is usually the user's manager who gets the new password and then passes it on to the user.

HTH

Toni
kieran_b commented:
RE: lockouts, you could also buy a copy of myPassword from NameScape -> http://www.namescape.com <- then users can reset their own passwords.

There isn't going to be anything you can do if you have problem users who want to lock people out. In some of the large orgs I work at, they don't have identifiable names; they use something like ID816289 as the username (based on the employee code), or XXYYYZ00 (X = country, Y = last name (3 letters), Z = first initial, 00 = identifier), so the 3rd Joe Bloggs in Italy would be ITBLOJ03.

Even then, most folks will know another's ID number or username. It is better to weed those people out and discipline them (you can find out which machine locked the account out).
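The coded scheme kieran_b describes (XXYYYZ00, so the third Joe Bloggs in Italy is ITBLOJ03), implemented as an added example that is not part of the thread. Get-NormalizedLetters, New-CodedLogonName and the rule that surnames shorter than three letters are padded with X are my own; the thread does not say how short or accented names are handled. The HashSet of taken names stands in for the directory so the script runs offline; in production you would replace it with a Get-ADUser lookup per candidate. Requires PowerShell 5.0 or later for the `::new()` syntax.

```powershell
# Added example, not from the thread: builds logon names in the style
# CC + first three letters of the surname + first initial + two-digit sequence,
# and picks the first sequence number that is not already taken.

function Get-NormalizedLetters {
    param([string]$Text)
    # Strip diacritics (é -> e) via canonical decomposition, then keep ASCII
    # letters only, upper-cased. "D'Arcy" -> DARCY, "de la Cruz" -> DELACRUZ.
    $formD = $Text.Normalize([Text.NormalizationForm]::FormD)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $formD.ToCharArray()) {
        if ([Globalization.CharUnicodeInfo]::GetUnicodeCategory($ch) -ne 'NonSpacingMark') {
            [void]$sb.Append($ch)
        }
    }
    return (($sb.ToString() -replace '[^A-Za-z]', '').ToUpperInvariant())
}

function New-CodedLogonName {
    param(
        [Parameter(Mandatory)][string]$CountryCode,   # ISO 3166-1 alpha-2, e.g. IT
        [Parameter(Mandatory)][string]$FirstName,
        [Parameter(Mandatory)][string]$LastName,
        # Names already in use. In production replace the Contains() check with
        # Get-ADUser -Filter "sAMAccountName -eq '$candidate'" (assumption).
        [System.Collections.Generic.HashSet[string]]$Existing =
            [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    )
    $cc    = Get-NormalizedLetters $CountryCode
    $last  = Get-NormalizedLetters $LastName
    $first = Get-NormalizedLetters $FirstName
    if ($cc.Length -ne 2 -or $last.Length -eq 0 -or $first.Length -eq 0) {
        throw 'Need a two-letter country code and at least one letter in each name'
    }

    # Surnames shorter than three letters are padded with X (my assumption, not
    # from the thread) so every logon name keeps the same fixed width.
    $stem = $cc + $last.Substring(0, [Math]::Min(3, $last.Length)).PadRight(3, 'X') + $first[0]

    for ($n = 1; $n -le 99; $n++) {
        $candidate = '{0}{1:D2}' -f $stem, $n
        if (-not $Existing.Contains($candidate)) {
            [void]$Existing.Add($candidate)     # reserve it for the caller
            return $candidate
        }
    }
    throw "All 99 sequence numbers for $stem are in use"
}

# Constructed demo: two Joe Bloggs already exist in Italy, so the next one
# gets the 03 sequence number from the thread's own example.
$taken = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
'ITBLOJ01', 'ITBLOJ02' | ForEach-Object { [void]$taken.Add($_) }
New-CodedLogonName -CountryCode IT -FirstName Joe -LastName Bloggs   -Existing $taken
New-CodedLogonName -CountryCode FR -FirstName Zoé -LastName "D'Arcy" -Existing $taken
New-CodedLogonName -CountryCode CN -FirstName Wei -LastName Li       -Existing $taken
```

The comparer is case-insensitive because sAMAccountName is case-insensitive in AD; a case-sensitive set would happily hand out a name that differs from an existing one only in case. The scheme does nothing for the question's second complaint: a colleague who knows your country and surname can still derive your logon name, which is why the replies focus on the lockout threshold and on finding the caller machine rather than on hiding names.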
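Toni says brute-force attempts are easy to spot in the DC Security event log and kieran_b says you can find out which machine locked the account out; this is how both are done, added here as an example that is not code from the thread. It assumes the ActiveDirectory module, read access to the Security log on the PDC emulator (which records every account lockout in the domain as event 4740 and receives every bad-password attempt), and Kerberos clients; for event 4740 the "Caller Computer Name" is carried in the data element named TargetDomainName. The 30-minute window and threshold of 5 are my defaults, not values from the thread.

```powershell
# Added example, not from the thread: who locked an account out, and which
# source is hammering which accounts, read from the PDC emulator's Security log.

function ConvertFrom-EventData {
    # Flatten the <EventData><Data Name="..."> elements of one event record
    # into a hashtable keyed by the Name attribute.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $x.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

function Get-LockoutSource {
    # Event 4740 "A user account was locked out": TargetUserName is the locked
    # account, TargetDomainName holds the Caller Computer Name.
    param([Parameter(Mandatory)][string]$SamAccountName, [int]$Hours = 24)
    $pdc = (Get-ADDomain).PDCEmulator
    Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertFrom-EventData $_
        if ($d['TargetUserName'] -ieq $SamAccountName) {
            [pscustomobject]@{
                Time           = $_.TimeCreated
                Account        = $d['TargetUserName']
                CallerComputer = $d['TargetDomainName']   # machine that sent the bad passwords
            }
        }
    }
}

function Get-BadPasswordBursts {
    # Event 4771 "Kerberos pre-authentication failed" with Status 0x18 is a wrong
    # password. Grouping by source IP and account separates the two patterns:
    # one IP, one account, many failures = the "lock out a colleague" case;
    # one IP, many accounts, a few failures each = a password spray.
    param([int]$Minutes = 30, [int]$Threshold = 5)
    $pdc = (Get-ADDomain).PDCEmulator
    Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName = 'Security'; Id = 4771; StartTime = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-EventData $_ } |
        Where-Object { $_['Status'] -eq '0x18' } |
        Group-Object { '{0}|{1}' -f $_['IpAddress'], $_['TargetUserName'] } |
        Where-Object Count -ge $Threshold |
        ForEach-Object {
            $ip, $user = $_.Name -split '\|', 2
            # IpAddress is often IPv4-mapped, e.g. ::ffff:10.1.2.3
            [pscustomobject]@{ SourceIp = $ip; Account = $user; Failures = $_.Count }
        } | Sort-Object Failures -Descending
}

# Usage (in a domain):
#   Get-LockoutSource -SamAccountName joe.bloggs
#   Get-BadPasswordBursts -Minutes 60 -Threshold 10
```

Two caveats a practitioner will hit: clients that fall back to NTLM do not produce 4771 but 4776 (status 0xC000006A, with a workstation name rather than an IP), so a complete picture needs both; and the Caller Computer Name in 4740 is the machine where the bad passwords were typed or cached, not necessarily the person typing them, which is why a stale password in a mapped drive or scheduled task shows up as a "malicious" lockout just as often as a disgruntled colleague does.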
Computer101 commented:
Forced accept.

Computer101
EE Admin