User naming convention - Active Directory objects design and planning

Posted on 2008-02-09
Last Modified: 2013-12-04
Hi Guys, need a bit of help with an AD design issue

Our Current scenario:

AD user login name 'firstname.lastname'
user email account; 'firstname.lastname@mail.com'
email display name: lastname, firstname

In case of duplicates found within domain:

New AD user login name 'firstname.lastname123'. Old account remains the same.
(numerical values are added in front of the new user account)
- user email account; 'firstname.lastname123@mail.com'
- email display name (GAL): lastname, firstname, middle initial (for both old and new user - mutually agreed)

Disadvantages of current convention:
 - Login accounts being the same as email IDs leads to a situation where, looking at the internally published email listing (intranet), it's easy to guess a user's AD login account.
 - A malicious user can lead someone else's account to a lockout condition by trying a wrong password 5 times, as that's the 'Account lockout policy' setting, set domain-wide.
 - Duplicates are not making much sense.

Any alternative suggestions to this naming convention that some of you guys follow within your resp. orgs?
Also, what could be the password reset policy? How does the user make the request when his password has been locked out or in case s/he forgets his/her password, and then in what ways does the helpdesk securely and confidentially inform the user of his/her reset password details?
Question by:fahim

Accepted Solution

isaman07 earned 536 total points
ID: 20858216
Here is what I would do.
AD user login name 'firstletteroffirstname.lastname'
user email account; 'firstname.lastname@mail.com'
email display name: Whatever
Duplicates: However you wish
Lockout policies: 5 times 15min locking duration

But what I would like to add here is to make sure that you have a strong password policy.
1. Enable password must meet complexity requirements
2. Enable password history, at least 3
3. Enable Password age for 120 days
4. Minimum password length 7

As for password reset policy, you can assign randomly generated passwords to users that forget their passwords and you make sure that you check the user must change password at next login.
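The settings and the reset step from the answer above, as an added PowerShell example that is not part of the original post. The domain name `example.com`, the function names, the 14-character default length and the 15-minute observation window are assumptions.

```powershell
# Added example. Needs the ActiveDirectory module (RSAT); 'example.com' is a placeholder.
Import-Module ActiveDirectory

# Values from the answer above. The 15-minute observation window is an assumption.
Set-ADDefaultDomainPasswordPolicy -Identity 'example.com' -ComplexityEnabled $true `
    -PasswordHistoryCount 3 -MaxPasswordAge (New-TimeSpan -Days 120) -MinPasswordLength 7 `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15)

$script:Rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

# Uniform index in [0, $Max) from the OS CSPRNG; rejection sampling avoids modulo bias.
function Get-SecureIndex([int]$Max) {
    $buf   = New-Object byte[] 4
    $limit = 4294967296 - (4294967296 % $Max)
    do {
        $script:Rng.GetBytes($buf)
        $n = [long][BitConverter]::ToUInt32($buf, 0)
    } while ($n -ge $limit)
    [int]($n % $Max)
}

function New-TemporaryPassword([int]$Length = 14) {
    # Look-alike glyphs (0/O, 1/l/I) are omitted because the value is read out or typed once.
    $sets  = 'ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnopqrstuvwxyz', '23456789', '!#%*+-=?@'
    $all   = -join $sets
    # One character from each class so the complexity requirement is always met.
    $chars = @($sets | ForEach-Object { $_[(Get-SecureIndex $_.Length)] })
    while ($chars.Count -lt $Length) { $chars += $all[(Get-SecureIndex $all.Length)] }
    # Fisher-Yates shuffle so the guaranteed characters are not always in front.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-SecureIndex ($i + 1)
        $chars[$i], $chars[$j] = $chars[$j], $chars[$i]
    }
    -join $chars
}

# Helpdesk reset: random password, forced change at next logon, lockout cleared.
function Reset-HelpdeskPassword([string]$SamAccountName) {
    $plain = New-TemporaryPassword
    Set-ADAccountPassword -Identity $SamAccountName -Reset `
        -NewPassword (ConvertTo-SecureString $plain -AsPlainText -Force)
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
    Unlock-ADAccount -Identity $SamAccountName
    $plain   # returned once for out-of-band delivery; never log or e-mail it
}
```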

Assisted Solution

by:Toni Uranjek
Toni Uranjek earned 532 total points
ID: 20858834
Hi fahim,

There is only one naming convention which will prevent users from guessing other users' logon names: random generated names. Although I've seen such a naming convention in production, I doubt that this is a reasonable choice.

Other possibilities are:
firstname.lastname <-- will not accommodate duplicate user names issues, numbers or additional letters have to be added
lastnamefirstletteroffirstname <-- add second letter of firstname to logon name in case of duplicate user names
firstnamefirstletteroflastname <-- add second letter of lastname to logon name in case of duplicate user names

"Account lockout policy" setting is (IMHO, in general) misunderstood. It should be used to prevent brute force attacks on user passwords and not to increase costs of the IT department. If you can put a price on one helpdesk call in your organization, you will soon end up with unreasonable maintenance costs for unlocking accounts and resetting passwords.
"Account lockout policy" should be set to a larger value (15 and up), to prevent users from getting locked out. Hackers will avoid brute force attacks; such an approach is too noisy and any attempt can be easily spotted in the DC Security Event log. Of course there are other ways to obtain this kind of information, but it's against this site's policy to discuss such techniques. Users should be educated on how to use passwords properly, what are strong passwords, what are passphrases, etc.

In small environments I usually reset the user's password if I know him/her personally and give the new password over the phone. Please understand that this situation happens extremely rarely. In all other cases it is usually the user's manager who gets information about the new password, and the manager passes the information to the user.



Assisted Solution

kieran_b earned 532 total points
ID: 20860416
RE: Lockouts, you could also buy a copy of myPassword for NameScape -> http://www.namescape.com <- then users can reset their own passwords

There isn't going to be anything you can do if you have problem users that want to lock people out. In some of the large orgs I work at, they don't have identifiable names, like ID816289 as the username (based on their employee code), or XXYYYZ00 (x=country, y=last name (3 letters), z=first initial, 00=identifier), so the 3rd joe bloggs in Italy would be ITBLOJ03.

Even then, most folks will know another's ID number or username - it is better to weed those people out and discipline them (you can find out which machine locked the account out)
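Finding which machine locked accounts out, and the point made earlier in the thread that such attempts show up in the DC Security Event log, as an added PowerShell example that is not part of the original posts. It assumes Windows Server 2008 or later, where a lockout is logged as event 4740, and that account management auditing is enabled; the function name and the threshold of three accounts are hypothetical.

```powershell
# Added example. Run with rights to read the Security log on the PDC emulator.
Import-Module ActiveDirectory

function Get-LockoutSource {
    param(
        [int]$Hours = 24,
        [int]$SuspiciousAccounts = 3   # assumed threshold: one machine locking this many users
    )
    # Lockouts are forwarded to the PDC emulator, so its Security log is the usual
    # place to look for event 4740 ("A user account was locked out").
    $pdc = (Get-ADDomain).PDCEmulator
    $events = Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours)
    }
    $rows = foreach ($e in $events) {
        [pscustomobject]@{
            Time     = $e.TimeCreated
            User     = $e.Properties[0].Value   # TargetUserName: the locked account
            Computer = $e.Properties[1].Value   # caller computer name (may be empty)
        }
    }
    # One machine behind lockouts of several different users is the pattern to review.
    $rows | Group-Object Computer | ForEach-Object {
        $users = @($_.Group.User | Sort-Object -Unique)
        [pscustomobject]@{
            Computer   = $_.Name
            Lockouts   = $_.Count
            Users      = $users -join ', '
            Suspicious = $users.Count -ge $SuspiciousAccounts
        }
    } | Sort-Object Lockouts -Descending
}

Get-LockoutSource -Hours 24 | Format-Table -AutoSize
```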

Expert Comment

ID: 21185875
Forced accept.

EE Admin
