enforce lowercase logon names in user accounts

Posted on 2013-01-11
Last Modified: 2013-02-20
Is there a way to enforce the newly created usernames to be all lowercase?
Question by:ccilengiroglu

Expert Comment

by:Leon Fester
ID: 38767004
None that I am aware of, but in Active Directory usernames are case insensitive; only passwords are case sensitive.

To AD, username, USERNAME and UserName are all the same identifier.

There are tools available but they cost money, e.g.
Other Identity and Access management tools offer similar capabilities.

Any reason for this request?

Expert Comment

ID: 38767213
Nothing to add; just to support the other expert's comment. The username is not case sensitive in either AD or on a Windows workstation. If your AD username is "joebloggs" you can still log in as "JOEBLOGGS".

Author Comment

ID: 38785919
But still, we need it for single sign-on with SAP, which is case sensitive.

Accepted Solution

Leon Fester earned 500 total points
ID: 38786311
but still we need it for single sign on with SAP which is case sensitive.
This is still not an AD issue, because AD is not case sensitive.
SAP IS case sensitive and this is enforced by SAP.

Have a read through the following post...well actually just the last 2 sections about Microsoft.
*Sorry but I couldn't find something more useful on user creation and mapping.

Users need to be educated to know that SAP is case sensitive and that they should only use the correct CASE logins. What happens if a user uses the wrong case? They don't get authenticated.
So education outweighs the efforts it's costing you to get this working.

To answer your question:
Is there a way to enforce the newly created usernames to be all lowercase?
YES, there are options for enforcing this

Option 1: EXPENSIVE, Long-term project, many stakeholders
Install an Identity and Access Management system (IAM) to manage and standardize the user creation tasks.

My organization implemented Novell IAM for SSO for 8 different domains (forest with 3 child domains, separate DMZ, TEST domains), 3 different OS (Unix, Windows, AS/400).

Besides just providing SSO capabilities, we also wanted to standardize user creation, group membership and other tasks relating to user identity and access.

Useful links for you to use in your investigation/motivation:

This is an expensive and time-consuming project because you need to purchase a product, and I would recommend professional services from the vendor to assist you with configuration. Besides just installing the software, they need to spend some time with you on requirements gathering and testing.

I'm going to assume that since you're running SAP, your Organization probably does have some money. With the right motivation and justification you should be able to get this included in your next budget/special project budgets.

Option 2: Still costs some $$$, but not as expensive as Option 1, Out of the box usage, minimum training and support required.
There are also other cheaper products that can also provide user creation and provisioning services with rules and templates to define creation requirements.
e.g. AD Manage Plus from ManageEngine

This application then replaces ADUC or other native AD tools for user creation.
And doesn't have the high financial requirements as a full IAM solution.

Option 3: The cheapest option with the easiest implementation, enforcement and least cost.
Educate your service desk or whoever creates users to ONLY create users in lower-case.

If your IT department has a user creation policy that states how users are being created, e.g. in lowercase only, and somebody doesn't comply...then there are consequences, e.g. disciplinary action.

You probably won't ever enforce the disciplinary action over something like this, but this methodology works well. If users are scared of breaking rules, knowing that there are consequences, then they generally stick to those rules.

This leads me to another "AD management" what happens if a username is NOT created as per your policy? How would you trace back who created that user?

Solution: Either get AD change reporting so that you know who created user accounts.
Some suggestions from Microsoft:

Alternatively, extend/create additional user creation policies:
All users created based on a ticket number.
Ticket numbers to be included in AD fields, either the description field, adding a custom attribute to AD or use one of the 15 ExtensionAttributes already available in AD.

I hope this expands on my previous statement:
This is still not an AD issue, because option 3 ultimately provides the required result without any $$$'s spent, minimal changes to processes and procedures.
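
Added example, not part of the original answer or any vendor's code: a PowerShell check for the Option 3 policy that flags accounts whose logon name is not all lowercase or that carry no ticket reference. It assumes the ticket number is stored in extensionAttribute1 with a hypothetical "INC" + digits format; the function name and sample accounts are constructed for illustration.

```powershell
# Added example. Assumptions: the ticket reference lives in extensionAttribute1
# and looks like "INC" + digits; adjust both to your own policy.
function Test-LogonNamePolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User,
        [string]$TicketPattern = '^INC\d+$'   # hypothetical ticket format
    )
    process {
        $sam    = [string]$User.SamAccountName
        $upn    = ([string]$User.UserPrincipalName -split '@')[0]
        $ticket = [string]$User.extensionAttribute1
        $problems = @()
        # -cne compares case-sensitively; plain -ne would ignore case, as AD does.
        if ($sam -cne $sam.ToLowerInvariant()) { $problems += 'sAMAccountName not lowercase' }
        if ($upn -cne $upn.ToLowerInvariant()) { $problems += 'UPN prefix not lowercase' }
        if ($ticket -notmatch $TicketPattern)  { $problems += 'no valid ticket reference' }
        if ($problems.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName = $sam
                WhenCreated    = $User.whenCreated
                Ticket         = $ticket
                Problems       = $problems -join '; '
            }
        }
    }
}

# Constructed sample objects so the check can be tried without a domain.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'joebloggs'; UserPrincipalName = 'joebloggs@example.test'
                       extensionAttribute1 = 'INC0001234'; whenCreated = [datetime]'2013-01-10' }
    [pscustomobject]@{ SamAccountName = 'JSmith'; UserPrincipalName = 'JSmith@example.test'
                       extensionAttribute1 = 'INC0001240'; whenCreated = [datetime]'2013-01-11' }
    [pscustomobject]@{ SamAccountName = 'akhan'; UserPrincipalName = 'akhan@example.test'
                       extensionAttribute1 = $null; whenCreated = [datetime]'2013-01-12' }
)
$sample | Test-LogonNamePolicy | Format-Table -AutoSize   # flags JSmith and akhan

# Against a live domain (RSAT ActiveDirectory module):
#   Get-ADUser -Filter * -Properties whenCreated, extensionAttribute1 | Test-LogonNamePolicy
# To see who created a flagged account, query Security event 4720 on the domain controllers:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720 }
```

Event 4720 is only logged when user account management auditing is enabled on the domain controllers; its Subject fields name the account that performed the creation.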

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question