
enforce lowercase logon names in user accounts

Posted on 2013-01-11
Last Modified: 2013-02-20
Is there a way to enforce the newly created usernames to be all lowercase?

Question by: ccilengiroglu

Expert Comment by: Leon Fester (ID: 38767004)

None that I am aware of, but in Active Directory usernames are case insensitive, only Passwords are case sensitive.

To AD, username, USERNAME and UserName are all the same identifier.

There are tools available but they cost money, e.g. https://www.netiq.com/issues/data-integrity.asp
Other Identity and Access management tools offer similar capabilities.

Any reason for this request?
Expert Comment by: arroryn (ID: 38767213)

Nothing to add; just to support the other expert's comment. The username is not case sensitive in either AD or on a Windows workstation. If your AD username is "joebloggs" you can still log in as "JOEBLOGGS".

Author Comment by: ccilengiroglu (ID: 38785919)

But we still need it for single sign-on with SAP, which is case sensitive.
Accepted Solution by: Leon Fester (earned 500 total points; ID: 38786311)

but still we need it for single sign on with SAP which is case sensitive.
This is still not an AD issue, because AD is not case sensitive.
SAP IS case sensitive and this is enforced by SAP.

Have a read through the following post...well actually just the last 2 sections about Microsoft.
http://www.saptechies.com/microsoft-windows-single-sign-on-options/
*Sorry but I couldn't find something more useful on user creation and mapping.

Users need to be educated to know that SAP is case sensitive and that they should only use the correct CASE logins. What happens if a user uses the wrong case? They don't get authenticated.
So education outweighs the effort it is costing you to get this working.

To answer your question:
Is there a way to enforce the newly created usernames to be all lowercase?
YES, there are options for enforcing this

Option 1: EXPENSIVE, Long-term project, many stakeholders
Install an Identity and Access Management (IAM) system to manage and standardize the user creation tasks.

My organization implemented Novell IAM for SSO across 8 different domains (a forest with 3 child domains, separate DMZ and TEST domains) and 3 different OSes (Unix, Windows, AS/400).

Besides just providing SSO capabilities, we also wanted to standardize user creation, group membership and other tasks relating to user identity and access.

Useful links for you to use in your investigation/motivation:
http://www.novell.com/solutions/identity-and-access/
http://www.novell.com/docrep/2010/11/novell_identity_security_and_compliance_solutions_for_sap_en.pdf
http://www.novell.com/docrep/2011/02/simplify_sap_access_without_compromising_security_flyer_en.pdf
https://www.netiq.com/documentation/novellaccessmanager31/pdfdoc/identityserverhelp/identityserverhelp.pdf

This is an expensive and time-consuming project because you need to purchase a product, and I would recommend professional services from the vendor to assist you with configuration. Besides just installing the software, they need to spend some time with you on requirements gathering and testing.

I'm going to assume that since you're running SAP, your Organization probably does have some money. With the right motivation and justification you should be able to get this included in your next budget/special project budgets.

Option 2: Still costs some $$$, but not as expensive as Option 1; out-of-the-box usage, minimum training and support required.
There are also other, cheaper products that can provide user creation and provisioning services with rules and templates to define creation requirements.
e.g. ADManager Plus from ManageEngine
http://www.manageengine.com/products/ad-manager/active-directory-management-automation/automated-active-directory-user-creation-provisioning.html

This application then replaces ADUC or other native AD tools for user creation.
And doesn't have the high financial requirements as a full IAM solution.

Option 3: The cheapest option, with the easiest implementation and enforcement.
Educate your service desk, or whoever creates users, to ONLY create users in lower-case.

If your IT department has a user creation policy that states how users are to be created, e.g. in lowercase only, and somebody doesn't comply, then there are consequences, e.g. disciplinary action.

You probably won't ever enforce disciplinary action over something like this, but this methodology works well. If users are scared of breaking rules, knowing that there are consequences, then they generally stick to those rules.

This leads me to another "AD management" issue...so what happens if a username is NOT created as per your policy? How would you trace back who created that user?

Solution: Either get an AD change reporting tool so that you know who created user accounts.
Some suggestions from Microsoft:
http://pinpoint.microsoft.com/en-US/applications/search?q=Active%20Directory%20Change%20Reporter&fcrc=USA
http://pinpoint.microsoft.com/en-us/applications/active-directory-change-reporter-4294980367

Alternatively, extend/create additional user creation policies:
All users created based on a ticket number.
Ticket numbers to be included in AD fields, either the description field, adding a custom attribute to AD or use one of the 15 ExtensionAttributes already available in AD.

I hope this expands on my previous statement:
This is still not an AD issue, because Option 3 ultimately provides the required result without any $$$ spent and with minimal changes to processes and procedures.
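The accepted answer's Option 3 (a lowercase-only creation policy), its audit question (who created a non-compliant account?) and its ticket-number suggestion can all be scripted at the point where accounts are created. The following PowerShell is an added example written for this page; it is not code from the thread or from any vendor mentioned in it. It assumes the RSAT ActiveDirectory module, that the OU path, UPN suffix and domain controller name are placeholders to be replaced, that extensionAttribute1 exists (it is present only when the Exchange schema extensions have been applied), and that the "Audit User Account Management" subcategory is enabled on the domain controllers so that event ID 4720 is written to the Security log.

```powershell
# Added example, not from the original thread. Requires the ActiveDirectory
# module (RSAT). Placeholders: OU path, UPN suffix, DC name, ticket numbers.
Import-Module ActiveDirectory

# Policy check used everywhere below: a logon name is compliant only if it is
# already entirely lower-case. ToLowerInvariant avoids locale surprises (for
# example the Turkish dotless i) so the stored name matches what SAP compares.
function Test-LowercaseLogonName {
    param([Parameter(Mandatory)][string]$SamAccountName)
    return ($SamAccountName -ceq $SamAccountName.ToLowerInvariant())
}

# Option 3 in script form: the service desk creates users through this wrapper,
# which normalises the logon name and UPN and records the ticket number, so a
# mixed-case name cannot be entered by hand. AD itself would accept any case.
function New-StandardUser {
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$TicketNumber,
        [string]$Path = 'OU=Users,DC=example,DC=com',   # placeholder OU
        [string]$UpnSuffix = 'example.com'              # placeholder suffix
    )
    $sam = $SamAccountName.ToLowerInvariant()
    if ($sam.Length -gt 20) { throw "sAMAccountName '$sam' exceeds the 20-character limit" }
    $pwd = Read-Host -AsSecureString -Prompt "Initial password for $sam"
    New-ADUser -Name "$GivenName $Surname" -GivenName $GivenName -Surname $Surname `
        -SamAccountName $sam -UserPrincipalName "$sam@$UpnSuffix" -Path $Path `
        -AccountPassword $pwd -ChangePasswordAtLogon $true -Enabled $true `
        -Description "Created per ticket $TicketNumber" `
        -OtherAttributes @{ extensionAttribute1 = $TicketNumber }   # assumes Exchange schema
    return $sam
}

# Audit: list every enabled user whose logon name violates the policy. The AD
# filter is case-insensitive, so the case comparison must be done client-side.
function Get-NonCompliantLogonName {
    param([string]$SearchBase)
    $params = @{ Filter = 'Enabled -eq $true'; Properties = 'whenCreated', 'extensionAttribute1' }
    if ($SearchBase) { $params.SearchBase = $SearchBase }
    Get-ADUser @params |
        Where-Object { -not (Test-LowercaseLogonName $_.SamAccountName) } |
        Select-Object SamAccountName, whenCreated, extensionAttribute1, DistinguishedName
}

# Traceability: who created a given account? Event 4720 ("A user account was
# created") on the DC that handled the creation names the creator in
# SubjectUserName and the new account in TargetUserName.
function Get-ADUserCreator {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$DomainController,
        [int]$Days = 30
    )
    $filter = @{ LogName = 'Security'; Id = 4720; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data.TargetUserName -ieq $SamAccountName) {
                [pscustomobject]@{
                    Created   = $_.TimeCreated
                    Account   = $data.TargetUserName
                    CreatedBy = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                    DC        = $_.MachineName
                }
            }
        }
}

# Example usage (all values are placeholders):
# New-StandardUser -GivenName Joe -Surname Bloggs -SamAccountName 'JoeBloggs' -TicketNumber 'INC0001234'
# Get-NonCompliantLogonName -SearchBase 'OU=Users,DC=example,DC=com'
# Get-ADUserCreator -SamAccountName 'JoeBloggs' -DomainController 'dc01.example.com'
```

Two caveats for anyone adopting this. First, it only helps if the wrapper is the route the service desk actually uses; ADUC and New-ADUser called directly will still accept any case, so the audit function (run on a schedule) is what catches deviations. Second, event 4720 is logged only on the DC that performed the creation, so in a multi-DC domain run Get-ADUserCreator against each DC, or forward the Security logs to a central collector first. Renaming an existing account with Set-ADUser -SamAccountName is possible, but since SAP matches on the exact string, coordinate any rename with the SAP user mapping before changing it.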