

enforce lowercase logon names in user accounts

Posted on 2013-01-11
Medium Priority
Last Modified: 2013-02-20
Is there a way to enforce the newly created usernames to be all lowercase?
Question by:ccilengiroglu

Expert Comment

by:Leon Fester
ID: 38767004
None that I am aware of, but in Active Directory usernames are case insensitive; only passwords are case sensitive.

To AD, username, USERNAME and UserName are all the same identifier.

There are tools available but they cost money, e.g.
Other Identity and Access management tools offer similar capabilities.

Any reason for this request?

Expert Comment

ID: 38767213
Nothing to add; just to support the other expert's comment. The username is not case sensitive in either AD or on a Windows workstation. If your AD username is "joebloggs" you can still log in as "JOEBLOGGS".

Author Comment

ID: 38785919
But still we need it for single sign-on with SAP, which is case sensitive.

Accepted Solution

Leon Fester earned 2000 total points
ID: 38786311
but still we need it for single sign on with SAP which is case sensitive.
This is still not an AD issue, because AD is not case sensitive.
SAP IS case sensitive and this is enforced by SAP.

Have a read through the following post...well actually just the last 2 sections about Microsoft.
*Sorry but I couldn't find something more useful on user creation and mapping.

Users need to be educated to know that SAP is case sensitive and that they should only use the correct CASE logins. What happens if a user uses the wrong case? They don't get authenticated.
So education outweighs the effort it's costing you to get this working.

To answer your question:
Is there a way to enforce the newly created usernames to be all lowercase?
YES, there are options for enforcing this

Option 1: EXPENSIVE, Long-term project, many stakeholders
Install an Identity and Access Management system (IAM) to manage and standardize the user creation tasks.

My organization implemented Novell IAM for SSO for 8 different domains (forest with 3 child domains, separate DMZ, TEST domains) and 3 different OSes (Unix, Windows, AS/400).

Besides just providing SSO capabilities, we also wanted to standardize user creation, group membership and other tasks relating to user identity and access.

Useful links for you to use in your investigation/motivation:

This is an expensive and time-consuming project because you need to purchase a product, and I would recommend professional services from the vendor to assist you with configuration. Besides just installing the software, they need to spend some time with you on requirements gathering and testing.

I'm going to assume that since you're running SAP, your Organization probably does have some money. With the right motivation and justification you should be able to get this included in your next budget/special project budgets.

Option 2: Still costs some $$$, but not as expensive as Option 1. Out-of-the-box usage, minimum training and support required.
There are also other, cheaper products that can provide user creation and provisioning services with rules and templates to define creation requirements.
e.g. AD Manage Plus from ManageEngine

This application then replaces ADUC or other native AD tools for user creation.
And doesn't have the high financial requirements as a full IAM solution.

Option 3: The cheapest option with the easiest implementation, enforce and least cost.
Educate your service desk, or whoever is creating users, to ONLY create users in lowercase.

If your IT department has a user creation policy that states how users are being created, e.g. in lowercase only, and somebody doesn't comply, then there are consequences, e.g. disciplinary action.

You probably won't ever enforce the disciplinary action over something like this, but this methodology works well. If users are scared of breaking rules, knowing that there are consequences, then they generally stick to those rules.

This leads me to another "AD management" what happens if a username is NOT created as per your policy? How would you trace back who created that user?

Solution: Either get an AD change reporting tool so that you know who created user accounts.
Some suggestions from Microsoft:

Alternatively, extend/create additional user creation policies:
All users created based on a ticket number.
Ticket numbers to be included in AD fields, either the description field, adding a custom attribute to AD or use one of the 15 ExtensionAttributes already available in AD.

I hope this expands on my previous statement:
This is still not an AD issue, because option 3 ultimately provides the required result without any $$$'s spent and with minimal changes to processes and procedures.
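
An added example, not part of the original answer: a PowerShell check that reports accounts breaking the policy described in Option 3 (lowercase logon name, ticket number recorded in the description or an extension attribute). The function name `Test-AccountNamingPolicy`, the ticket format and the choice of `extensionAttribute1` are assumptions made for illustration.

```powershell
# Added example: flags accounts that break a "lowercase logon name + ticket reference" policy.
# Function name, ticket format and the use of extensionAttribute1 are assumptions.
function Test-AccountNamingPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User,
        [string]$TicketPattern = '\b(INC|REQ)\d{7}\b'   # hypothetical ticket format
    )
    process {
        $sam = [string]$User.SamAccountName
        # -ceq is the case-sensitive comparison; the default -eq ignores case,
        # just as AD does, and would never detect a mixed-case name.
        $isLower = $sam -ceq $sam.ToLowerInvariant()
        # Accept the ticket number in either field the policy allows.
        $ticketText = "$($User.Description) $($User.extensionAttribute1)"
        $hasTicket = $ticketText -match $TicketPattern
        if (-not $isLower -or -not $hasTicket) {
            [pscustomobject]@{
                SamAccountName = $sam
                Suggested      = $sam.ToLowerInvariant()
                LowercaseOk    = $isLower
                TicketOk       = $hasTicket
                WhenCreated    = $User.whenCreated
            }
        }
    }
}

# Constructed sample objects, shaped like Get-ADUser output, so the check runs without a domain.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jbloggs'; Description = 'INC0012345 new starter'
                       extensionAttribute1 = $null; whenCreated = [datetime]'2013-01-10' }
    [pscustomobject]@{ SamAccountName = 'JSmith'; Description = 'REQ0054321'
                       extensionAttribute1 = $null; whenCreated = [datetime]'2013-01-11' }
    [pscustomobject]@{ SamAccountName = 'mjones'; Description = ''
                       extensionAttribute1 = $null; whenCreated = [datetime]'2013-01-12' }
)
$sample | Test-AccountNamingPolicy | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -Filter * -Properties Description, extensionAttribute1, whenCreated |
#     Test-AccountNamingPolicy
```

The report shows when a non-compliant account was created, not who created it; that still depends on the change reporting mentioned in the answer.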

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Let's recap what we learned from yesterday's Skyport Systems webinar.
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question