

enforce lowercase logon names in user accounts

Posted on 2013-01-11
Medium Priority
Last Modified: 2013-02-20
Is there a way to enforce the newly created usernames to be all lowercase?
Question by: ccilengiroglu

Expert Comment

by:Leon Fester
ID: 38767004
None that I am aware of, but in Active Directory usernames are case-insensitive; only passwords are case-sensitive.

To AD, username, USERNAME and UserName are all the same identifier.

There are tools available but they cost money, e.g. https://www.netiq.com/issues/data-integrity.asp
Other Identity and Access management tools offer similar capabilities.

Any reason for this request?

Expert Comment

ID: 38767213
Nothing to add; just to support the other expert's comment. The username is not case sensitive in either AD or on a Windows workstation. If your AD username is "joebloggs" you can still log in as "JOEBLOGGS".

Author Comment

ID: 38785919
But we still need it for single sign-on with SAP, which is case sensitive.

Accepted Solution

Leon Fester earned 2000 total points
ID: 38786311
But we still need it for single sign-on with SAP, which is case sensitive.
This is still not an AD issue, because AD is not case sensitive.
SAP IS case sensitive and this is enforced by SAP.

Have a read through the following post...well actually just the last 2 sections about Microsoft.
*Sorry, but I couldn't find something more useful on user creation and mapping.

Users need to be educated to know that SAP is case sensitive and that they should only use the correct CASE logins. What happens if a user uses the wrong case? They don't get authenticated.
So education outweighs the effort it's costing you to get this working.

To answer your question:
Is there a way to enforce the newly created usernames to be all lowercase?
YES, there are options for enforcing this.

Option 1: EXPENSIVE, Long-term project, many stakeholders
Install an Identity and Access Management system (IAM) to manage and standardize the user creation tasks.

My Organization implemented Novell IAM for SSO for 8 different domains (Forest with 3 child domains, separate DMZ, TEST domains) and 3 different OS (Unix, Windows, AS/400).

Besides just providing SSO capabilities, we also wanted to standardize user creation, group membership and other tasks relating to user identity and access.

Useful links for you to use in your investigation/motivation:

This is an expensive and time-consuming project because you need to purchase a product, and I would recommend professional services from the Vendor to assist you with configuration. Besides just installing the software, they need to spend some time with you on requirements gathering and testing.

I'm going to assume that since you're running SAP, your Organization probably does have some money. With the right motivation and justification you should be able to get this included in your next budget/special project budgets.

Option 2: Still costs some $$$, but not as expensive as Option 1; out-of-the-box usage, minimum training and support required.
There are also other, cheaper products that can provide user creation and provisioning services with rules and templates to define creation requirements.
e.g. ADManager Plus from ManageEngine

This application then replaces ADUC or other native AD tools for user creation.
And it doesn't have the high financial requirements of a full IAM solution.

Option 3: The cheapest option, with the easiest implementation and enforcement and the least cost.
Educate your service desk, or whoever creates users, to ONLY create users in lower-case.

If your IT department has a user creation policy that states how users are to be created, e.g. in lowercase only, and somebody doesn't comply...then there are consequences, e.g. disciplinary action.

You probably won't ever enforce the disciplinary action over something like this, but this methodology works well. If users are scared of breaking rules, knowing that there are consequences, then they generally stick to those rules.

This leads me to another "AD management" issue...so what happens if a username is NOT created as per your policy? How would you trace back who created that user?

Solution: Either get AD change reporting so that you know who created user accounts.
Some suggestions from Microsoft:

Alternatively, extend/create additional user creation policies:
All users created based on a ticket number.
Ticket numbers to be included in AD fields: either in the description field, by adding a custom attribute to AD, or by using one of the 15 ExtensionAttributes already available in AD.

I hope this expands on my previous statement:
This is still not an AD issue, because option 3 ultimately provides the required result without any $$$'s spent and with minimal changes to processes and procedures.
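As an added example (not code from the thread or from either expert), the PowerShell below turns option 3 and the "who created that user?" question into scripts: an audit for logon names containing upper-case letters, a creation wrapper that forces lowercase and records the ticket number in extensionAttribute1, and a lookup of the creating account from the domain controller's security log. The function names, the ticket-number format (INC-12345) and the OU path are assumptions; it also assumes the RSAT ActiveDirectory module and that extensionAttribute1 is present in the schema.

```powershell
# Added example (not from the thread). Audits logon names for upper case, creates users
# lowercase-only with the ticket number in extensionAttribute1, and traces who created an
# account. Assumes the RSAT ActiveDirectory module; extensionAttribute1 exists only where
# the Exchange schema extensions are installed. Function names are hypothetical.
Import-Module ActiveDirectory

function Get-NonLowercaseUser {
    # -cmatch is PowerShell's case-sensitive regex match; plain -match would ignore case.
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties whenCreated |
        Where-Object { $_.SamAccountName -cmatch '[A-Z]' } |
        Select-Object SamAccountName, DistinguishedName, whenCreated
}

function New-PolicyUser {
    # Creates the account the way the policy requires. The ValidatePattern on
    # SamAccountName also keeps quote characters out of the -Filter string below.
    param(
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9._-]{1,20}$')][string]$SamAccountName,
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][ValidatePattern('^[A-Z]+-\d+$')][string]$TicketNumber,  # e.g. INC-12345 (constructed format)
        [Parameter(Mandatory)][string]$Path   # distinguished name of the target OU
    )
    $sam = $SamAccountName.ToLowerInvariant()
    # AD compares logon names case-insensitively, so "JBloggs" would collide with "jbloggs".
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        throw "Account '$sam' already exists."
    }
    New-ADUser -Name "$GivenName $Surname" -SamAccountName $sam `
        -UserPrincipalName "$sam@$((Get-ADDomain).DNSRoot)" `
        -GivenName $GivenName -Surname $Surname -Path $Path `
        -Description "Created per ticket $TicketNumber" `
        -OtherAttributes @{ extensionAttribute1 = $TicketNumber } `
        -Enabled $false -PassThru
}

function Get-UserCreationEvent {
    # Security event 4720 ("A user account was created") is logged on the DC that handled
    # the creation; in its standard layout Properties[0] is the new account, Properties[4] the creator.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$ComputerName = (Get-ADDomainController).HostName
    )
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; Id = 4720 } |
        Where-Object { $_.Properties[0].Value -eq $SamAccountName } |
        ForEach-Object {
            [pscustomobject]@{ Created = $_.TimeCreated; Account = $_.Properties[0].Value; CreatedBy = $_.Properties[4].Value; DomainController = $ComputerName }
        }
}
```

Run Get-NonLowercaseUser periodically to catch accounts created outside the policy, then Get-UserCreationEvent on each hit to find out who created it; auditing of account management must be enabled on the domain controllers for event 4720 to be logged.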
