enforce lowercase logon names in user accounts

Is there a way to enforce the newly created usernames to be all lowercase?
Leon Fester, Senior Solutions Architect, commented:
but still we need it for single sign on with SAP which is case sensitive.
This is still not an AD issue, because AD is not case sensitive.
SAP IS case sensitive and this is enforced by SAP.

Have a read through the following post...well actually just the last 2 sections about Microsoft.
*Sorry but I couldn't find something more useful on user creation and mapping.

Users need to be educated to know that SAP is case sensitive and that they should only use the correct CASE logins. What happens if a user uses the wrong case? They don't get authenticated.
So education outweighs the effort it's costing you to get this working.

To answer your question:
Is there a way to enforce the newly created usernames to be all lowercase?
YES, there are options for enforcing this

Option 1: EXPENSIVE, Long-term project, many stakeholders
Install an Identity and Access Management (IAM) system to manage and standardize the user creation tasks.

My organization implemented Novell IAM for SSO for 8 different domains (forest with 3 child domains, separate DMZ, TEST domains) and 3 different OSes (Unix, Windows, AS/400).

Besides just providing SSO capabilities, we also wanted to standardize user creation, group membership and other tasks relating to user identity and access.

Useful links for you to use in your investigation/motivation:

This is an expensive and time-consuming project because you need to purchase a product, and I would recommend professional services from the vendor to assist you with configuration. Besides just installing the software, they need to spend some time with you on requirements gathering and testing.

I'm going to assume that since you're running SAP, your Organization probably does have some money. With the right motivation and justification you should be able to get this included in your next budget/special project budgets.

Option 2: Still costs some $$$, but not as expensive as Option 1. Out-of-the-box usage, minimum training and support required.
There are also other cheaper products that can also provide user creation and provisioning services with rules and templates to define creation requirements.
e.g. AD Manage Plus from ManageEngine

This application then replaces ADUC or other native AD tools for user creation.
And doesn't have the high financial requirements as a full IAM solution.

Option 3: The cheapest option, with the easiest implementation and enforcement and the least cost.
Educate your service desk, or whoever creates users, to ONLY create users in lowercase.

If your IT department has a user creation policy that states how users are being created, e.g. in lowercase only, and somebody doesn't comply...then there are consequences, e.g. disciplinary action.

You probably won't ever enforce the disciplinary action over something like this, but this methodology works well. If users are scared of breaking rules, knowing that there are consequences, then they generally stick to those rules.

This leads me to another "AD management" issue...so what happens if a username is NOT created as per your policy? How would you trace back who created that user?

Solution: Either get AD change reporting so that you know who created user accounts.
Some suggestions from Microsoft:

Alternatively, extend/create additional user creation policies:
All users created based on a ticket number.
Ticket numbers to be included in AD fields, either the description field, adding a custom attribute to AD or use one of the 15 ExtensionAttributes already available in AD.

I hope this expands on my previous statement:
This is still not an AD issue, because option 3 ultimately provides the required result without any $$$'s spent, minimal changes to processes and procedures.
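An added example, not part of the answer above: one way to audit the Option 3 policy is to flag accounts whose logon name contains uppercase characters or that carry no ticket reference. The function name `Test-AccountPolicy`, the ticket format `INC` plus digits, and the sample accounts are assumptions made for illustration.

```powershell
# Added example: audit accounts against a "lowercase logon name + ticket number" policy.
# Hypothetical names: Test-AccountPolicy, the INC<digits> ticket format, the sample users.
function Test-AccountPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User,
        [string]$TicketPattern = 'INC\d{6,}'   # assumed ticket format
    )
    process {
        $issues = @()
        # -cmatch compares case-sensitively; AD itself treats both spellings as equal,
        # which is why a mixed-case name is accepted at creation time.
        if ($User.SamAccountName -cmatch '\p{Lu}') {
            $issues += 'logon name contains uppercase'
        }
        # The ticket may live in the description or in an extension attribute.
        $ticketFields = @($User.extensionAttribute1, $User.Description) -join ' '
        if ($ticketFields -notmatch $TicketPattern) {
            $issues += 'no ticket reference'
        }
        if ($issues.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName = $User.SamAccountName
                Suggested      = $User.SamAccountName.ToLowerInvariant()
                WhenCreated    = $User.whenCreated
                Issues         = $issues -join '; '
            }
        }
    }
}

# Constructed sample data so the check runs without a domain controller.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'joebloggs'; extensionAttribute1 = 'INC0012345'
                       Description = ''; whenCreated = [datetime]'2024-01-10' }
    [pscustomobject]@{ SamAccountName = 'JSmith'; extensionAttribute1 = $null
                       Description = 'Created per INC0012399'; whenCreated = [datetime]'2024-02-02' }
    [pscustomobject]@{ SamAccountName = 'akhan'; extensionAttribute1 = $null
                       Description = 'temp account'; whenCreated = [datetime]'2024-03-15' }
)
$sample | Test-AccountPolicy | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -Filter * -Properties whenCreated, extensionAttribute1, Description |
#     Test-AccountPolicy
```

The `WhenCreated` value of a flagged account gives the time window to look up in whatever change reporting is in place, such as the domain controllers' Security log entry for account creation (event ID 4720) when account management auditing is enabled.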
Leon Fester, Senior Solutions Architect, commented:
None that I am aware of, but in Active Directory usernames are case insensitive, only Passwords are case sensitive.

To AD; username, USERNAME, UserName are all the same identifier.

There are tools available but they cost money, e.g. https://www.netiq.com/issues/data-integrity.asp
Other Identity and Access management tools offer similar capabilities.

Any reason for this request?
Nothing to add; just to support the other expert's comment. The username is not case sensitive in either AD or on a Windows workstation. If your AD username is "joebloggs" you can still log in as "JOEBLOGGS".
ccilengiroglu (Author) commented:
but still we need it for single sign on with SAP which is case sensitive