What exactly is sAMAccountName and is it a Legacy AD attribute?

Is the sAMAccountName AD attribute some sort of legacy backwards-compatibility object from Server 2000 and NT that has been replaced by CN formatting? Or is sAMAccountName really just what Microsoft AD translates to the Windows user logon account name, whereas the CN is just the full user name (i.e. first name and last name)?

Also, how is a CN different from a sAMAccountName and can both be used in LDAP authentication queries against AD?

Thanks
CnicNV Asked:

zalazar Commented:
The sAMAccountName is indeed a legacy attribute to support previous versions of Windows, like Windows NT4, Windows 98 and earlier.
The maximum length of the sAMAccountName is 20 characters and it must be unique within the domain.
Within AD Users and Computers it's on the Account tab, "User logon name (pre-Windows 2000)".

The CN is indeed referred to within AD as "Full name".
If you try to rename a user within "Active Directory Users and Computers" you can see these values. The "Full name" is in the AD user attribute CN and name.

The CN can be used in LDAP authentication by specifying the distinguished name.
The distinguished name is the relative distinguished name (RDN), which is the CN, followed by the names of container objects and domains.
E.g.: CN=Administrator,CN=Users,DC=domain,DC=local

The user logon name, which is on the Account tab too, can also be used for authentication.
The value is written to the user attribute userPrincipalName as the value of the user logon name followed by the domain name, e.g. user1@domain.local

The following article describes which methods are accepted for simple bind authentication in Active Directory.
http://msdn.microsoft.com/en-us/library/cc223499.aspx

So the CN in the form of the distinguished name (DN), userPrincipalName and sAMAccountName can be used for authentication.

The distinguished name is preferred (higher in order) before trying the sAMAccountName.
When using older operating systems like Windows NT only the sAMAccountName can be used for authentication.
0
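The three name forms from the answer above, mapped to the AD attribute an application would search on before binding. This is an added example, not part of the original answer: the function names are hypothetical, stripping a `DOMAIN\` prefix is an assumption about how users type logins, and the filter escaping follows RFC 4515 so a user-supplied login cannot alter the query.

```python
import re

SAM_MAX_LEN = 20  # sAMAccountName length limit stated in the answer above

# Loose shape check for a DN such as CN=Administrator,CN=Users,DC=domain,DC=local
DN_SHAPE = re.compile(r'^cn=[^,]+,.*dc=', re.IGNORECASE)


def escape_filter_value(value):
    """Escape the characters that are special in an LDAP search filter (RFC 4515)."""
    return ''.join(
        '\\%02x' % ord(ch) if ch in '\\*()\x00' else ch
        for ch in value
    )


def classify_login(login):
    """Return (form, attribute, value) for a user-supplied login string."""
    if DN_SHAPE.match(login):
        return ('dn', 'distinguishedName', login)
    if '@' in login:
        return ('upn', 'userPrincipalName', login)
    if '\\' in login:
        # Assumption: DOMAIN\user style input; keep only the account part.
        login = login.split('\\', 1)[1]
    if not login or len(login) > SAM_MAX_LEN:
        raise ValueError('not a valid sAMAccountName: %r' % login)
    return ('sam', 'sAMAccountName', login)


def user_filter(login):
    """Build a search filter that locates the user object for this login."""
    _form, attr, value = classify_login(login)
    return '(&(objectCategory=person)(objectClass=user)(%s=%s))' % (
        attr, escape_filter_value(value))


if __name__ == '__main__':
    # Constructed sample inputs, including one filter-injection attempt.
    for sample in ('CN=Administrator,CN=Users,DC=domain,DC=local',
                   'user1@domain.local', 'DOMAIN\\jsmith', '*)(cn=*'):
        print(sample, '->', user_filter(sample))
```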

CnicNV (Author) Commented:
Sorry for the delay, this is what I wanted.  Thanks for the info:)
0
zalazar Commented:
No problem, you're welcome and I'm glad this is the info you needed.
0