What exactly is sAMAccountName and is it a Legacy AD attribute?

Posted on 2014-08-21
Medium Priority
1 Endorsement
Last Modified: 2014-09-26
Is the sAMAccountName AD attribute some sort of legacy backwards compatibility object from server 2000 and NT that has been replaced by CN formatting?  Or is sAMAccountName really just what Microsoft AD translates to the windows user logon account name, where as the CN, is just the full user name (IE first name and last name)?

Also, how is a CN different from a sAMAccountName and can both be used in LDAP authentication queries against AD?

Question by:CnicNV
  • 2
LVL 12

Accepted Solution

zalazar earned 2000 total points
ID: 40277782
The sAMAccountName is indeed a legacy attribute to support previous versions of Windows, like Windows NT4, Windows 98 and earlier.
The maximum length of the sAMAccountName is 20 characters and it must be unique within the domain.
Within AD Users and Computers it's on the Account tab, "User logon name (pre-Windows 2000)".

The CN is within AD indeed referred as "Full name".
If you try to rename a user within "Active Directory Users and Computers" you can see these values. The "Full name" is in the AD user attribute CN and name.

The CN can be used in LDAP authentication by specifying the distinguished name.
The distinguished name is the relative distinguished name (RDN), which is the CN, followed by the names of container objects and domains.
E.g.: CN=Administrator,CN=Users,DC=domain,DC=local

The User logon name which is on the Account tab too can also be used for authentication.
The value is written within the user attribute userPrincipalName as the value of the user logon name followed by the domainname, e.g. user1@domain.local

The following article describes which methods are accepted for simple bind authentication in Active Directory.

So the CN in the form of the distinguished name (DN), userPrincipalName and sAMAccountName can be used for authentication.

The distinguished name is preferred (higher in order) before trying the sAMAccountName.
When using older operating systems like Windows NT only the sAMAccountName can be used for authentication.

Author Closing Comment

ID: 40312400
Sorry for the delay, this is what I wanted.  Thanks for the info:)
LVL 12

Expert Comment

ID: 40346873
No problem, you're welcome and I'm glad this is the info you needed.

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Case Summary: In this Article we introduce the new method to configure the default user profile using Automated profile copy with sysprep rather than the old ways such as the manual copy of a configured profile to default user profile Old meth…
This is my 3rd article on SCCM in recent weeks, the 1st (http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/A_4466-A-beginners-guide-to-installing-SCCM2007-on-Windows-2008-R2-Server.html) dealing with installat…
This Micro Tutorial will teach you how to add a cinematic look to any film or video out there. There are very few simple steps that you will follow to do so. This will be demonstrated using Adobe Premiere Pro CS6.
Is your OST file inaccessible, Need to transfer OST file from one computer to another? Want to convert OST file to PST? If the answer to any of the above question is yes, then look no further. With the help of Stellar OST to PST Converter, you can e…
Suggested Courses

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question