What exactly is sAMAccountName and is it a Legacy AD attribute?

Posted on 2014-08-21
1 Endorsement
Last Modified: 2014-09-26
Is the sAMAccountName AD attribute some sort of legacy backwards compatibility object from Server 2000 and NT that has been replaced by CN formatting?  Or is sAMAccountName really just what Microsoft AD translates to the Windows user logon account name, whereas the CN is just the full user name (i.e. first name and last name)?

Also, how is a CN different from a sAMAccountName and can both be used in LDAP authentication queries against AD?

Question by:CnicNV
    LVL 11

    Accepted Solution

    The sAMAccountName is indeed a legacy attribute to support previous versions of Windows, like Windows NT4, Windows 98 and earlier.
    The maximum length of the sAMAccountName is 20 characters and it must be unique within the domain.
    Within AD Users and Computers it's on the Account tab, "User logon name (pre-Windows 2000)".

    The CN is within AD indeed referred to as "Full name".
    If you try to rename a user within "Active Directory Users and Computers" you can see these values. The "Full name" is in the AD user attribute CN and name.

    The CN can be used in LDAP authentication by specifying the distinguished name.
    The distinguished name is the relative distinguished name (RDN), which is the CN, followed by the names of container objects and domains.
    E.g.: CN=Administrator,CN=Users,DC=domain,DC=local

    The User logon name which is on the Account tab too can also be used for authentication.
    The value is written within the user attribute userPrincipalName as the value of the user logon name followed by the domain name, e.g. user1@domain.local

    The following article describes which methods are accepted for simple bind authentication in Active Directory.

    So the CN in the form of the distinguished name (DN), userPrincipalName and sAMAccountName can be used for authentication.

    The distinguished name is preferred (higher in order) before trying the sAMAccountName.
    When using older operating systems like Windows NT only the sAMAccountName can be used for authentication.
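
An application that accepts any of the three name forms listed in this answer has to tell them apart and escape the value before searching the directory for it. The following is an added example, not part of the original answer; the function names are hypothetical, the DN check is a simplified pattern that ignores escaped commas, and the 20-character limit is the one quoted above.

```python
import re

SAM_MAX_LEN = 20  # sAMAccountName limit quoted in the answer above

# Characters that must be escaped inside an LDAP search filter value (RFC 4515).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Simplified DN shape: attr=value pairs separated by commas (assumption).
_DN_RE = re.compile(r"^(cn|ou|dc|uid)=[^,]+(,\s*[a-z]+=[^,]+)+$", re.IGNORECASE)


def escape_filter_value(value: str) -> str:
    """Escape user input so it cannot change the structure of a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def classify_login(name: str) -> str:
    """Return 'dn', 'upn' or 'sam' for a submitted logon string."""
    if _DN_RE.match(name):
        return "dn"
    if name.count("@") == 1 and not name.startswith("@") and not name.endswith("@"):
        return "upn"
    return "sam"


def lookup_filter(name: str) -> str:
    """Build the search filter used to find the account before binding."""
    kind = classify_login(name)
    if kind == "dn":
        # A distinguished name is bound with directly; no search is needed.
        raise ValueError("distinguished name given; bind with it as-is")
    if kind == "upn":
        return "(userPrincipalName=%s)" % escape_filter_value(name)
    if len(name) > SAM_MAX_LEN:
        raise ValueError("sAMAccountName longer than %d characters" % SAM_MAX_LEN)
    return "(sAMAccountName=%s)" % escape_filter_value(name)


if __name__ == "__main__":
    # Constructed sample inputs; the first two come from the answer's examples.
    for sample in ("CN=Administrator,CN=Users,DC=domain,DC=local",
                   "user1@domain.local", "user1", "*)(cn=*"):
        kind = classify_login(sample)
        print(kind, "->", sample if kind == "dn" else lookup_filter(sample))
```

The last sample shows why the escaping matters: without it, the submitted value would close the sAMAccountName clause and add a wildcard match of its own.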

    Author Closing Comment

    Sorry for the delay, this is what I wanted.  Thanks for the info:)
    LVL 11

    Expert Comment

    No problem, you're welcome and I'm glad this is the info you needed.
