Duplicate LoginID in Active Directory

We are trying to add a new user to our Active Directory. Active Directory is reporting: "The user logon name you have chosen is already in use in this enterprise. Choose another logon name, and then try again."

The obvious fix is to just select a different logon name, but when a complete search of AD is done, the name doesn't appear anywhere.  There is clearly some sort of lingering AD object with this old logon.  

What tool is the best to go through and find these objects and clean them out?

Will Szymkowski (Senior Solution Architect) commented:
The obvious fix is to just select a different logon name, but when a complete search of AD is done, the name doesn't appear anywhere.  There is clearly some sort of lingering AD object with this old logon.  

This is by design. This is not the NAME, it is the sAMAccountName in Active Directory. This name is unique within the domain and cannot be used twice. The best way to manage something like this is to have an on-boarding naming convention.

Some companies use first initial / last name or first name / last initial.

There will not be any duplicates in the domain for the sAMAccountName attribute. Do not search by the name; search by the sAMAccountName and you will be able to find the account you are looking for.

AvatharV (Author) commented:
Correct, we use first initial + last name as our naming standard.  In the case of duplicates, we typically do first two letters of first name + lastname in case of possible dupes.

I get what you mean by the sAMAccountName, but the only search I typically do in AD is the "Find Users, Contacts, and Groups" within AD Users & computers.

How do I search for sAMAccountName?  I looked through all the options of AD Users & Computers and don't see it.  Should I be using a different search tool?
Will Szymkowski (Senior Solution Architect) commented:
You do it the same way but you just try in the sAMAccountName not the first name or last name. In the search field when you type a sAMAccountName you will only find one in the entire domain.


AvatharV (Author) commented:
I am on my 2012 Standard server, in Active Directory Users & Computers, in Find Users, Contacts, and Groups. In the Find: field, I have Users, Contacts, and Groups selected, and in the In: field I have Entire Directory selected. In the Users, Contacts, and Groups tab, there is only a Name: & Description: field.

Even when I look through all the Field options, I don't see a sAMAccountName option.  I have all types of objects viewable and advanced options checked.

I could be blind, but I don't see where you are talking about.
Will Szymkowski (Senior Solution Architect) commented:
LoL, no you are not blind. There is no specific option for sAMAccountName. You just type the sAMAccountName in the search field. If the sAMAccountName is already in use you will find the user. See screenshot below...
As you can see based on the screenshots, I simply typed in the sAMAccountName of the user and hit Find and it appeared. When you type in the sAMAccountName like I have, you will still get results. The sAMAccountName does not have to be the same as the UserPrincipalName (name@domain.com) and it does not have to include the first name or last name; it can be whatever you make it. However, it needs to be unique in the domain.

Hopefully this makes sense.

AvatharV (Author) commented:
Will, you were very helpful. I tried all that and the user logon seems to be hidden from AD. Like I said, it is some kind of lingering account or something.

I had to go into ADSIEdit and run a query there, then go into the user properties and Attribute Editor. The attribute showInAdvancedViewOnly was set to false for some reason. When we changed it back to <not set> we could see it again.

Thanks for your speedy help.
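Added example (not part of the thread or either participant's code): a PowerShell function that does the check the thread arrives at, querying the whole domain for a sAMAccountName regardless of whether ADUC shows the object, and reporting the showInAdvancedViewOnly attribute the asker found set. It assumes the ActiveDirectory RSAT module on a domain-joined host; `jsmith` is a constructed sample logon name.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

function Find-SamAccountName {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [switch] $IncludeDeleted   # also return tombstoned / recycled objects
    )
    # Get-ADObject rather than Get-ADUser: groups and computer accounts ("name$")
    # share the sAMAccountName namespace with users, so a non-user object can be
    # the one holding the logon name ADUC reports as "already in use".
    $params = @{
        LDAPFilter = "(sAMAccountName=$SamAccountName)"
        SearchBase = (Get-ADDomain).DistinguishedName
        Properties = 'sAMAccountName', 'objectClass', 'showInAdvancedViewOnly',
                     'isDeleted', 'whenChanged'
    }
    if ($IncludeDeleted) { $params.IncludeDeletedObjects = $true }

    Get-ADObject @params |
        Select-Object Name, objectClass, DistinguishedName,
                      showInAdvancedViewOnly, isDeleted, whenChanged
}

# Look for the logon name ADUC claims is taken (constructed sample value).
Find-SamAccountName -SamAccountName 'jsmith' -IncludeDeleted

# If the object is live but hidden from the default ADUC view, clear the attribute
# the asker describes so it appears again in "Find Users, Contacts, and Groups".
# -WhatIf previews the change; remove it to apply.
Find-SamAccountName -SamAccountName 'jsmith' |
    Where-Object { -not $_.isDeleted -and $null -ne $_.showInAdvancedViewOnly } |
    ForEach-Object {
        Set-ADObject -Identity $_.DistinguishedName -Clear showInAdvancedViewOnly -WhatIf
    }
```

Objects returned with isDeleted set are tombstones or recycled objects that still occupy the name until they expire, which is the other common cause of a name that is "in use" but not visible in ADUC.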

Will Szymkowski (Senior Solution Architect) commented:
Glad that you figured it out!

AvatharV (Author) commented:
Upon further research, found the answer myself.