Active Directory User Naming Conventions

by Robert Allen

In this article, I will look at some of the most common naming conventions for usernames in Active Directory. Each user account will need to be unique, so having a naming convention will make your job as an administrator easier.

There is no single best naming convention; it depends on your organization’s size and requirements.

Active Directory User Account Naming Convention Examples

For these examples, I’ll use Joe Smith and show you the various ways to create a naming convention.

1. Complete first name plus last name: This is by far the most common naming convention I see organizations use. You take the user’s complete first name and complete last name and join them with a period or hyphen.

Example: joe.smith

This method has the advantage of creating easy-to-remember logon names, and it works well for small and large organizations. The one drawback is that it can create long names of more than 8 characters. If there are duplicates, you can add the user’s middle initial.

2. Initial of first name and complete last name: You take the user’s first initial and combine it with their complete last name. This works well for large and small organizations, and it keeps the logon name shorter. In large organizations, you will have some duplicates. This method can also create some odd logon names.

Example: jsmith

The funniest combination I’ve seen was for a user named Todd Estes, whose logon name came out as testes. It didn’t take long for the user to call and request that the name be changed. You must be flexible and keep your end users happy.

3. First three characters of the first name and first three of the last name: You combine the first three characters of the first name and the first three of the last name.

Example: joesmi

This method has the advantage of creating short, easy-to-remember logon names, and it keeps the logon name under 8 characters. I don’t see any major drawbacks to this method, except that it might create some duplicate names.

4. First name plus EmployeeID: This combination is popular in very large organizations. It prevents duplicates, as every employee has a unique ID. It is not the most user-friendly, but it addresses many issues large organizations deal with. Matching AD accounts to HR systems is sometimes a challenge, and this naming convention can help solve that.

Example: joe43671

5. Three random letters and three numbers: I have not seen this one commonly used, but I can see some advantages to it. It would work well in a very large environment. You would also avoid duplicate names, and you would avoid renaming accounts when a user’s last name changes.

The only drawback is the email address; I don’t think users would want an email address made of random characters, but you could always give them a different email address. This may also help with spam and security: if spammers get a list of usernames, they will not be able to guess the matching email addresses.

Example: aed234

To make it a little easier for users to remember, you could use the first three characters of their first name and three random numbers.

Example: for Joe Smith the logon name would be joe234
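As an added example (not code from the article), the following Python function produces the logon name each of the five conventions above, plus the joe234 variant, would give a person. The accent folding step, the optional seed for the random conventions, and the function and key names are my own assumptions; the article only describes the conventions themselves.

```python
import random
import re
import string
import unicodedata

# Added example, not code from the article. Function and key names are my own.


def normalize(part: str) -> str:
    """Fold one name part to lowercase a-z / 0-9.

    Accents are stripped (Müller -> muller); apostrophes, spaces and hyphens
    are dropped (O'Brien -> obrien, Van Der Berg -> vanderberg). As a side
    effect this removes every character sAMAccountName rejects.
    """
    folded = unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", folded.lower())


def convention_names(first: str, last: str, employee_id: str,
                     seed=None, separator: str = ".") -> dict:
    """Return {convention: logon name} for each convention in the article.

    seed is only for reproducible demos and tests; pass None in practice so
    the random conventions actually vary from account to account.
    """
    rng = random.Random(seed)
    f, l = normalize(first), normalize(last)

    def three_digits() -> str:
        return f"{rng.randrange(1000):03d}"

    def three_letters() -> str:
        return "".join(rng.choice(string.ascii_lowercase) for _ in range(3))

    return {
        "1 first+last":       f"{f}{separator}{l}",             # joe.smith
        "2 initial+last":     f"{f[:1]}{l}",                     # jsmith
        "3 first3+last3":     f"{f[:3]}{l[:3]}",                 # joesmi
        "4 first+employeeid": f"{f}{employee_id}",               # joe43671
        "5 random3+digits3":  three_letters() + three_digits(),  # e.g. aed234
        "5b first3+digits3":  f"{f[:3]}{three_digits()}",        # e.g. joe234
    }


def over_legacy_limit(names: dict, limit: int = 8) -> list:
    """Conventions whose result would not fit a legacy username field of `limit` characters."""
    return [convention for convention, logon in names.items() if len(logon) > limit]


if __name__ == "__main__":
    # Constructed sample input: the article's Joe Smith with a made-up employee ID.
    names = convention_names("Joe", "Smith", "43671", seed=1)
    for convention, logon in names.items():
        print(f"{convention:20} {logon}")
    print("too long for 8-character systems:", over_legacy_limit(names))
```

Running it for Joe Smith shows at a glance which conventions fit an 8-character legacy field (only the first.last form does not) and which ones depend on random data that a generator must record somewhere, since it cannot be re-derived from the person’s name.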

Things to Consider Before Changing Usernames

You need to do some homework before changing all usernames: make sure every system that uses Active Directory for authentication will support the new naming convention. Below are some things to consider:

  • Legacy applications or computer systems with an 8-character limit
  • Security
  • Single sign-on with other systems

Some legacy applications only allow 8 characters for the username. If you have programs like this, you may want to limit your Active Directory account names to 8 characters as well. Most programs let you map the username to a Windows name, which could be different.

The problem is that this creates a different logon name your users will need to remember, and we want to make things as easy for the users as possible. Some of the commonly used naming conventions create easy-to-guess logon names, which is a security concern.

This makes it easy for spammers and hackers to guess the logon name and email address. The last thing to consider is your applications that use single sign-on: will the naming scheme you choose be compatible with SSO?

Exceptions Policy

  • Duplicate names
  • Last name change
  • Odd or horrible logon names

There will always be problems, so you will need to be flexible with your users. In large environments, you could run into duplicate accounts with some of these methods. You will want to have the user’s complete name, including the middle name, so you can use it if you run into a duplicate account.

There have been a few times where I’ve still run into duplicate accounts even after using the middle initial. When this occurs, we just add a number to the end of the account name. For any method that uses the full last name, you will probably run into users who get married and need their logon name changed.
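As an added example, not code from the article, this Python allocator applies the exception policy just described (base name, then middle initial, then a trailing number) against an existing roster, and refuses any name longer than the limit so it can be handled case by case, which also covers the 8-character legacy limit from the section above. The 20-character cap is AD’s documented sAMAccountName limit; the function names, the placement of the middle initial, and the refuse-rather-than-truncate choice are my assumptions.

```python
import re

# Added example, not the article's code. Implements the article's exception
# policy: base name -> middle initial -> trailing number, refusing over-length names.

SAM_ACCOUNT_NAME_MAX = 20   # AD's hard limit on sAMAccountName length (fact, not from the article)
LEGACY_LIMIT = 8            # the 8-character limit of older systems mentioned in the article


def clean(part: str) -> str:
    """Lowercase a-z / 0-9 only; drops apostrophes, spaces and hyphens."""
    return re.sub(r"[^a-z0-9]", "", part.lower())


def first_dot_last(first: str, middle: str, last: str) -> str:
    """joe.smith, or joe.w.smith when a middle name is supplied (placement is my assumption)."""
    parts = [clean(first)] + ([clean(middle)[:1]] if middle else []) + [clean(last)]
    return ".".join(parts)


def initial_last(first: str, middle: str, last: str) -> str:
    """jsmith, or jwsmith when a middle name is supplied."""
    return clean(first)[:1] + (clean(middle)[:1] if middle else "") + clean(last)


def allocate_logon_name(first: str, last: str, existing, middle: str = "",
                        convention=first_dot_last, max_len: int = SAM_ACCOUNT_NAME_MAX) -> str:
    """Return the first free logon name under the article's exception policy.

    Raises ValueError instead of silently truncating when a candidate exceeds
    max_len, so long names are decided by a person rather than by code.
    """
    taken = {name.lower() for name in existing}   # AD logon names compare case-insensitively

    def is_free(candidate: str) -> bool:
        if len(candidate) > max_len:
            raise ValueError(f"{candidate!r} is longer than {max_len} characters; assign manually")
        return candidate not in taken

    base = convention(first, "", last)            # step 1: plain convention
    if is_free(base):
        return base
    if middle:                                    # step 2: add the middle initial
        base = convention(first, middle, last)
        if is_free(base):
            return base
    for n in range(2, 10_000):                    # step 3: joe.smith2, joe.smith3, ...
        candidate = f"{base}{n}"
        if is_free(candidate):
            return candidate
    raise RuntimeError("no free logon name found")


if __name__ == "__main__":
    # Constructed roster of existing sAMAccountNames (sample data, not real accounts).
    roster = {"joe.smith", "joe.w.smith", "JSMITH"}
    print(allocate_logon_name("Joe", "Smith", roster, middle="William"))          # joe.w.smith2
    print(allocate_logon_name("Joe", "Smith", roster, convention=initial_last))    # jsmith2
    try:
        allocate_logon_name("Joe", "Smith", roster, max_len=LEGACY_LIMIT)
    except ValueError as err:
        print("refused:", err)                                                      # joe.smith is 9 chars
```

The case-insensitive comparison matters: `JSMITH` and `jsmith` are the same account to AD, so a naive `in` check against mixed-case data would report a free name that the directory then rejects.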

In these circumstances extra work is required, including renaming the Active Directory account and home directories. The email address will also need to be either renamed or given a new alias. You may also end up with some really bad logon names that users ask to have changed; this is rare, but it does happen.

Thinking through a naming convention is easily overlooked, but as you can see there are many things to consider. Do you use a different naming convention? If so, share your method in the comments below.


15 thoughts on “Active Directory User Naming Conventions”

  1. Jim Scholtz

    Hi,
    Here is one to contemplate!
    I am an elected official in my town. The position is “Collector of Delinquent Taxes” and is responsible for collecting delinquent property taxes. The town uses a mixed bag of usernames and email addresses, and this organization consists, at any one moment, of a max of 50 users (name examples: first name only, last name only, first initial last name, first and last name…), usually what the new user requests! Rather sad by my estimation.

    Please do read on, I have a point and an important (if only to me) Question.

    As an engineer by trade and education, after I was elected I stepped back and looked at the likelihood that a new person would be doing this job every 3 years.

    First – email account through the town’s domain (@rutlandtown.com) would need to be passed on to the next person elected. Not easy if I had the administrator make my email address “jscholtz@rutlandtown.com”. With that in mind I chose “taxcollector@rutlandtown.com”. This will not only make the transfer to the next person elected, but also means people who contact this “person” (position) regularly will always have the correct email address (even if they don’t know they are emailing:
    “John Doe” and not
    “Jim Scholtz”).

    The Question:
    In Active Directory, when creating a new user, if the “User logon name” is made “taxcollector” and 3 years later a new person is elected, what effect will changing the other user information have?
    Specifically:
    First name: from Jim to John
    Last name: from Scholtz to Doe
    Initials: from JWS to JXD

    Reply
    • Robert Allen

      Hi Jim,

      I worked for the local government for 13 years and they loved generic email addresses, we had hundreds of them.

      For generic emails, we created a shared mailbox or a distribution group. Users would have their own account (plus mail address) and we would give them access to a shared mailbox. They could then send and receive from the shared mailbox as needed. This provides better security and allows you to audit individual users if needed.

      Reply
  2. Robert

    In my old position, at a university, we used first.last as a standard. In case of a duplicate, we added a number, so Joe.Smith2, for example. The university my daughter went to used first initial+lastname+year they entered the university. For example, if Joe Smith enrolled at the school in 2022, it would be jsmith22. In the case of duplicates, they would add a number at the end to designate additional users, so jsmith221, jsmith222, jsmith223, etc. I liked this approach, but administration at my university didn’t like the initials, so we stayed with first.last. In my current position in local government, we’re in the process of changing the naming format from first initial+last name to first.last.

    For people with long names (over 20 characters), we work on a case-by-case basis.

    Reply
    • Robert Allen

      The last company I worked at started with first initial + last name. In case of a duplicate, we added the middle initial. We later switched to full first name + last name and drastically reduced duplicates.

      Reply
  3. Joel

    In my organization we have a doubt. Is it a good technique to identify accounts with name.surname (or any other variant), understanding the rules of social engineering that can be applied in the face of a possible hacking attempt? Is it a good idea to use random-type nomenclatures? (For example: usr564232) What do you think about it?

    Reply
  4. Kyle

    My org creates first initial last name (jsmith) for AD and email address (jsmith@). Unfortunately they have a recent policy to not go longer than 10 digits and just chop off the last letters of a person’s name. We have no system restrictions on length as some have an 18 digit username. I find this lazy or disrespectful on some level but maybe that is just me. Does anyone else think this?

    Reply
  5. Ivan

    Has anybody heard if First.Last is a Microsoft cloud standard or recommended standard?
    The issue with this entails having to change other non-ms applications that don’t accept more than 8 characters for the user name field.

    Reply
  6. TrixM

    Also, there’s nothing in any OS that indicates the email address must be the same as their account name – it generally isn’t, these days. Certainly not in AD.

    Construct the email address using any other conventions based on the person’s name. Exchange does this with no problems with an address policy. The built-in address policies include firstname.lastname, first name initial + lastname, first name + lastname initial, etc, and a digit is assigned to the end if there is a collision. It’s not difficult to create a custom format either.

    Reply
    • Tee Deub

      Actually, in some systems if your UPN is not the same as your email address, you have MAJOR headaches.

      Reply
      • Robert Allen

        Tee, good point.

        Unless there is a very specific use case I have always matched UPN with email and the account name – the domain name. You can always add additional UPN names.

        Reply
  7. TrixM

    Using someone’s name or part of it as their account name or their logon ID is a bad idea, because when people’s names change, as they often do, they want to change their account name. You can explain as much as you like that you can change the display name or first and last name fields with no hassle, but they will still want to change it.

    Even more importantly, you will also have a problem with name collisions in any but the smallest organisation, which involves the workarounds some have mentioned above.

    Also, if someone’s name is quite long, they have a lot of characters to type.

    Depending on what systems you integrate with, you may find you have a length issue as well. Some very well-known systems only accept 12-char logon IDs.

    Use something like the employee ID, where it’s guaranteed to be immutable. Ensure that it’s unique to an individual no matter how many times they join or leave the organisation. Or build in a process where an account is not deleted for an interval after the staff member leaves, so their account can be renamed if they rejoin with a new ID and it is the same individual.

    Or just generate a random string, using their name as a seed if you must, but ensuring it actually isn’t their name in the end. A simple method that guarantees uniqueness is to use 2 letters as a prefix to indicate whether it was the 1st or 574th account created on the date, then either numbers or more letters in a simple substitution arrangement to indicate the account creation date.

    Reply
    • Robert Allen

      I agree and deal with name changes all the time. Including the user’s name in the account and email is very common, it’s easy for employees and customers to remember and relate to. I don’t think organizations or customers would like dealing with users or emails that are random strings or numbers.

      Reply
  8. Kirk

    We use 5 characters of last name and 2 characters of first name, then a number or letter to increment if there are duplicates. The 11th Joe Smith would be smithjob.

    Reply
  9. James Tucker

    A better naming convention is the users last name and the first initial of their first name. For example my name is James Tucker, therefore my username is tuckerj.

    This is easier for when auditing and listing all the user accounts.

    If there are duplicates (i.e. family members with the same letter for their first name) a style could be:

    John Smith = smithj
    Jane Smith = smithje
    Jack Smith = smithjk
    Janet Smith = smithjt

    I would refuse to use jsmith or jtucker as auditing can become a nightmare! It’s common for organizations to list their staff from last name, first, e.g. Smith John. Therefore, my method works well for this. When you print a list of usernames, you can easily search for the person from their last name, rather than having to look through 5000 Johns!

    Reply
    • Robert Allen

      James, good idea. I think you would still see several duplicates with that method.

      Reply
