In this article I will look at some of the most commonly used naming conventions for creating Windows Active Directory user accounts. Every logon name has to be unique within the domain, so settling on a naming convention up front will make your job as an administrator easier.

There is no single best naming convention; the right choice depends on the size of your organization and its requirements. First let's look at the things you need to consider, and the problems you may run into with a particular naming scheme.

Things to consider

  • Legacy applications or computer systems with an 8-character limit
  • Security
  • Single sign-on with other systems

Some legacy applications only allow 8 characters for the username. If you have programs like this you may want to limit your Active Directory logon names to 8 characters as well. Most programs let you map their username to a Windows logon name that is different. Active Directory itself has a limit too: the pre-Windows 2000 logon name (sAMAccountName) of a user account cannot exceed 20 characters, while the user principal name (UPN) can be longer.

The problem is that such a mapping creates a second logon name your users have to remember, and we want to make things as easy for users as possible. Security is the next concern: most of the common conventions produce logon names that can be derived from a person's real name alone.

Anyone who knows, or can guess, that the scheme is first.last can turn a public staff directory into a list of valid logon names and email addresses, which is exactly what spammers, phishers and password-spraying attackers want. The last thing to consider is your applications that use single sign-on: will the naming scheme you choose be compatible with SSO, and will the logon name, UPN and email address line up the way those applications expect?

Exceptions Policy

  • Duplicate names
  • Last name change
  • Odd or horrible logon names

There will always be exceptions, so you will need to be flexible with your users. In large environments you will run into duplicates with several of these methods. Record the user's complete name, including the middle name, when the account is created; the middle initial is your first fallback when two people would otherwise get the same logon name.

There have been a few times where I've still run into duplicates even after using the middle initial. When this occurs we just add a number to the end of the account. For any method that uses the full last name you will run into users who get married and need their logon name changed.

In these cases extra work is required: renaming the Active Directory account (both the sAMAccountName and the UPN), renaming the home directory and any profile paths that contain the old name, and either renaming the email address or adding the new address as an alias (keep the old address as a secondary alias so mail sent to it still arrives). You may also end up with some really bad logon names that users ask to have changed; this is rare, but it does happen.

Naming Conventions

1. Complete first name plus complete last name: This is by far the most common convention I have found other people using. You take the user's complete first name and combine it with the complete last name, usually separated by a period or a hyphen.

Example: For Joe Smith the logon name would be joe.smith; if there is a duplicate, add the middle initial: joe.a.smith.

This method has the advantage of creating easy to remember logon names, and it works well for small and large organizations. The drawbacks are that it produces long names, usually well over the 8-character limit of legacy systems, and that the names are trivially predictable from a person's real name.

2. First initial plus complete last name: You take the user's first initial and combine it with their complete last name. This works well for large and small organizations, and it keeps the logon name shorter. In large organizations you will get some duplicates, and this method can also create some odd logon names.

The funniest combination I've seen was for a user named Todd Estes, whose logon name came out as testes. It didn't take long for the user to call and request that the name be changed. You must be flexible and keep your end users happy.

Example: For Joe Smith the logon name would be jsmith; if there is a duplicate, use the middle initial: jasmith.

3. First three characters of the first name plus first three of the last name: You combine the first three characters of the first name with the first three characters of the last name.

Example: For Joe Smith the logon name would be joesmi; if there is a duplicate, add the middle initial: joeasmi.

This method has the advantage of creating short, easy to remember logon names, and it keeps the logon name under 8 characters even with the middle initial added. I don't see any major drawbacks, except that truncating both names makes collisions more likely than with the first two methods (Joe Smith and Joel Smithson both become joesmi).

4. Three random letters and three numbers: This one is not commonly used, but I can see some advantages to it. It would work well in a very large environment. Duplicates become rare (you still have to check that the generated name is free before creating the account), and you never have to rename an account when a user's last name changes.

The only drawback is the email address; users would not want an address made of random characters, but you can always give them an email address that differs from the logon name. This also helps with spam and security: if spammers or attackers obtain a list of email addresses they cannot derive the logon names from it, and a leaked list of logon names does not give them the email addresses.

Example: aed234

To make the names a little easier for users to remember, use the first three characters of the first name plus three random numbers.

Example: For Joe Smith the logon name would be joe234
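The four conventions above, together with the exceptions policy (middle initial first, then a numeric suffix) and the length limits from the "Things to consider" section, carried through in PowerShell. This is an added example and not code from the original article; the function and parameter names are my own, and the set of names already in use is constructed in-memory so the script runs without a domain. Replace the `$exists` script block with the commented `Get-ADUser` line to check against a real directory.

```powershell
# Added example, not from the original article: build a logon name under each
# convention above and resolve duplicates the way the exceptions policy describes
# (middle initial first, then a number). The "directory" is a constructed in-memory
# set so this runs without a domain; the commented Get-ADUser line is the real check.

function Limit([string] $s, [int] $n) {
    # First $n characters of $s, or all of it if it is shorter
    if ($s.Length -le $n) { $s } else { $s.Substring(0, $n) }
}

function Get-LogonNameCandidate {
    param(
        [Parameter(Mandatory)] [string] $First,
        [Parameter(Mandatory)] [string] $Last,
        [string] $Middle = '',
        [ValidateSet('FirstDotLast', 'InitialLast', 'ThreeThree', 'FirstThreeRandom')]
        [string] $Scheme = 'FirstDotLast',
        [switch] $UseMiddle
    )
    # Lower-case and keep letters only, so "O'Brien" or "de la Cruz" yield a clean name
    $f = ($First  -replace '[^A-Za-z]', '').ToLower()
    $l = ($Last   -replace '[^A-Za-z]', '').ToLower()
    $m = ($Middle -replace '[^A-Za-z]', '').ToLower()
    if (-not $f -or -not $l) { throw "First and last name must contain letters" }
    $mi = if ($UseMiddle -and $m) { $m.Substring(0, 1) } else { '' }

    switch ($Scheme) {
        'FirstDotLast'     { if ($mi) { "$f.$mi.$l" } else { "$f.$l" } }
        'InitialLast'      { $f.Substring(0, 1) + $mi + $l }
        'ThreeThree'       { (Limit $f 3) + $mi + (Limit $l 3) }
        'FirstThreeRandom' { (Limit $f 3) + ('{0:D3}' -f (Get-Random -Maximum 1000)) }
    }
}

function Resolve-UniqueLogonName {
    param(
        [Parameter(Mandatory)] [hashtable] $Person,   # keys: First, Last, Middle
        [string] $Scheme = 'FirstDotLast',
        [int] $MaxLength = 20,                         # AD caps a user's sAMAccountName at 20; use 8 for legacy apps
        [Parameter(Mandatory)] [scriptblock] $Exists   # returns $true when the name is already taken
    )
    $base   = Get-LogonNameCandidate -First $Person.First -Last $Person.Last -Middle $Person.Middle -Scheme $Scheme
    $withMi = Get-LogonNameCandidate -First $Person.First -Last $Person.Last -Middle $Person.Middle -Scheme $Scheme -UseMiddle
    $candidates = @($base)
    if ($withMi -ne $base) { $candidates += $withMi }

    # 1) plain name, 2) with middle initial; both trimmed to the length limit
    foreach ($c in $candidates) {
        $c = Limit $c $MaxLength
        if (-not (& $Exists $c)) { return $c }
    }
    # 3) still taken: append 2, 3, ... while staying inside the limit
    $last = $candidates[-1]
    for ($n = 2; $n -lt 1000; $n++) {
        $c = (Limit $last ($MaxLength - "$n".Length)) + $n
        if (-not (& $Exists $c)) { return $c }
    }
    throw "No free logon name for $($Person.First) $($Person.Last) under scheme $Scheme"
}

# Constructed set of names already in use (stands in for the domain)
$taken  = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
foreach ($n in 'joe.smith', 'joe.a.smith', 'jsmith') { [void] $taken.Add($n) }
$exists = { param($name) $taken.Contains($name) }
# Against a real domain:
# $exists = { param($name) [bool] (Get-ADUser -Filter "sAMAccountName -eq '$name'") }

$joe = @{ First = 'Joe'; Middle = 'Adam'; Last = 'Smith' }
foreach ($scheme in 'FirstDotLast', 'InitialLast', 'ThreeThree') {
    $name = Resolve-UniqueLogonName -Person $joe -Scheme $scheme -Exists $exists
    [void] $taken.Add($name)          # reserve it so a later run sees the collision
    '{0,-14} {1}' -f $scheme, $name   # joe.a.smith2, jasmith, joesmi
}
# Legacy system with an 8-character limit: the long scheme is simply truncated
'{0,-14} {1}' -f 'Legacy8', (Resolve-UniqueLogonName -Person $joe -Scheme 'FirstDotLast' -Exists $exists -MaxLength 8)
```

With joe.smith, joe.a.smith and jsmith already taken, the first scheme falls all the way through to joe.a.smith2, the second settles on jasmith after the middle initial, and the third is free on the first try. Note that the 8-character run returns joe.smit rather than something meaningful: a length cap on a scheme built around full names produces names nobody will guess correctly, which is the argument for picking a scheme that fits the limit instead of truncating.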

Thinking through a naming convention is easily overlooked, but as you can see there are many things to consider. Do you use a different naming convention? If so, share your method in the comments below.

8 Comments

  1. James Tucker on October 31, 2018 at 11:32 pm

    A better naming convention is the user's last name and the first initial of their first name. For example, my name is James Tucker, therefore my username is tuckerj.

    This is easier for when auditing and listing all the user accounts.

    If there are duplicates (i.e. family members with the same letter for their first name) a style could be:

    John Smith = smithj
    Jane Smith = smithje
    Jack Smith = smithjk
    Janet Smith = smithjt

    I would refuse to use jsmith or jtucker as auditing can become a nightmare! It’s common for organizations to list their staff from last name, first e.g. Smith John. Therefore, my method works well for this. When you print a list of usernames, you can easily search for the person from their last name, rather than to have to look through 5000 John’s!

    • Robert Allen on November 2, 2018 at 11:33 am

      James, good idea. I think you would still see several duplicates with that method.

  2. Kirk on March 20, 2019 at 3:55 pm

    We use 5 characters of last name and 2 characters of first name, then a number or letter to increment if there are duplicates. The 11th Joe Smith would be smithjob.

  3. TrixM on August 30, 2019 at 6:51 am

    Using someone’s name or part of it as their account name of their logon ID is a bad idea, because when people’s names change, as they often do, they want to change their account name. You can explain as much as you like that you can change the display name or first and last name fields with no hassle, but they will still want to change it.

    Even more importantly, you will also have a problem with name collisions in any but the smallest organisation, which involves the workarounds some have mentioned above.

    Also, if someone’s name is quite long, they have a lot of characters to type.

    Depending on what systems you integrate with, you may find you have a length issue as well. Some very well-known systems only accept 12-char logon IDs.

    Use something like the employee ID, where it’s guaranteed to be immutable. Ensure that it’s unique to an individual no matter how many times they join or leave the organisation. Or build in a process where an account is not deleted for an interval after the staff member leaves, so their account can be renamed if they rejoin with a new ID and it is the same individual.

    Or just generate a random string, using their name as a seed if you must, but ensuring it actually isn’t their name in the end. A simple method that guarantees uniqueness is to use 2 letters as a prefix to indicate whether it was the 1st or 574th account created on the date, then either numbers or more letters in a simple substitution arrangement to indicate the account creation date.

    • Robert Allen on September 1, 2019 at 2:44 pm

      I agree and deal with name changes all the time. Including the user’s name in the account and email is very common, it’s easy for employees and customers to remember and relate to. I don’t think organizations or customers would like dealing with users or emails that are random strings or numbers.

  4. TrixM on August 30, 2019 at 6:57 am

    Also, there’s nothing in any OS that indicates the email address must be the same as their account name – it generally isn’t, these days. Certainly not in AD.

    Construct the email address using any other conventions based on the person’s name. Exchange does this with no problems with an address policy. The built-in address policies include firstname.lastname, first name initial + lastname, first name + lastname initial, etc, and a digit is assigned to the end if there is a collision. It’s not difficult to create a custom format either.

    • Tee Deub on June 17, 2020 at 6:42 pm

      Actually, in some systems if your UPN is not the same as your email address, you have MAJOR headaches.

      • Robert Allen on June 26, 2020 at 6:50 pm

        Tee, good point.

        Unless there is a very specific use case I have always matched UPN with email and the account name – the domain name. You can always add additional UPN names.
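A check for the UPN and email mismatch discussed in this thread, as an added example that is not part of the article or of any comment. The function name and the sample accounts are my own; the sample objects are constructed inline to stand in for `Get-ADUser` output so the check runs without a domain.

```powershell
# Added example, not from the article or the comments: flag accounts whose UPN and
# primary SMTP address differ. Sample users are constructed so this runs offline;
# the commented lines show the live query and the fix.

function Find-UpnMailMismatch {
    param([Parameter(Mandatory, ValueFromPipeline)] [object[]] $User)
    process {
        foreach ($u in $User) {
            if (-not $u.mail) { continue }                # no mailbox, nothing to compare
            if ($u.UserPrincipalName -ne $u.mail) {       # -ne is case-insensitive in PowerShell
                [pscustomobject]@{
                    SamAccountName    = $u.SamAccountName
                    UserPrincipalName = $u.UserPrincipalName
                    Mail              = $u.mail
                    SuggestedUpn      = $u.mail           # the address users already know
                }
            }
        }
    }
}

# Constructed sample data in the shape Get-ADUser -Properties mail returns
$sample = @(
    [pscustomobject]@{ SamAccountName = 'joe.smith';  UserPrincipalName = 'joe.smith@corp.local';  mail = 'joe.smith@example.com' }
    [pscustomobject]@{ SamAccountName = 'jasmith';    UserPrincipalName = 'jasmith@example.com';   mail = 'jasmith@example.com' }
    [pscustomobject]@{ SamAccountName = 'svc-backup'; UserPrincipalName = 'svc-backup@corp.local'; mail = $null }
)
$sample | Find-UpnMailMismatch | Format-Table -AutoSize   # reports joe.smith only

# Live domain:
#   Get-ADUser -Filter * -Properties mail | Find-UpnMailMismatch
# Fix: the e-mail domain must be registered as a UPN suffix in the forest first,
# then the account's UPN can be set to its address:
#   Get-ADForest | Set-ADForest -UPNSuffixes @{Add = 'example.com'}
#   Set-ADUser -Identity joe.smith -UserPrincipalName 'joe.smith@example.com'
```

Run the report before changing anything; a UPN change is visible to every application that authenticates by UPN, so treat the suggested value as a to-do list, not an automatic fix.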
