In this article, I will look at some of the most common naming conventions for usernames in Active Directory. Each user account will need to be unique, so having a naming convention will make your job as an administrator easier.
There is no single best naming convention; it depends on your organization’s size and requirements.
Active Directory User Account Naming Convention Examples
For these examples, I’ll use Joe Smith and show you the various ways to create a naming convention.
1. Complete first name plus last name: This is by far the most commonly used naming convention I see organizations use. You take the user’s complete first name and complete last name, and use a period or hyphen to combine them.
This method has the advantage of creating easy-to-remember logon names, and it works well for small and large organizations. The one drawback to this method is that it can create long names that are over 8 characters. If there are duplicates, you can add the user’s middle initial.
2. Initial of first name and complete last name: You take the user’s first initial and combine it with their complete last name. This works well for large and small organizations, and it keeps the logon name shorter. In large organizations, you will have some duplicates. This method can also create some odd logon names.
The funniest combination I’ve seen was with a user Todd Estes, the logon name was testes. It didn’t take long for the user to call and request the name be changed. You must be flexible and make your end users happy.
3. First three characters of the first name and first three of the last name: You combine the first three characters of the first name and the first three of the last name.
This method has the advantage of creating short, easy-to-remember logon names. It would also keep the logon name under 8 characters. I don’t see any major drawbacks to this method, except that it might create some duplicate names.
4. First name plus EmployeeID: This combination is popular in very large organizations. It will prevent duplications as every employee will have a unique ID. It will not be the most user-friendly but it addresses many issues large organizations deal with. There are sometimes challenges in matching up AD accounts with HR systems and this naming convention can help solve that issue.
5. Three random letters and three numbers: This one was not commonly used but I could see some advantages to using it. It would work well in a very large environment. You would also avoid duplicate names and renaming accounts if a user’s last name changed.
The only drawback to this is the email address; I don’t think the users would want an email address that is random characters but you could always give them a different email address. This also may help with spam and security. If spammers get a list of usernames they will not be able to guess their email address.
To make it a little easier for users to remember, you could use the first three characters of their first name and three random numbers.
Example: For Joe Smith the logon name would be joe234
Things to Consider Before Changing Usernames
You need to do some homework before changing all usernames. You need to make sure all systems that use Active Directory for authentication will support the new naming convention. Below are some things to consider:
- Legacy applications or computer systems with an 8-character limit
- Single sign-on with other systems
Some legacy applications only allow 8 characters for the username. If you have programs like this, then you may want to limit your Active Directory accounts to 8 characters as well. Most programs let you map the username to a Windows name, which could be different.
The problem is that this creates a different logon name your users will need to remember, and we want to make things as easy for the users as possible. There is also a security concern: some of the commonly used naming conventions create easy-to-guess logon names.
This makes it easy for spammers and hackers to guess the logon name and email address. The last thing to consider is your applications that use single sign-on: will the naming scheme you choose be compatible with SSO?
- Duplicate names
- Last name change
- Odd or horrible logon names
There will always be problems, so you will need to be flexible with your users. For large environments, you could run into duplicate accounts with some of these methods. You will want to have the user’s complete name, including the middle name; you can use the middle name if you run into duplicate accounts.
There have been a few times where I’ve still run into duplicate accounts even after using the middle initial. When this occurs we just add a number to the end of the account. For any method that uses the full last name you will probably run into users that get married and will need their logon name changed.
In these types of circumstances, extra work will be required, which includes renaming the Active Directory account and home directories. The email address will also need to be either renamed or have a new alias added. You may also end up with some really bad logon names that the users request to be changed. This is rare, but it does happen.
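The first three conventions and the duplicate handling described above (middle initial first, then a number on the end), as an added PowerShell example that is not from the original article. The function name New-LogonName, the convention labels, where the middle initial is placed and the sample names are assumptions; the default of 20 is the sAMAccountName length limit for user accounts.

```powershell
# Constructed stand-in for the logon names that already exist in the domain.
# In a real domain this could be filled from (Get-ADUser -Filter *).SamAccountName.
$existing = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]@('joe.smith', 'jsmith', 'joesmi'),
    [System.StringComparer]::OrdinalIgnoreCase)

function New-LogonName {   # hypothetical helper, not a built-in cmdlet
    param(
        [Parameter(Mandatory)][string]$First,
        [Parameter(Mandatory)][string]$Last,
        [string]$Middle = '',
        [ValidateSet('FirstDotLast', 'InitialLast', 'ThreeThree')]
        [string]$Convention = 'FirstDotLast',
        [Parameter(Mandatory)]
        [System.Collections.Generic.HashSet[string]]$Taken,
        [int]$MaxLength = 20   # sAMAccountName limit; use 8 for legacy systems
    )
    # Keep letters and digits only so spaces, apostrophes and hyphens are dropped.
    $f = ($First  -replace '[^A-Za-z0-9]', '').ToLower()
    $l = ($Last   -replace '[^A-Za-z0-9]', '').ToLower()
    $m = ($Middle -replace '[^A-Za-z0-9]', '').ToLower()
    if (-not $f -or -not $l) { throw "Name has no usable characters: $First $Last" }

    $fi = $f.Substring(0, 1)
    $mi = if ($m) { $m.Substring(0, 1) } else { '' }
    $f3 = $f.Substring(0, [Math]::Min(3, $f.Length))
    $l3 = $l.Substring(0, [Math]::Min(3, $l.Length))
    switch ($Convention) {
        'FirstDotLast' { $base = "$f.$l";  $alt = "$f.$mi.$l" }
        'InitialLast'  { $base = "$fi$l";  $alt = "$fi$mi$l" }
        'ThreeThree'   { $base = "$f3$l3"; $alt = "$f3$mi$l3" }
    }
    # Order of preference: plain name, then middle initial, then a number.
    $candidates = @($base)
    if ($mi) { $candidates += $alt }
    $candidates += @(2..99 | ForEach-Object { "$base$_" })

    foreach ($c in $candidates) {
        # Add() returns $false when the name is already taken, and reserves it otherwise.
        if ($c.Length -le $MaxLength -and $Taken.Add($c)) { return $c }
    }
    throw "No free logon name for $First $Last within $MaxLength characters"
}

New-LogonName -First Joe -Last Smith -Middle Allen -Taken $existing
New-LogonName -First Joe -Last Smith -Taken $existing -Convention InitialLast
New-LogonName -First Joe -Last Smith -Taken $existing -Convention ThreeThree -MaxLength 8
```

With `-MaxLength 8`, the full first-name-plus-last-name convention throws for Joe Smith instead of silently truncating, which surfaces the legacy 8-character problem before the account is created.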
Thinking through a naming convention can easily be overlooked, but as you can see, there are many things to consider. Do you use a different naming convention? If so, share your method in the comments below.