In this article, I will look at some of the most commonly used naming conventions for creating Windows Active Directory user accounts. Each user account will need to be unique, so having a naming convention will make your job as an administrator easier.
There is no single best naming convention; it depends on your organization's size and requirements. First, let's look at some things you need to consider and what problems you may run into when using a particular naming scheme.
Things to consider
- Legacy applications or computer systems with 8 character limit
- Single Sign on with other systems
Some legacy applications only allow 8 characters for the username. If you have programs like this, then you may want to limit your Active Directory accounts to 8 characters as well. Most programs let you map the username to a Windows name, which could be different.
The problem is that this creates a different logon name your users will need to remember. We want to make things as easy for the users as possible. Some of the commonly used naming conventions create easy-to-guess logon names, which is a security concern.
This makes it easy for spammers and hackers to guess the logon name and email address. The last thing to consider is whether the naming scheme you choose will be compatible with your applications that use single sign-on (SSO).
- Duplicate names
- Last name change
- Odd or horrible logon names
There will always be problems, so you will need to be flexible with your users. For large environments, you could run into duplicate accounts with some of these methods. You will want to have the user's complete name, including the middle name; you can use the middle name if you run into duplicate accounts.
There have been a few times where I’ve still run into duplicate accounts even after using the middle initial. When this occurs we just add a number to the end of the account. For any method that uses the full last name you will probably run into users that get married and will need their logon name changed.
In these circumstances, extra work will be required, which includes renaming the Active Directory account and home directories. The email address will also need to be either renamed or have a new alias added. You may also end up with some really bad logon names that the users request to be changed; this is rare, but it does happen.
1. Complete first name plus last name: This is by far the most commonly used naming convention I found other people using. You take the user's complete first name and combine it with the complete last name. A hyphen or period may also be added.
Example: For Joe Smith the logon name would be joe.smith; if there are duplicates, just add the middle initial: joe.a.smith.
This method has the advantage of creating easy to remember logon names and it works well for small and large organizations. The one drawback to this method is it can create long names that are over 8 characters.
2. Initial of first name and complete last name: You take the user’s first initial and combine it with their complete last name. This works well for large and small organizations, and it keeps the logon name shorter. In large organizations you will have some duplicates. This method can also create some odd logon names.
The funniest combination I've seen was with a user Todd Estes; the logon name was testes. It didn't take long for the user to call and request the name be changed. You must be flexible and make your end users happy.
Example: For Joe Smith the logon name would be jsmith; if there are duplicates, use the middle initial: jasmith.
3. First three characters of the first name and first three of last name: You combine the first three characters of the first name and the first three of the last name.
Example: For Joe Smith the logon name would be joesmi; if there are duplicates, just add the middle initial: joeasmi.
This method has the advantage of creating short easy to remember logon names. It would also keep the logon name under 8 characters. I don’t see any major drawbacks to this method, except that it might create some duplicate names.
4. Three random letters and three numbers: This one was not commonly used but I could see some advantages to using it. It would work well in a very large environment. You would also avoid duplicate names and renaming accounts if a user’s last name changed.
The only drawback to this is the email address; I don't think the users would want an email address that is random characters, but you could always give them a different email address. This also may help with spam and security. If spammers get a list of usernames, they will not be able to guess their email address.
What you could do to make it a little easier for users to remember is use the first three characters of their first name and three random numbers.
Example: For Joe Smith the logon name would be joe234
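The following PowerShell sketch is an added example, not code from the original article: it generates logon names for conventions 1 to 3, applies the duplicate handling described above (middle initial first, then a trailing number) and flags names over the 8-character legacy limit. The function names, the in-memory set of taken names and the choice to start numbering at 2 are assumptions made for illustration.

```powershell
# Added example. Function names and sample data are hypothetical/constructed.
function New-LogonNameCandidate {
    param(
        [Parameter(Mandatory)][string]$First,
        [Parameter(Mandatory)][string]$Last,
        [Parameter(Mandatory)][ValidateSet('FirstDotLast','InitialLast','ThreeThree')][string]$Scheme,
        [string]$Middle = ''
    )
    # Normalise to lowercase a-z so spaces, hyphens and apostrophes never reach the logon name.
    $f = $First.ToLower() -replace '[^a-z]', ''
    $l = $Last.ToLower() -replace '[^a-z]', ''
    $m = $Middle.ToLower() -replace '[^a-z]', ''
    if (-not $f -or -not $l) { throw 'First and last name must each contain a letter.' }
    if ($m) { $m = $m.Substring(0, 1) }   # only the middle initial is used
    switch ($Scheme) {
        'FirstDotLast' { if ($m) { ($f, $m, $l) -join '.' } else { ($f, $l) -join '.' } }
        'InitialLast'  { $f.Substring(0, 1) + $m + $l }
        'ThreeThree'   { $f.Substring(0, [Math]::Min(3, $f.Length)) + $m +
                         $l.Substring(0, [Math]::Min(3, $l.Length)) }
    }
}

function Resolve-LogonName {
    param(
        [Parameter(Mandatory)][string]$First,
        [Parameter(Mandatory)][string]$Last,
        [Parameter(Mandatory)][string]$Scheme,
        [System.Collections.Generic.HashSet[string]]$Taken,
        [string]$Middle = '',
        [int]$LegacyLimit = 8
    )
    $name = New-LogonNameCandidate -First $First -Last $Last -Scheme $Scheme
    if ($Taken.Contains($name) -and $Middle) {
        # First fallback from the article: insert the middle initial.
        $name = New-LogonNameCandidate -First $First -Last $Last -Scheme $Scheme -Middle $Middle
    }
    # Second fallback: append a number. Starting at 2 is an assumption.
    $base = $name
    for ($n = 2; $Taken.Contains($name); $n++) { $name = "$base$n" }
    [void]$Taken.Add($name)   # reserve it so later users in the same batch cannot collide
    [pscustomobject]@{ LogonName = $name; OverLegacyLimit = ($name.Length -gt $LegacyLimit) }
}

# Constructed sample directory in which the plain and middle-initial names already exist.
$taken = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
'jsmith', 'jasmith' | ForEach-Object { [void]$taken.Add($_) }
Resolve-LogonName -First 'Joe' -Middle 'Adam' -Last 'Smith' -Scheme InitialLast -Taken $taken
Resolve-LogonName -First 'Joe' -Middle 'Adam' -Last 'Smith' -Scheme FirstDotLast -Taken $taken
```

In a real directory the set of taken names would be loaded from existing accounts before a bulk import, and the comparison is case-insensitive because logon names are not case-sensitive.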
Thinking through a naming convention can easily be overlooked, but as you can see there are many things to consider. Do you use a different naming convention? If so, share your method in the comments below.