The samAccountName is defined in MSDN.

LDAP Attribute Definition#

The SamAccountName AttributeTypes is defined as:

Interesting Aspects#

  • SamAccountName attribute is a single-valued attribute that is the logon name used to support clients and servers from a previous version of Windows.
  • SamAccountName must be less than 20 characters to support clients and servers running earlier versions of the operating system, such as Windows NT 4.0, Windows 95, Windows 98, and LAN Manager.
  • The schema reports the size for SamAccountName as an upper range of 256.
  • "pre-Windows 2000 logon name" is the label in MMC Account Tab
  • SamAccountName value must be unique among all security principal objects within an AD DOMAIN.[7]


As far as we know, although the schema and MSDN state that it is "required", Win2K3 and later will create a sAMAccountName for you if you don't specify one, but it is really ugly, like: $9J2000-F2RTQRTA7C5F. Win2K AD does not create a sAMAccountName; you must specify a value.

Restricted Values#

There are some value restrictions on the characters, but we cannot find any "official" documentation of what the restrictions are. When we tried to put in values like: When you apply a bad samAccountName value in W2k3, you will receive an error:
Error while executing LDIF
 - [LDAP: error code 80 - 00000523: SysErr: DSID-031A0FB6, problem 22 (Invalid argument), data
  javax.naming.NamingException: [LDAP: error code 80 - 00000523: SysErr: DSID-031A0FB6, problem 22 (Invalid argument), data 0

We found a reference showing the following characters as invalid in sAMAccountName values: (W2k3)

" [ ] : ; | = + * ? < > / \ ,

These appear to work:

! @ # $ % ^ & ~ `

We have seen it written[1] that the following are valid:

  • Unicode characters, but accented characters generate collisions. So you can provision jmüller today, and if tomorrow you try to provision jmuller, you will get a collision. So it is better to normalize your sAMAccountNames.
  • The sAMAccountName cannot end with . (period).
  • Blanks (space) are allowed.

RegEx For Verification[2]#

^(?:(?:[^. \"\/\\\[\]\:\|\\+\=\;\?\*\<\>\,][^\"\/\\\[\]\:\|\\+\=\;\?\*\<\>\,]{0,62}[^. \"\/\\\[\]\:\|\\+\=\;\?\*\<\>\,])|[^.\"\/\\\[\]\:\|\\+\=\;\?\*\<\>\,])$

This translates to:

  • Not Starting with a period (.) or a space ( ). - This, by design, excludes strings consisting solely of all periods (.) or spaces ( ).
  • Between 1 and 64 characters (inclusive) long.
  • Not including any of these characters: " [ ] : ; | = + * ? < > / \ ,
  • Not ending in a period (.).
  • I realize the page says 63 characters, but my testing shows 64 to be valid (Win2k8) yet schema page [1] says 256!
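
The rules from the two sections above, combined into a pre-provisioning check. This is an added example, not code from the original page; `check_sam`, `collision_key` and `find_collisions` are hypothetical names, and the accent-stripping key is an assumed approximation of the collision behaviour described above, not Microsoft's comparison algorithm.

```python
import re
import unicodedata

# Verification regex exactly as given on this page (1 to 64 characters).
SAM_RE = re.compile(
    r'^(?:(?:[^. \"\/\\\[\]\:\|\\+\=\;\?\*\<\>\,][^\"\/\\\[\]\:\|\\+\=\;\?\*\<\>\,]{0,62}'
    r'[^. \"\/\\\[\]\:\|\\+\=\;\?\*\<\>\,])|[^.\"\/\\\[\]\:\|\\+\=\;\?\*\<\>\,])$'
)
LEGACY_LIMIT = 20  # this page: "must be less than 20 characters" for older clients


def check_sam(name):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if not SAM_RE.match(name):
        problems.append("rejected by the verification regex")
    if len(name) >= LEGACY_LIMIT:
        problems.append("not under the 20-character legacy limit")
    return problems


def collision_key(name):
    """Assumption: approximate the directory's comparison by stripping
    combining marks (accents) and case-folding. Not Microsoft's algorithm."""
    decomposed = unicodedata.normalize("NFKD", name)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold()


def find_collisions(candidates, existing):
    """Map each candidate to the earlier name whose collision key it shares."""
    taken = {collision_key(e): e for e in existing}
    clashes = {}
    for cand in candidates:
        key = collision_key(cand)
        if key in taken:
            clashes[cand] = taken[key]
        else:
            taken[key] = cand
    return clashes


if __name__ == "__main__":
    existing = ["jm\u00fcller"]  # constructed sample: jmüller is already provisioned
    batch = ["jmuller", "john smith", "jsmith.", "a/b", "svc-backup-reporting-01"]
    for name in batch:
        print(repr(name), check_sam(name) or "ok")
    print("collisions:", find_collisions(batch, existing))
```

Running the collision check against the names already in the directory before submitting an LDIF catches the ENTRY_EXISTS case up front instead of at write time.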

Adding or Modifying samAccountName#

Adding or modifying a user, from LDAP, with a samAccountName value that is the same as that of an existing user entry will result in the following error:
Error while executing LDIF
 - [LDAP: error code 68 - 00000524: UpdErr: DSID-031A0F4F, problem 6005 (ENTRY_EXISTS), data 
  javax.naming.NameAlreadyBoundException: [LDAP: error code 68 - 00000524: UpdErr: DSID-031A0F4F, problem 6005 (ENTRY_EXISTS), data 0

More Information#

There might be more information for this subject on one of the following:

This page (revision-22) was last changed on 30-Jul-2016 20:50 by jim