SamAccountName

samAccountName#

The samAccountName is defined in MSDN.

LDAP Attribute Definition#

The SamAccountName AttributeTypes is defined as:

Interesting Aspects#

Required?#

As far as we know, although the schema and MSDN state it is "required", Windows Server 2003 and later will create a SamAccountName for you if you don't specify one, but it is really ugly, like: $9J2000-F2RTQRTA7C5F. Windows Server 2000 Microsoft Active Directory does not create a SamAccountName; you must specify a value.

Restricted Values#

There are some restrictions on the characters allowed in the value, but we cannot find any "official" documentation of what the restrictions are.

When you apply an invalid SamAccountName value on Windows Server 2003, you will receive an error:

Error while executing LDIF
 - [LDAP: error code 80 - 00000523: SysErr: DSID-031A0FB6, problem 22 (Invalid argument), data
  javax.naming.NamingException: [LDAP: error code 80 - 00000523: SysErr: DSID-031A0FB6, problem 22 (Invalid argument), data 0

We found a reference listing the following characters as invalid in a SamAccountName (Windows Server 2003):

" [ ] : ; | = + * ? < > / \ ,

These appear to work:

! @ # $ % ^ & ~ `

We have seen it written[1] that the following applies:

  • Unicode characters are valid, but accented characters generate collisions: you can provision jmüller today and, if tomorrow you try to provision jmuller, you will get a collision. So it is better to normalize your SamAccountNames.
  • The SamAccountName cannot end with . (period).
  • Blanks (space) are allowed.

RegEx For Verification[2]#

We have used this and it appears to work:
^(?:(?:[^. \"\/\\\[\]\:\|\\+\=\;\?\*\<\>\,][^\"\/\\\[\]\:\|\\+\=\;\?\*\<\>\,]{0,62}[^. \"\/\\\[\]\:\|\\+\=\;\?\*\<\>\,])|[^.\"\/\\\[\]\:\|\\+\=\;\?\*\<\>\,])$

This translates to:

  • Not starting with a period (.) or a space ( ). This, by design, excludes strings consisting solely of periods (.) or spaces ( ).
  • Between 1 and 64 characters (inclusive) long.
  • Not including any of these characters: " [ ] : ; | = + * ? < > / \ ,
  • Not ending in a period (.).
  • I realize the page says 63 characters, but my testing shows 64 to be valid (Windows Server 2008), yet the schema page [1] says 256!

Adding or Modifying SamAccountName#

Adding or modifying a user via LDAP with a samAccountName value that is already used by an existing user entry will result in the following error:
Error while executing LDIF
 - [LDAP: error code 68 - 00000524: UpdErr: DSID-031A0F4F, problem 6005 (ENTRY_EXISTS), data 
  javax.naming.NameAlreadyBoundException: [LDAP: error code 68 - 00000524: UpdErr: DSID-031A0F4F, problem 6005 (ENTRY_EXISTS), data 0
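As an added example (not code from this wiki page), here is a Python pre-provisioning check that applies the bullet rules from the RegEx section and the page's regex to candidate names, normalizes accented names the way the page recommends so that jmüller and jmuller are caught as the same key, and simulates the duplicate-entry rejection above against an in-memory set standing in for the directory. The names `rule_problems`, `regex_ok`, `normalize`, `provision` and `EntryExists` are invented for this example.

```python
import re
import unicodedata

PAGE_REGEX = re.compile(  # the page's verification regex, split across raw strings
    r'^(?:(?:[^. \"\/\\\[\]\:\|\\+\=\;\?\*\<\>\,]'
    r'[^\"\/\\\[\]\:\|\\+\=\;\?\*\<\>\,]{0,62}'
    r'[^. \"\/\\\[\]\:\|\\+\=\;\?\*\<\>\,])'
    r'|[^.\"\/\\\[\]\:\|\\+\=\;\?\*\<\>\,])$'
)
INVALID_CHARS = set('"[]:;|=+*?<>/\\,')  # the page's invalid-character list
MAX_LEN = 64  # the limit the page found by testing on Windows Server 2008

def rule_problems(name: str) -> list:
    """Spell out the page's bullet rules; an empty list means the name passes."""
    problems = []
    if not 1 <= len(name) <= MAX_LEN:
        problems.append("length %d not in 1..%d" % (len(name), MAX_LEN))
    bad = sorted(INVALID_CHARS.intersection(name))
    if bad:
        problems.append("invalid character(s): " + " ".join(bad))
    if name[:1] in (".", " "):
        problems.append("starts with a period or space")
    if name.endswith("."):
        problems.append("ends with a period")
    return problems

def regex_ok(name: str) -> bool:
    """The same check via the page's regex (which also rejects a trailing space)."""
    return PAGE_REGEX.fullmatch(name) is not None

def normalize(name: str) -> str:
    """Fold accents away (NFKD, drop combining marks) so that jmüller and jmuller
    map to the same key, and lower-case it because AD matches sAMAccountName
    case-insensitively. This is the normalization the page recommends."""
    folded = unicodedata.normalize("NFKD", name)
    return "".join(c for c in folded if not unicodedata.combining(c)).lower()

class EntryExists(Exception): pass  # stand-in for AD's error code 68 (ENTRY_EXISTS)

def provision(existing: set, name: str) -> str:
    """Validate, normalize and store `name` in `existing` (a constructed in-memory stand-in for AD)."""
    problems = rule_problems(name)
    if problems or not regex_ok(name):
        raise ValueError("%r rejected: %s" % (name, "; ".join(problems) or "rejected by regex"))
    key = normalize(name)
    if key in existing:
        raise EntryExists("%r collides with existing entry %r" % (name, key))
    existing.add(key)
    return key
```

Running the rule list and the regex side by side is deliberate: the regex additionally rejects a name that ends in a space and accepts a lone space, which the bullet list does not mention, so a name is only provisioned when both agree.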
