!!! samAccountName

The [samAccountName is defined in MSDN.|http://msdn.microsoft.com/en-us/library/ms679635%28v=vs.85%29.aspx|target='_blank']

!! [LDAP] [Attribute] Definition

The [{$pagename}] [AttributeTypes] is defined as:
* [OID] of [1.2.840.113556.1.4.221]
* [NAME|Attribute-Name]: [{$pagename}]
* DESC: User logon name (pre-Windows 2000)
* [EQUALITY]: []
* [ORDERING]: []
* SYNTAX: [1.3.6.1.4.1.1466.115.121.1.15]
* [SINGLE-VALUE]
* Used as [MUST] in:
** [securityPrincipal]
* Used [MAY] in:

!! Interesting Aspects
* [{$pagename}] is a [SINGLE-VALUE] [attribute] holding the logon name used to support clients and servers from earlier versions of Windows.
* [{$pagename}] [MUST] be less than __20 characters__ to support clients and servers running earlier versions of the [Operating System], such as Windows NT 4.0, [Windows 95], [Windows 98], and LAN Manager.
* The schema reports the size of [{$pagename}] as an upper range of 256.
* "pre-Windows 2000 logon name" is the label shown in the [MMC Account Tab].
* The [{$pagename}] value must be a [Unique Identifier] among all security principal objects within an [AD DOMAIN].[7]
* [{$pagename}] is an [Ambiguous Name Resolution] value.

!! Required?
As far as we know, although the schema and MSDN state that it is "required", [Windows Server 2003] and later will create a [{$pagename}] for you if you do not specify one, but the generated value is ugly, e.g. $9J2000-F2RTQRTA7C5F. [Windows Server 2000] [Microsoft Active Directory] does not create a [{$pagename}]; you must specify a value.

!! Restricted Values
There are some restrictions on the characters a value may contain, but we cannot find any "official" documentation of what the restrictions are.
When you apply a bad value to [{$pagename}] in [Windows Server 2003], you will receive an error:
{{{
Error while executing LDIF - [LDAP: error code 80 - 00000523: SysErr: DSID-031A0FB6, problem 22 (Invalid argument), data
javax.naming.NamingException: [LDAP: error code 80 - 00000523: SysErr: DSID-031A0FB6, problem 22 (Invalid argument), data 0
}}}
We found a reference showing the following characters to be invalid in a [{$pagename}] ([Windows Server 2003]):
{{{
" [ ] : ; | = + * ? < > / \ ,
}}}
These appear to work:
{{{
! @ # $ % ^ & ~ `
}}}
We have seen it written[1] that the following are valid:
* [unicode] characters, but accented characters generate collisions. So you can provision jmüller today, and if tomorrow you try to provision jmuller you will get a collision.[3] So better normalize your [{$pagename}]s.
* The [{$pagename}] cannot end with a period (.).
* Blanks (spaces) are allowed.

!! [RegEx] For Verification[2]
We have used this and it appears to work (the single-character alternative also rejects a lone space, so that it agrees with the first rule below):
{{{
^(?:(?:[^. \"\/\\\[\]\:\|\\+\=\;\?\*\<\>\,][^\"\/\\\[\]\:\|\\+\=\;\?\*\<\>\,]{0,62}[^. \"\/\\\[\]\:\|\\+\=\;\?\*\<\>\,])|[^. \"\/\\\[\]\:\|\\+\=\;\?\*\<\>\,])$
}}}
This translates to:
* __Not starting__ with a period (.) or a space ( ). This, by design, excludes strings consisting solely of periods (.) or spaces ( ).
* Between 1 and 64 characters (inclusive) long.
* Not including any of these characters: {{{" [ ] : ; | = + * ? < > / \ ,}}}
* Not ending in a period (.).
* I realize the page says 63 characters, but my testing shows 64 to be valid ([Windows Server 2008]), yet schema page [1] says 256!!!
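The rules collected above (invalid characters, length, leading period or space, trailing period) and the diacritic collision described under "Restricted Values" are easy to check before the LDAP add ever reaches the domain controller. The following Python is an added example written for this page; it is not code from the page, from reference [2], or from Microsoft. It transcribes the verification regex for Python's re module (with the one-character alternative tightened so a lone space is rejected, matching the first rule above), implements the same rules directly so the two can be cross-checked, and approximates the case- and diacritic-insensitive comparison behind the jmüller/jmuller collision by stripping combining marks after NFKD normalization. The function names, the LEGACY_MAX_LEN constant and the sample directory of existing names are all constructed for the example; the collision folding is an approximation, not AD's exact comparison algorithm.

```python
import re
import unicodedata

# Characters the page lists as invalid in a samAccountName (Windows Server 2003).
INVALID_CHARS = frozenset('"[]:;|=+*?<>/\\,')

# The page's verification regex transcribed for Python's re module. The one-character
# alternative is tightened to also reject a lone space (the page's own first rule:
# a value may not start with a period or a space). Total length 1..64.
SAM_REGEX = re.compile(
    r'^(?:'
    r'[^. "/\\\[\]:|+=;?*<>,][^"/\\\[\]:|+=;?*<>,]{0,62}[^. "/\\\[\]:|+=;?*<>,]'
    r'|[^. "/\\\[\]:|+=;?*<>,]'
    r')$'
)

# The page (quoting MSDN) says "less than 20 characters" for pre-Windows 2000 clients;
# LM20_UNLEN in lmcons.h, the LAN Manager / NT4 user-name limit, is 20, so a
# 20-character name still fits. Constant name chosen for this example.
LEGACY_MAX_LEN = 20


def check_sam_account_name(name):
    """Return the list of page rules a candidate samAccountName breaks (empty = OK)."""
    if not name:
        return ["empty value"]
    problems = []
    if len(name) > 64:
        problems.append("longer than 64 characters")
    bad = sorted(set(name) & INVALID_CHARS)
    if bad:
        problems.append("invalid characters: " + " ".join(bad))
    if name[0] in ". ":
        problems.append("starts with a period or space")
    if name.endswith("."):
        problems.append("ends with a period")
    return problems


def collision_key(name):
    """Fold a name for duplicate detection: case-insensitive and with diacritics
    removed, approximating the comparison that makes 'jmüller' and 'jmuller'
    collide (KB 938447). An approximation, not AD's exact algorithm."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return stripped.casefold()


def find_collision(candidate, existing_names):
    """Return the first existing name that would collide with candidate, else None."""
    key = collision_key(candidate)
    for existing in existing_names:
        if collision_key(existing) == key:
            return existing
    return None


def preflight(candidate, existing_names, legacy=False):
    """Everything a provisioning job should check before issuing the LDAP add:
    the page's rules, agreement with the regex, the optional pre-Windows 2000
    length limit, and a collision with names already in the directory."""
    problems = check_sam_account_name(candidate)
    # The regex encodes the same rules; a disagreement means one of them drifted.
    if bool(SAM_REGEX.match(candidate)) != (not problems):
        problems.append("regex and rule checks disagree; review the value by hand")
    if legacy and len(candidate) > LEGACY_MAX_LEN:
        problems.append("longer than %d characters (pre-Windows 2000 limit)" % LEGACY_MAX_LEN)
    clash = find_collision(candidate, existing_names)
    if clash is not None:
        problems.append("collides with existing account %r" % clash)
    return problems


if __name__ == "__main__":
    # Constructed sample of names already in the directory; not real accounts.
    existing = ["jmüller", "Administrator", "svc-backup"]
    for value in ["jsmith", "j smith", "jmuller", ".hidden", "trailing.", 'quo"te', "a" * 65]:
        print("%-12r -> %s" % (value, preflight(value, existing) or "OK"))
```

Run the module directly to see each constructed sample classified; in a provisioning pipeline, call preflight() with the samAccountName values already present in the target domain (for example the result of an LDAP search over every securityPrincipal) so that a name such as jmuller is refused locally instead of failing with ENTRY_EXISTS at the directory.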
!! Adding or Modifying [{$pagename}]
Adding or modifying a user, from LDAP, with a [samAccountName] value that is the same as the value of an existing user entry will result in the following error:
{{{
Error while executing LDIF - [LDAP: error code 68 - 00000524: UpdErr: DSID-031A0F4F, problem 6005 (ENTRY_EXISTS), data
javax.naming.NameAlreadyBoundException: [LDAP: error code 68 - 00000524: UpdErr: DSID-031A0F4F, problem 6005 (ENTRY_EXISTS), data 0
}}}

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Things to consider when provisioning to AD/ADAM|http://blogs.technet.com/b/juanand/archive/2009/05/12/things-to-consider-when-provisioning-to-ad-adam.aspx|target='_blank'] - based on information retrieved 2012-08-31
* [#2] - [Active Directory: validate group samAccountName|http://blog.vertigion.com/post/18028230414/active-directory-validate-group-samaccountname|target='_blank'] - based on information retrieved 2013-08-19
* [#3] - [You cannot add a user name or an object name that only differs by a character with a diacritic mark|http://support.microsoft.com/kb/938447|target='_blank'] - based on information retrieved 2013-08-19
* [#4] - [You must type a valid Username for the user.|http://technet.microsoft.com/library/Cc975532|target='_blank'] - based on information retrieved 2013-08-19
* [#5] - [Object names|http://technet.microsoft.com/en-us/library/cc776019.aspx|target='_blank'] - based on information retrieved 2013-08-19
* [#6] - [Object names|http://support.microsoft.com/kb/909264|target='_blank'] - based on information retrieved 2013-08-19
* [#7] - [User Naming Attributes|https://msdn.microsoft.com/en-us/library/ms677605(v=vs.85).aspx|target='_blank'] - based on information retrieved 2013-08-19