Attributes for AD Users : sAMAccountName

The AD attribute sAMAccountName stores the account logon name of the user object, in its legacy NetBIOS form as used in the naming notation "Domain\LogonName" (the name shown as the "pre-Windows 2000 logon name" in the management tools).

LDAP name               sAMAccountName
Data type               String (max. 20 characters)
Multivalue (Array)      No
System Flags
Search Flags            0x0D (indexed, ANR, preserved on delete)
In Global Catalog?      Yes
Attribute ID            1.2.840.113556.1.4.221
AD DB attribute name    SAM-Account-Name
ADSI datatype           3 - String (Unicode)
LDAP syntax             Directory String
Used in                 Windows 2000 and later
Schema Info             Microsoft - MSDN

The attribute sAMAccountName is a mandatory attribute (a MUST attribute in the schema) for user objects. It must be supplied when a user is created; otherwise, depending on the OS version of the domain controller, either the error -2147016657 (0x8007202f, ERROR_DS_CONSTRAINT_VIOLATION) is returned or the system automatically generates a random sAMAccountName for the new user. In either case the value must be unique within the domain: the domain controller rejects an attempt to create a second account with the same sAMAccountName.

For clarity, the sAMAccountName should always be consistent with the user principal name (UPN), the modern logon name of an AD user: the sAMAccountName should equal the prefix part (the portion before the @) of the attribute "userPrincipalName". An example:

     Name of domain: CERROTORRE (NetBIOS) (DNS)
     sAMAccountName: pfoe
     NetBIOS logon name: CERROTORRE\pfoe

One exception may be environments where users are supposed to log on with their real e-mail addresses. There the sAMAccountName can differ from the userPrincipalName: the UPN carries the mail address, while the sAMAccountName must still satisfy the restrictions below, in particular the 20-character limit.

The Windows logon name has the data type Unicode string; nevertheless the system imposes some restrictions. The name cannot consist of more than 20 characters (comparison of logon names is case-insensitive), and the following characters are NOT allowed:

\   /   [   ]   :   ;   |   =   ,   +   *   ?   <   >   @   "
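As an added example (not code from the original page), the following Python functions check a proposed sAMAccountName against the rules described on this page: the 20-character limit, the forbidden characters, consistency with the prefix of the userPrincipalName, and construction of the NetBIOS logon name "Domain\LogonName". The domain CERROTORRE and the user pfoe are the page's own example values; the DNS suffix cerrotorre.example used in the UPN is an assumption, as the page does not give one.

```python
# Added example, not part of the original page: offline validation of a
# sAMAccountName against the documented constraints. No directory access is
# performed, so uniqueness within the domain is NOT checked here.

SAM_MAX_LEN = 20                       # documented maximum for user accounts
SAM_FORBIDDEN = set('\\/[]:;|=,+*?<>@"')  # characters the system rejects


def validate_sam_account_name(name: str) -> list[str]:
    """Return a list of rule violations for a proposed sAMAccountName.

    An empty list means the value is acceptable. Rules checked:
    - the attribute is mandatory, so an empty value is an error
    - at most 20 characters
    - none of the characters that are not allowed in a logon name
    """
    problems: list[str] = []
    if not name:
        problems.append("sAMAccountName is mandatory (empty value)")
    if len(name) > SAM_MAX_LEN:
        problems.append(f"longer than {SAM_MAX_LEN} characters ({len(name)})")
    bad = sorted(set(name) & SAM_FORBIDDEN)
    if bad:
        problems.append("contains forbidden character(s): " + " ".join(bad))
    return problems


def matches_upn(sam: str, upn: str) -> bool:
    """True when the sAMAccountName equals the prefix of the UPN.

    The comparison is case-insensitive because Windows logon names are
    compared case-insensitively. A UPN without an '@' never matches.
    """
    prefix, sep, _suffix = upn.partition("@")
    return sep == "@" and prefix.lower() == sam.lower()


def sam_from_upn(upn: str) -> str:
    """Derive the sAMAccountName that would be consistent with a UPN.

    Raises ValueError when the UPN prefix cannot be used as a sAMAccountName
    (for example because it is longer than 20 characters), which is exactly
    the case where the two logon names are forced to differ.
    """
    prefix, sep, _suffix = upn.partition("@")
    if sep != "@":
        raise ValueError(f"not a UPN (no '@'): {upn!r}")
    problems = validate_sam_account_name(prefix)
    if problems:
        raise ValueError(f"UPN prefix {prefix!r} unusable: " + "; ".join(problems))
    return prefix


def netbios_logon_name(netbios_domain: str, sam: str) -> str:
    """Build the legacy logon notation Domain\\LogonName."""
    return f"{netbios_domain}\\{sam}"


if __name__ == "__main__":
    # Values from the page's example; the DNS suffix is an assumption.
    domain, sam, upn = "CERROTORRE", "pfoe", "pfoe@cerrotorre.example"
    print("violations:", validate_sam_account_name(sam))          # []
    print("consistent with UPN:", matches_upn(sam, upn))            # True
    print("NetBIOS logon name:", netbios_logon_name(domain, sam))   # CERROTORRE\pfoe
    # A mail-style UPN whose prefix is too long for a sAMAccountName:
    try:
        sam_from_upn("firstname.middlename.lastname@cerrotorre.example")
    except ValueError as exc:
        print("cannot derive:", exc)
```

The check for duplicates is deliberately left out: uniqueness is enforced by the domain controller at creation time and can only be verified against the directory itself, for example with an LDAP search on (sAMAccountName=pfoe) before the account is created.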