Hi all,

Was just wondering how some of the network/system administrators out there handle the occasional username changes in AD? At my work we use the pretty standard naming schema of Domain\Firstname.Lastname for a user's login.

Now the issue arises whenever a person gets married or otherwise changes their legal name, and wants their Windows login/email to follow suit. We are on Gmail now, so that part's not a big deal. However, a lot of our users store a pretty significant amount of data on their local machine. So whenever we change their username, we also have to change the folder name for their Windows profile, as well as change the registry parameters for their profile in regedit.

Anyone else find this annoying? Anyone have an easy solution? Using a different naming schema is out of the hat for consideration, as we currently have 500+ users company-wide using the same schema, and I'm not nearly important enough to try to push a change of that magnitude. Just wondering what you guys do in this situation. Use a script? App? Or just flat out refuse the name change request? Lol, let's discuss!

https://linustechtips.com/topic/574621-username-changes-in-ad/

9 hours ago, GhostRiot said:

Hi all,

Was just wondering how some of the network/system administrators out there handle the occasional username changes in AD? At my work we use the pretty standard naming schema of Domain\Firstname.Lastname for a user's login.

Now the issue arises whenever a person gets married or otherwise changes their legal name, and wants their Windows login/email to follow suit. We are on Gmail now, so that part's not a big deal. However, a lot of our users store a pretty significant amount of data on their local machine. So whenever we change their username, we also have to change the folder name for their Windows profile, as well as change the registry parameters for their profile in regedit.

Anyone else find this annoying? Anyone have an easy solution? Using a different naming schema is out of the hat for consideration, as we currently have 500+ users company-wide using the same schema, and I'm not nearly important enough to try to push a change of that magnitude. Just wondering what you guys do in this situation. Use a script? App? Or just flat out refuse the name change request? Lol, let's discuss!

I'm pretty sure you can just change the name in AD. Not a big deal; Windows profiles identify the user based on SID, not what you tell the user their UPN is. Not sure about Gmail (I am sure it will be the same, however), but with Exchange you just need to change the primary email address to the new UPN. If you want, you can leave the old UPN as an alias to the new account; that way they still get their old emails.

 

Users logging in should still have all access to their old documents etc.

 

Who knows you might be correct, but we tell our staff that anything stored on the local system is not backed up, so they don't really 'seem' to complain when we re-deploy new computers and forgo using the USMT.

We were always a bit gun-shy changing people's names. We had a split among the sysadmins: half in the "just change their name, Windows will sort it out" camp, and the other half in the "I don't trust Windows to do it right" camp.

We compromised in the end and just renamed the display/first/last names and told them to suck eggs as far as the actual username (samAccountName) went. This meant for anyone looking, the name was changed, but the user just had to 'login' with the original.


7 hours ago, Blake said:

I'm pretty sure you can just change the name in AD. Not a big deal; Windows profiles identify the user based on SID, not what you tell the user their UPN is. Not sure about Gmail (I am sure it will be the same, however), but with Exchange you just need to change the primary email address to the new UPN. If you want, you can leave the old UPN as an alias to the new account; that way they still get their old emails.

 

Users logging in should still have all access to their old documents etc.

 

Who knows you might be correct, but we tell our staff that anything stored on the local system is not backed up, so they don't really 'seem' to complain when we re-deploy new computers and forgo using the USMT.

@GhostRiot Changing username works fine, I have never had to do anything you have described. The Active Directory identifier for user accounts is the SID and GUID; the human-readable parts are just for us. Sure, you have to be extremely careful when changing username, but this should be scripted to prevent errors and ensure consistency.

 

In saying this, for sites I have managed in the past where they follow my set standards I do not change usernames; I would always create a new user account and migrate all files and security permissions (scripted of course). This was only possible since absolutely everything is security-group-based security, nothing is ever applied to a user account. There is always a very small number of applications that couldn't be handled nicely by scripts, typically financial applications, since they are, from a system administration point of view, always written like garbage and never integrated properly with AD or use AD security groups (I can see their justification for not doing so).

 

Also personally I am a big believer that user accounts should not be based on any part of their name, most places have an employee ID of some kind so this would be my preferred AD user account name as it will never change. Never got anyone outside of IT to agree to that one though.
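The scripted, consistency-checked rename leadeater argues for, as an added example (it is not code from this thread or from any poster): it reads the user's SID before the change, renames the account's sAMAccountName, UPN and object name, keeps the old address as a secondary mail alias, and then re-reads the SID to confirm the object identity did not change. It assumes the RSAT ActiveDirectory module and write rights on the user object; every account name and the mail domain are placeholder parameters supplied by the caller.

```powershell
# Added example, not code from the thread: a scripted AD username change.
# Assumes the ActiveDirectory module (RSAT) and rights to modify the user object.
# All names and the mail domain are placeholders passed in by the caller.
param(
    [Parameter(Mandatory)] [string]$OldSam,       # current sAMAccountName, e.g. jane.doe
    [Parameter(Mandatory)] [string]$NewSam,       # new sAMAccountName, e.g. jane.smith
    [Parameter(Mandatory)] [string]$MailDomain,   # e.g. example.com
    [string]$NewDisplayName,                      # optional, e.g. 'Jane Smith'; also used as the new CN
    [switch]$WhatIf
)
Import-Module ActiveDirectory -ErrorAction Stop

$user      = Get-ADUser -Identity $OldSam -Properties proxyAddresses, mail
$sidBefore = $user.SID.Value

# Guard rails: the new name must fit the 20-character sAMAccountName limit and must be free.
if ($NewSam.Length -gt 20) { throw "'$NewSam' exceeds the 20-character sAMAccountName limit." }
if (Get-ADUser -Filter "sAMAccountName -eq '$NewSam'") { throw "'$NewSam' is already in use; refusing to rename." }

$newUpn = "$NewSam@$MailDomain"

# Mail: the new address becomes primary (SMTP:), the old one is kept as a secondary alias (smtp:)
# so mail sent to the old address keeps arriving. -cnotmatch is case-sensitive on purpose.
$proxies = @(@($user.proxyAddresses) | Where-Object { $_ -cnotmatch '^SMTP:' })
if ($user.mail) { $proxies += "smtp:$($user.mail)" }
$proxies += "SMTP:$newUpn"
$proxies = @($proxies | Sort-Object -Unique)

$setParams = @{
    Identity          = $user
    SamAccountName    = $NewSam
    UserPrincipalName = $newUpn
    EmailAddress      = $newUpn
    Replace           = @{ proxyAddresses = [string[]]$proxies }
    WhatIf            = $WhatIf
}
if ($NewDisplayName) { $setParams['DisplayName'] = $NewDisplayName }
Set-ADUser @setParams

# Rename the object's CN to match; this changes the DN but it is the same object, not a new one.
if ($NewDisplayName) {
    Rename-ADObject -Identity $user.DistinguishedName -NewName $NewDisplayName -WhatIf:$WhatIf
}

if (-not $WhatIf) {
    # Consistency check: the SID is what workstations, ACLs and profiles key on, so it must be unchanged.
    $after = Get-ADUser -Identity $NewSam
    if ($after.SID.Value -ne $sidBefore) {
        throw "SID changed from $sidBefore to $($after.SID.Value); stop and investigate."
    }
    "Renamed $OldSam -> $NewSam (UPN $newUpn); SID $sidBefore unchanged, so existing profiles and ACLs still resolve."
}
```

Run it once with -WhatIf to see the planned changes before committing them. The SID check at the end is the point of scripting this: if a rename ever produced a different SID you would be looking at a new object, and every ACL and local profile keyed on the old SID would stop matching.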

3 hours ago, leadeater said:

@GhostRiot Changing username works fine, I have never had to do anything you have described. The Active Directory identifier for user accounts is the SID and GUID; the human-readable parts are just for us. Sure, you have to be extremely careful when changing username, but this should be scripted to prevent errors and ensure consistency.

 

In saying this, for sites I have managed in the past where they follow my set standards I do not change usernames; I would always create a new user account and migrate all files and security permissions (scripted of course). This was only possible since absolutely everything is security-group-based security, nothing is ever applied to a user account. There is always a very small number of applications that couldn't be handled nicely by scripts, typically financial applications, since they are, from a system administration point of view, always written like garbage and never integrated properly with AD or use AD security groups (I can see their justification for not doing so).

 

Also personally I am a big believer that user accounts should not be based on any part of their name, most places have an employee ID of some kind so this would be my preferred AD user account name as it will never change. Never got anyone outside of IT to agree to that one though.


It's uncommon, but there have been at least a couple of instances where, after changes to a username in AD, the machine would generate a temporary profile for the user upon the next sign-in. Once it got to that point, it seemed the only resolution was to rename the profile (e.g. john.doe.OLD) and then delete the corresponding registry key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList.

Then, upon logging in with the new username, the machine would populate a new profile, and I'd just transfer all the docs from the renamed profile into that folder. Not sure what the variable is that's causing that issue, because as you said, I've also just pushed the changes via AD and never had any issues, at least no issues that were reported. As a precaution I usually just change the profile name in the local registry and the profile name, and I haven't had any problems since I started doing that.

Like you said though, A: shouldn't be using the person's name as a username to begin with. And also B: at least at my work, none of my users should have any files stored locally anyway... we provide network-attached storage for them to use, and most of the applications they use are cloud-based. But alas, that's just stubbornness. I haven't been in the industry long by comparison to most, but I picked up pretty quickly that nobody outside of IT follows the guidelines we set anyway, regardless of how proactive you try to be. But if everything ran smoothly all the time we wouldn't have jobs... so I usually try to refrain from complaining lol.
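A workstation-side check for the ProfileList situation GhostRiot describes, as an added example (not code from this thread): it resolves an account to its SID, reads that SID's ProfileList entry, and reports whether the profile folder still exists and whether the key shows the signs of a temporary profile (a `<SID>.bak` sibling key, or a ProfileImagePath under C:\Users\TEMP). Because the entry is keyed by SID, a rename in AD leaves it pointing at the old folder name, which is normally fine and is why no registry edit is needed unless the entry has actually broken. It assumes local administrator rights on the workstation; the account name is a placeholder.

```powershell
# Added example, not code from the thread: inspect a workstation's ProfileList entry for one account.
# Assumes local admin on the workstation. The account passed in is a placeholder.
function Get-ProfileListEntry {
    param([Parameter(Mandatory)][string]$Account)   # e.g. 'CORP\jane.smith' (placeholder)

    # Profiles are keyed by SID, not by username, so resolve the name first.
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value

    $base  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    $key   = Join-Path $base $sid
    $bak   = "$key.bak"
    $entry = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }

    [pscustomobject]@{
        Account          = $Account
        Sid              = $sid
        KeyPresent       = [bool]$entry
        ProfileImagePath = $entry.ProfileImagePath        # stays e.g. C:\Users\jane.doe after a rename
        FolderExists     = if ($entry) { Test-Path $entry.ProfileImagePath } else { $false }
        State            = $entry.State
        HasBakKey        = Test-Path $bak                  # <SID>.bak is left behind when a temp profile is created
        TempProfile      = (Test-Path $bak) -or ($entry.ProfileImagePath -like '*\TEMP*')
    }
}

# Example call against the interactive user; substitute the renamed account when troubleshooting.
Get-ProfileListEntry -Account "$env:USERDOMAIN\$env:USERNAME" | Format-List
```

If KeyPresent, FolderExists and TempProfile come back True, True, False, the SID-to-folder mapping is intact and the old folder name is cosmetic. Only when HasBakKey or TempProfile is True has Windows actually lost the mapping, which is the case where the manual rename-and-delete procedure in the post above becomes necessary.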

37 minutes ago, GhostRiot said:

I haven't been in the industry long by comparison to most, but I picked up pretty quickly that nobody outside of IT follows the guidelines we set anyways, regardless how proactive you try to be. But if everything ran smoothly all the time we wouldn't have jobs... so I usually try to refrain from complaining lol.

Yep that is a common theme. 99.99999999999999999% of faults on user devices are self inflicted..... sighhhhhhhhhh.

 

P.S. I don't always follow my own guidelines so I really can't complain too much either :P

Like others have mentioned, we change the username / display name / new primary alias for Exchange, leaving the old one for obvious reasons.

 

The users never see their full path in our environment, fairly locked and dumbed down. In other environments I worked for we would change their network drive folder name, but as far as the windows profile... we didn't care. We did not permit them to write to the local disk (code of conduct sort of thing, with enough effort they certainly could) so if they complain then they're admitting they're saving things locally.
