Re: User Naming conventions - Active directory Windows 2003



On Feb 9, 2008 10:19 AM, WALI <hkhasgiwale@xxxxxxxxx> wrote:

Current scenario:

AD user login name 'firstname.lastname'
user email account; 'firstname.lastname@xxxxxxxx'
email display name: lastname, firstname

In case of duplicates found within domain:

New AD user login name 'firstname.lastname123'. Old account remains the
same.
(numerical values are added in front of the new user account)
user email account; 'firstname.lastname123@xxxxxxxx'
email display name (GAL): lastname, firstname, middle initial (for both old
and new user - mutually agreed)

Disadvantages of current convention:
- Login accounts same as email IDs leads to a situation where looking at
internally published email listing, it's easy to guess user's AD login
account.
- A malicious user can lead someone else's account to lock out condition by
trying wrong password 5 times, as that's the 'Account lockout policy'
setting.
- Duplicates are not making sense.

Any advice!!??

Sure. Don't panic, it's no big deal. See, for example, psgetsid.exe
from www.microsoft.com/sysinternals. Once you have the domain prefix
of your own (non-administrator) SID, it's trivial to use a tool like
this to get AD IDs by simply incrementing the SID. For the
Administrator account, it's even easier, as that account always ends
in 500.

What you need instead is a proper auditing/notification setup. If
someone with an IP address or machine name from your Switzerland
office is locking out or trying out passwords against an account in
your British office, you should be notified. If an account is
frequently and consistently getting locked, or if there are an
abnormal number of account lockouts in general, your system should
notify you. That's the better way of doing things.

It's much better and simpler to ensure proper length and complexity of
passwords, and keep the IDs simple and easy to remember. At my
$medium-sized-employer we went from a very obscure naming scheme
(FI+MI+LI+4digits) to one that was much easier to use (FI+LName), and
it's much easier to use and administer now.

Just remember, passphrases (I actually use whole sentences) are easier
to remember and easier (if a bit more time-consuming) to type. Crank
up the length to something more than 15, and you should be good to go.

Kurt
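The three alerting conditions Kurt describes (a foreign office's host hitting an account, one account locked repeatedly, an abnormal lockout volume overall), as an added example that is not part of the thread. It runs over constructed Security log records; the office address ranges, account-to-office map, thresholds and records are assumptions, and the event IDs 4740 (account locked out) and 4625 (logon failure) are the Windows Server 2008 and later numbers, not the 2003-era ones.

```python
# Added example: lockout/failed-logon alerting over constructed log records.
# Office networks, account-to-office map, thresholds and EVENTS are assumed.
import ipaddress
from collections import Counter

OFFICE_NETS = {                       # assumed office address ranges
    "Zurich": ipaddress.ip_network("10.20.0.0/16"),
    "London": ipaddress.ip_network("10.10.0.0/16"),
}
ACCOUNT_OFFICE = {"jsmith": "London", "mmuller": "Zurich", "akhan": "London"}
PER_ACCOUNT_LOCKOUTS = 2   # alert when one account is locked this often
GLOBAL_LOCKOUTS = 4        # alert when the whole domain sees this many

# Constructed records: (event_id, target_account, source_ip)
EVENTS = [
    (4625, "jsmith", "10.20.5.7"),   # Zurich host failing against a London user
    (4625, "jsmith", "10.20.5.7"),
    (4740, "jsmith", "10.20.5.7"),   # ...until the account locks
    (4740, "jsmith", "10.20.5.7"),   # and again once the lockout expires
    (4625, "mmuller", "10.20.9.3"),  # ordinary typo from the user's own office
    (4740, "akhan", "10.10.2.2"),
    (4740, "mmuller", "10.20.9.3"),
]

def office_of(ip):
    """Map a source address to an office, or None if outside all of them."""
    addr = ipaddress.ip_address(ip)
    return next((o for o, net in OFFICE_NETS.items() if addr in net), None)

def analyse(events):
    """Return one alert string per triggered condition, in a fixed order."""
    alerts, seen_pairs, lockouts = [], set(), Counter()
    for eid, user, ip in events:
        src, home = office_of(ip), ACCOUNT_OFFICE.get(user)
        # 1. attempts or lockouts from a foreign office (one alert per ip/user pair)
        if src and home and src != home and (ip, user) not in seen_pairs:
            seen_pairs.add((ip, user))
            alerts.append(f"cross-office: {ip} ({src}) against {user} ({home})")
        if eid == 4740:
            lockouts[user] += 1
    # 2. the same account locked again and again
    for user, n in sorted(lockouts.items()):
        if n >= PER_ACCOUNT_LOCKOUTS:
            alerts.append(f"repeated lockouts: {user} locked {n} times")
    # 3. abnormal lockout volume across the domain
    total = sum(lockouts.values())
    if total >= GLOBAL_LOCKOUTS:
        alerts.append(f"domain-wide: {total} lockouts in window")
    return alerts

if __name__ == "__main__":
    print("\n".join(analyse(EVENTS)))
```

In practice the records would come from the domain controllers' Security logs and the window would be time-bounded; the thresholds here are deliberately low so the sample data trips all three checks.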


