What Active Directory field do I use to uniquely identify a user?

I have an Asp.net MVC project authenticating through AD. I would like to store audit information in tables for the current logged in user. What should I be storing in the database? I am currently using SamAccountName for my membership and role providers. Should I be using this? Should I use the more verbose and modern UserPrincipalName? What if we eventually end up using multiple domains?

What about Guid? Guid would seem like the obvious choice but I know nothing about it. Why is it nullable? Does this value change? What is it used for?

Update

According to SID vs. GUID ...

The reason for using SIDs at all, and not GUIDs, is for backward compatibility. Windows NT uses SIDs to identify users and groups in ACLs on resources.

SIDs will actually change if you move a user to a new domain; the GUID will remain constant. It looks to me like GUID is the way to go unless you intend to authenticate against an NT4 AD server.

I'm not sure what to do here as I cannot accept my own answer for 2 days. Most in-depth explanation wins?

Asked Dec 15 '09 by Jim Mitchener


2 Answers

According to SID vs. GUID ...

The reason for using SIDs at all, and not GUIDs, is for backward compatibility. Windows NT uses SIDs to identify users and groups in ACLs on resources.

That being said, I've decided to go with GUID. SIDs will actually change if you move a user to a new domain; the GUID will remain constant. So long as you don't plan on running your application against an NT4 AD server, GUID is the way to go.

Answered Oct 03 '22 by Jim Mitchener (accepted)
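As an added illustration (not code from the question or either answer), the following helper resolves the currently logged-in user to the identifiers discussed above and keeps objectGUID as the stable audit key while also recording the SID and both logon names. It assumes the project references System.DirectoryServices.AccountManagement; the AuditIdentity type, the Resolve method and the domain parameter are hypothetical names chosen for this example.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

// Hypothetical record persisted with each audit row. ObjectGuid is the key
// that survives renames and cross-domain moves; the rest is kept so the row
// stays readable and can be matched against ACLs (SID) or logon names.
public sealed class AuditIdentity
{
    public Guid ObjectGuid { get; set; }
    public string Sid { get; set; }
    public string SamAccountName { get; set; }
    public string UserPrincipalName { get; set; }
}

public static class AuditIdentityResolver
{
    // identityName is what the web app already has, e.g. User.Identity.Name
    // (DOMAIN\sam or a UPN depending on the authentication configuration).
    // domain is the directory to query (hypothetical parameter).
    public static AuditIdentity Resolve(string identityName, string domain)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        {
            // The single-string overload lets the store decide whether the
            // value is a SAM name, UPN, SID or GUID, so it works for either
            // login format without the caller having to know which it got.
            UserPrincipal user = UserPrincipal.FindByIdentity(ctx, identityName);
            if (user == null)
                throw new InvalidOperationException("No directory user found for " + identityName);

            // Principal.Guid is Nullable<Guid> because a Principal object that
            // has been created in memory but not yet saved to the store has no
            // objectGUID. A user returned by FindByIdentity always has one, so a
            // null here indicates a defect rather than a valid state.
            if (!user.Guid.HasValue)
                throw new InvalidOperationException("Directory user has no objectGUID: " + identityName);

            return new AuditIdentity
            {
                ObjectGuid = user.Guid.Value,
                Sid = user.Sid.Value,            // SDDL string form, e.g. S-1-5-21-...
                SamAccountName = user.SamAccountName,
                UserPrincipalName = user.UserPrincipalName,
            };
        }
    }
}
```

Audit tables should store ObjectGuid as the foreign key and treat SamAccountName and UserPrincipalName as display data only, since both can change while the GUID does not.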

You might want to use the SID -- that's what the OS itself uses in most cases. SIDs are also unique across domains or workgroups.

The problem with user name alone is that it can be changed, whereas the SID is fixed.

Answered Oct 03 '22 by RickNZ