Question about AD account usernames

Discussion in 'Windows Server 2003 / 2008 / 2012 / 2016' started by dalsoth, Feb 7, 2009.

  1. dalsoth

    dalsoth Kilobyte Poster

    325
    14
    54
    Hi guys

    I may sound like a real newbie here but i just have never come across this before. I am going through stuff on the 70-290 MS Press book and i have been messing about myself creating additional users and things to enforce my understanding of the way MS do things.

    The confusion comes from where i have users i have created with names such as jbloggs who i log on to a client machine with that username and password.

    I also have created some accounts such as danielle.tiedt and hank.carbeck from the MS lessons.

    When i try to log on to a client machine with the username danielle.tiedt i get nowhere. When i try [email protected] it works. I checked the username in the account settings and yes everything is fine and i would expect the @contoso.com bit would work. I would also expect the dienelle.tiedt bit would work on it's own as it does on users i have created myself.

    Is it because they have a period in between the first and last names? Really simple answer i expect but has stumped me.

    Anyone on here able to enlighten me?
     
    Certifications: MCSE, MCP, MCDST, MCSA, ITIL v3
    WIP: MCITP EA
  2. MLP

    MLP Kilobyte Poster

    305
    19
    59
    Hi Dalsoth

    On the login window, have you changed the drop down box that's labeled 'Log On To' from the client name to the domain name? It sounds like the machine is looking for danielle.tiedt in it's local users database, rather than in Active Directory. By specifying the @contoso.com part of the username, you are telling the client that this is a domain account.

    Maria
     
    Certifications: HND Computing
  3. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    10,718
    543
    364
    Also make sure the IP addresses are setup correctly. The DNS IP of the PC must be pointing at the DC you are logging into to make sure the whole logon process is as smoth as possible.

    As said make sure you are logging into the domain and not locally.

    Also what error message do you get when you try to logon to the PC with just the username?
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  4. dalsoth

    dalsoth Kilobyte Poster

    325
    14
    54
    Hi thanks for the replies.

    The DNS of the client XP machine is set to the Domain controller and i can log on to the domain from the drop down menu when i use other accounts such as the jbloggs.

    I tried to log on to both the contoso.com and the client1 drom the drop down using the danielle.tiedt name and was denied. I again tried with the @contoso.com on the end and it works....

    If the username in the account object in AD says danielle.tiedt and the machine is part of the network in AD and i select log on to contoso on the log in box surely i should not get an error saying "the system could not log you on. Make sure your user name and domain are correct blabla

    Im still confused lol
     
    Certifications: MCSE, MCP, MCDST, MCSA, ITIL v3
    WIP: MCITP EA
  5. dalsoth

    dalsoth Kilobyte Poster

    325
    14
    54
    Weird thing is that i have created a new user called user1 in the same OU and they can log on with no problem to the domain. I also just created another user called user.2 and they had no problem either and did not have to use the @contoso.com bit.

    Perhaps something got screwed up when i created them earlier in another practice.

    I just tried dtiedt as the username instead of danielle.tiedt as i wondered if the pre 2000 logon name would work and it did. The functional level of the domain is windows 2000 mixed. Still does not explain to me why it is not working though. The account logon name is danielle.tiedt.

    I deleted the local profile from the machine as i noticed it had created a folder earlier called dtiedt and retried with danielle tiedt and still had no luck.

    I hate her name now. :eek:
     
    Certifications: MCSE, MCP, MCDST, MCSA, ITIL v3
    WIP: MCITP EA
  6. craigie

    craigie Terabyte Poster

    3,020
    174
    155
    In AD Users & Computers can you confirm the following:

    General - First Name & Last Name = Display Name
    Account - User Logon Name = danielle.tiedt with the drop down being your domain
    Account - User Logon Name pre 2000 domain\ danielle.tiedt

    If all of that is beautiful, I would delete the accounts and then re-add them.
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  7. dalsoth

    dalsoth Kilobyte Poster

    325
    14
    54
    I created her using csvde earlier and the display name was not added as part of this.
    The user logon name is danielle.tiedt
    The pre win2000 logon name was domain\dtiedt

    I just added the display name and it made no difference to log on which i expected.
    I just changed the pre 2000 logon to danielle.tiedt and it worked.

    Does that mean my usernames are only working for the pre 2000?

    I just changed user.2 logon name to an alternative of user2 on the pre 2000 box and found it would not log me on with the user.2 although did previously so it appears that only the pre2000 names are the ones working.

    Is this because im in mixed mode? Is that normal for mixed mode?

    Thanks for the help.
     
    Certifications: MCSE, MCP, MCDST, MCSA, ITIL v3
    WIP: MCITP EA
  8. craigie

    craigie Terabyte Poster

    3,020
    174
    155
    I have not ever been in an environment running mixed mode so couldnt say.

    Upgrade to Native mode and change the name back to what it was and see what happens!
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  9. dalsoth

    dalsoth Kilobyte Poster

    325
    14
    54
    Yeh i will give that a go after the rugby i think. It was in mixed mode by default after install so i supposed i should have upgraded it as there are no non 2003 servers on the network.

    Will give it a try and let you know.

    Thanks for the advice.:D
     
    Certifications: MCSE, MCP, MCDST, MCSA, ITIL v3
    WIP: MCITP EA
  10. dalsoth

    dalsoth Kilobyte Poster

    325
    14
    54
    Raised the functional domain level to win 2003 and tried with an old and new account making sure the user logon name was different to the pre 2000 systems log on name.

    In each case only the name in the pre 2000 login box works.

    Is this standard? I think i have got something screwed as i'm certain it should be the other way around now i have raised the domain functional level at least?

    Am i cracking up or doing something stupid? Or both?
     
    Certifications: MCSE, MCP, MCDST, MCSA, ITIL v3
    WIP: MCITP EA
  11. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    10,718
    543
    364
    Are you missing something out when using csvde? If you can logon with an account you have created manually then the domain looks to be fuctioning ok.

    Perhaps open both the user objects side by side and compare how they are configured.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  12. dalsoth

    dalsoth Kilobyte Poster

    325
    14
    54
    It's not csvde as i have created new accounts in AD manually and changed the account login name to something different than the pre 2000 version and they fail to log on.

    It appears that only the pre 2000 names work on the system (unless i use the full [email protected]). The only reason i did not notice this on other accounts i had created is because i usually make sure they match the same name on the pre 2000 to avoid confusion. If they match then you would not know which is actually used would you?

    My question then becomes, does the pre2000 logon name have to match the non 2000 logon username on a normal win 2003 AD network? Is this standard?

    If anyone has any test networks and can test this by changing a username to something other than the pre 2000 name and test i would appreciate it. I would delete the local profile on the client before doing so though just to be sure that does not influence the login.

    I should really be moving on through this book but i don't like to be stumped by something until i know why.

    Thanks again for the suggestions.
     
    Certifications: MCSE, MCP, MCDST, MCSA, ITIL v3
    WIP: MCITP EA
  13. craigie

    craigie Terabyte Poster

    3,020
    174
    155
    I would help but I have had to run a ADSIEDIT on one of my DC's which was promoted recently to get it to pass dcdiag. As the upgrade didnt properly change all the delegation Machine Name details.

    Oh the fun of Server 2003....

    Anyways good luck with your studying!
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  14. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    10,718
    543
    364
    Ahh, so you are changing it manually.

    If you want to change an account you would be best to rename it correctly. If you right click on the account in AD and select rename you can then change the details as needed.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  15. dalsoth

    dalsoth Kilobyte Poster

    325
    14
    54
    No it's not that either as i have just created new accounts and have the problem.

    I just created a new user called "user4" and in the pre 2000 name i selected "usertest".

    Result is i try to log on with user4 and password and fail. I try to log on with usertest and succeed. I am only able to log on with user4 name if i follow it up and type the full [email protected].

    I would like to know if this is expected behaviour as it is not something i have ever noticed before. Is it anything to do with kerberos or ntlm authentication? I saw a thread mentioning something about that. Also saw a thread somewhere else saying they could not log on users to the domain on Vista without using the pre 2000 name.

    Any more suggestions to try if this is a problem or could someone here with more experience than i confirm whether this is expected behaviour?

    Thanks
     
    Certifications: MCSE, MCP, MCDST, MCSA, ITIL v3
    WIP: MCITP EA
  16. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    10,718
    543
    364
    I believe this is expected behaviour.

    If you look at the (pre Windows 2000) part in the account tab the NETBIOS domain name is listed and this matches up with the domain part at the logon prompt of your PC.

    So when you are on the PC and you have selected to logon to the domain option from the drop down box the credentials you are using are actually contoso\usertest for the username. When you type @contoso.com you are using the fully qualified domain name (FQDN) and therefore using the standard logon name.

    Using the @contoso.com part may come in useful if you have a trust with another domain. Say you configured a full trust with sparky.com and I had a user called user4. If you wanted to log onto the network (ignore the option of which domain you have choson to log onto) then if you put [email protected] then you can be confident you are logging on with the correct account.

    Hope this helps!
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  17. dalsoth

    dalsoth Kilobyte Poster

    325
    14
    54
    Yeh i believe you are right. It's one of those things that i have never noticed in real world experience as i always default the username to the same as the pre 2000 one. I just never realised the top selection was not the one that was actually being used.

    I guess this is why certification is also good for knowledge. I am filling in the gaps in my knowledge that i would not have done otherwise. Thumbs up i guess to the MS press books for that. Thumbs up to you guys for helping me to get my head around it. Unlearning things that i have taken for being true is harder than learning something new. :D
     
    Certifications: MCSE, MCP, MCDST, MCSA, ITIL v3
    WIP: MCITP EA

Share This Page

Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.