
Object names

Every object in Active Directory is an instance of a class defined in the schema. Each class has attributes that ensure:

For more information about schema, classes, and attributes, see Schema.

Each object in Active Directory can be referenced by several different names. Active Directory creates a relative distinguished name and a canonical name for each object based upon information that was provided when the object was created or modified. Each object can also be referenced by its distinguished name, which is derived from the relative distinguished name of the object and all of its parent container objects.

Security principal objects are Active Directory objects that are assigned security IDs (SIDs) and can be used to log on to the network and can be assigned access to domain resources. An administrator needs to provide names for security principal objects (user accounts, computer accounts, and groups) that are unique within a domain.

Consider what occurs when a new user account is added to your directory. You provide a name the user must use to log on to the network, the name of the domain that contains the user account, and other descriptive data, such as first name, last name, telephone number and so on (called attributes). All this information is recorded in the directory.

The names of security principal objects can contain all Unicode characters except the special LDAP characters defined in RFC 2253. This list of special characters includes: a leading space; a trailing space; and any of the following characters: # , + " \ < > ;

Security principal names must conform to the following guidelines:

User account
Maximum size: Computers running Windows Server 2003 and Windows 2000 can use a user principal name (UPN) for a user account. Computers running Windows NT 4.0 and earlier are limited to 20 characters or 20 bytes depending upon the character set; individual characters may require more than one byte.
Special limitations: A user account cannot consist solely of periods (.) or spaces, or end in a period. Any leading periods or spaces are cropped. Use of the @ symbol is not supported with the logon format for Windows NT 4.0 and earlier, which is DomainName\UserName. Windows 2000 logon names are unique to the domain and Windows Server 2003 logon names are unique within the forest.

Computer account
Maximum size: NetBIOS = 15 characters, or 15 bytes depending upon the character set; individual characters may require more than one byte. DNS = 63 characters, or 63 bytes depending upon the character set, and 255 characters for a fully qualified domain name (FQDN); individual characters may require more than one byte.
Special limitations: A computer account cannot consist solely of numbers, periods (.), or spaces. Any leading periods or spaces are cropped.

Group account
Maximum size: 63 characters, or 63 bytes depending upon the character set; individual characters may require more than one byte.
Special limitations: A group account cannot consist solely of numbers, periods (.), or spaces. Any leading periods or spaces are cropped.
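As an added example (not part of the original article), the following Python checker applies the naming rules stated above to a proposed user, computer or group name: it crops leading periods and spaces, rejects the RFC 2253 special characters and trailing spaces, flags names that consist solely of periods, spaces or numbers, and measures the name against the stated length limits. The `codepage` parameter and the conservative reading of the limits (characters or bytes, whichever is larger) are assumptions, since the page says the limit depends on the character set in use.

```python
import re

# Special LDAP characters from RFC 2253 that the page lists as disallowed.
RFC2253_SPECIAL = set('#,+"\\<>;')

# Limits stated on the page. The 20-character user limit applies to Windows NT 4.0
# and earlier, so it is reported as a compatibility warning rather than an error.
LIMITS = {"user": (20, "Windows NT 4.0 and earlier"),
          "computer": (15, "NetBIOS name"),
          "group": (63, "group account")}


def check_principal_name(name, kind, codepage="utf-8"):
    """Return (normalized_name, errors, warnings) for a proposed principal name.

    `codepage` is an assumption used only to measure the byte length; the page
    states the limits in characters or bytes depending on the character set.
    """
    if kind not in LIMITS:
        raise ValueError("kind must be 'user', 'computer' or 'group'")
    errors, warnings = [], []
    # Active Directory crops leading periods and spaces.
    normalized = name.lstrip(". ")
    if normalized != name:
        warnings.append("leading periods/spaces cropped")
    if normalized.endswith(" "):
        errors.append("trailing space is not allowed")
    bad = sorted(RFC2253_SPECIAL.intersection(normalized))
    if bad:
        errors.append("contains special LDAP characters: " + " ".join(bad))
    # Users may not consist solely of periods/spaces; computers and groups may
    # not consist solely of numbers, periods or spaces.
    if kind == "user":
        solely, what = r"[. ]*", "periods or spaces"
    else:
        solely, what = r"[0-9. ]*", "numbers, periods or spaces"
    if re.fullmatch(solely, normalized):
        errors.append("name cannot consist solely of " + what)
    if kind == "user" and normalized.endswith("."):
        errors.append("user account name cannot end in a period")
    if kind == "user" and "@" in normalized:
        warnings.append("@ is not supported by the DomainName\\UserName logon "
                        "format on Windows NT 4.0 and earlier")
    limit, scope = LIMITS[kind]
    char_len = len(normalized)
    byte_len = len(normalized.encode(codepage, errors="replace"))
    if max(char_len, byte_len) > limit:  # assumption: apply the stricter measure
        msg = f"{char_len} chars / {byte_len} bytes exceeds {limit} ({scope})"
        (warnings if kind == "user" else errors).append(msg)
    return normalized, errors, warnings
```

Running it on a multibyte name such as a six-character Japanese computer name shows why the page distinguishes characters from bytes: six characters fit the NetBIOS limit, but their UTF-8 encoding does not.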

Note

From the information provided by the person who creates the security principal object, Active Directory generates a security ID (SID), and a globally unique ID used to identify the security principal. Active Directory also creates an LDAP relative distinguished name, based on the security principal name. An LDAP distinguished name and a canonical name are derived from the relative distinguished name and the names of the domain and container contexts in which the security principal object is created.

If your organization has several domains, it is possible to use the same user name or computer name in different domains. The SID, globally unique ID, LDAP distinguished name, and canonical name generated by Active Directory will uniquely identify each user, computer, or group in the forest. If the security principal object is renamed or moved to a different domain, the SID, LDAP relative distinguished name, LDAP distinguished name, and canonical name will change, but the globally unique ID generated by Active Directory will not change.

Security principal objects, such as user accounts, may be renamed, moved, or contained within a nested domain hierarchy. To reduce the effect of renaming, moving, or assigning user account names within a nested domain hierarchy, Active Directory provides a method for simplifying user logon names. For information about user logon names, see Active Directory naming, To add user principal name suffixes, and User and computer accounts.