Re: Unique User Account Across Forest
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Mon, 18 Dec 2006 18:41:05 -0500
1. No.
2. Yes, look at the various provisioning tools, Quest's Active Roles Server is expensive but good for this kind of thing. Letting a bunch of different people manage userids natively like that is a disaster waiting to happen. If you have Exchange running I am surprised you haven't run into blow ups already.
3. Likely, some may share, others may not. Generally the solution is to stop it up front, not try to chase them down after the fact.
4. As long as the UPN is unique, it doesn't matter what it is. You don't even have to register the suffixes for normal single forest authentication; you can do it ad hoc on the fly, it just won't show up in the GUI.
Overall, if your forest is truly large, you need to look at provisioning tools. Delegation of AD is nice but it is missing a lot of key features like business rules and triggers and simple consolidated auditing. Most large companies that I deal with (50,000 seats would be a small company to me) use some form of provisioning tools. Those that don't are a trainwreck. Once an environment exceeds a couple of thousand users it is generally silly to try and manage it through ADUC and the other native tools; they really aren't designed to properly and efficiently manage at that scale.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Stan wrote:
Hi, I am wondering if someone can help me ...
We have a large forest with 3 regional domains connected to an ADROOT domain,
with AD user administration delegated to regional offices.
Each office (approx. 30+) can create user accounts and manage groups, etc.
Typically userPrincipalName and sAMAccountName are the same.
I know that within an AD domain a user has to have a unique sAMAccountName, and within a forest userPrincipalName@DomainName makes the UPN unique.
My questions are:
1) We have a global application which requires a unique sAMAccountName across the forest. Is there any way I can configure AD to have a unique sAMAccountName across the forest, i.e. all child domains?
2) If (1) is not possible, are there any tools available on the open market which provide this feature?
3) Has anyone developed any tools or scripts to find duplicate sAMAccountName accounts across a forest?
4) In AD we can add a UPN suffix, so if we had a user in domain FredBlogs@xxxxxxxxxxxxxxx we can add a UPN suffix so the user could log in as FredBlogs@xxxxxxx. Can someone confirm how this would work if we had duplicate names such as FredBlogs@xxxxxxxxxxxxxxx, FredBlogs@xxxxxxxxxxx and FredBlogs@.ccc.com? There must be a way to direct correct names to domains.
Many thanks for your help ... Happy holidays ;-) Stan
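A forest-wide duplicate check of the kind asked about in question (3), as an added PowerShell example that is not part of this thread. It assumes the ActiveDirectory RSAT module is installed and that a Global Catalog is reachable; the hostname 'gc01.adroot.example' is a placeholder.

```powershell
# Added example (not from the thread): report sAMAccountName values that
# collide across the domains of a forest by querying one Global Catalog.
# sAMAccountName is in the partial attribute set, so a single query against
# the GC port (3268) returns every user in the forest without binding to
# each domain separately.
Import-Module ActiveDirectory

function Find-DuplicateSamAccountName {
    param(
        # Hostname of any GC in the forest; 3268 is the GC LDAP port.
        [Parameter(Mandatory)] [string] $GlobalCatalog
    )

    $users = Get-ADUser -Filter * -Server "${GlobalCatalog}:3268" `
        -Properties sAMAccountName, distinguishedName

    # Group-Object compares case-insensitively by default, which matches
    # how AD itself treats sAMAccountName.
    $users |
        Group-Object -Property SamAccountName |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            $name = $_.Name
            foreach ($u in $_.Group) {
                # Derive the domain from the DC= components of the DN,
                # splitting only on commas that are not escaped.
                $dcParts = $u.DistinguishedName -split '(?<!\\),' |
                    Where-Object { $_ -like 'DC=*' }
                $domain = ($dcParts -replace '^DC=') -join '.'
                [pscustomobject]@{
                    SamAccountName    = $name
                    Domain            = $domain
                    DistinguishedName = $u.DistinguishedName
                }
            }
        }
}

# Usage (placeholder GC hostname; substitute one from your own forest):
Find-DuplicateSamAccountName -GlobalCatalog 'gc01.adroot.example' |
    Sort-Object SamAccountName, Domain |
    Format-Table -AutoSize
```

This only finds collisions that already exist; as the reply points out, preventing new ones requires a provisioning layer in front of the native tools.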