Windows – User principal name vs SAM account name

active-directory, user-accounts, windows, windows-server-2012-r2

I am confused between the user principal name (UPN) and SAM account name (SAM). Here's what I know:

SAM-

  1. Pre-windows name, for backward compatibility with Windows NT machines etc.

  2. DOMAIN\USERA looks for USERA inside the domain DOMAIN, hence it is unique in
    the domain.

  3. 20 characters long.

UPN-

  1. In the email-style format (easier for the user to remember).

  2. No character limit.

  3. UPN is the same even if the domain is restructured. For example, even if the
    user having UPN USERB@DOMAIN.COM is not in domain DOMAIN but in DOMAIN B,
    the user can still log on, because the UPN refers to the Global Catalog (GC),
    which logs the user in.

But I feel like I am not too clear about this. It would be really helpful if anyone has a better idea of how these two work, and could explain.

Which login method does Windows use to log the user on? UPN or SAM?

Does SAM do nothing special other than backward compatibility?

So is it possible that if all my DCs are Windows Server 2012 R2, I theoretically don't need the SAM account name (I still have to use it, I know, but theoretically)
anymore?

I have been researching for days now, and any detailed explanation, link, article, or example would be appreciated.

Best Answer

When it comes to Winlogon, you can use either. It's just a different way of stating the identity of the user account.

The SAM Account Name itself is just the username. In this case, USERA. When you add the domain, like DOMAIN\USERA, it becomes what is referred to as a down-level logon name. The SAM Account Name will always be used in the down-level logon name, where the UPN can be different.

Where would the UPN be different? Like you've said, the character limit can do it. You might also have a different domain for your Active Directory, like company.local, than your emails, company.com. Asking people to log on with "bob@company.local" then becomes confusing.

Which is better for users to use? Depending on what applications you have in use, you may prefer one or the other. For example, some systems may require users to log on with their UPN explicitly, or some legacy systems may only accept SAM Account Names.
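The two identities in the answer above, resolved against a real directory, as an added example that is not part of the original answer. It assumes the ActiveDirectory PowerShell module (RSAT) is installed on a domain-joined machine, a domain whose DNS name is company.local and NetBIOS name COMPANY, a registered UPN suffix company.com, and a hypothetical user USERA; the script shows that the down-level name COMPANY\USERA and the UPN usera@company.com resolve to the same account (same SID), and then lists accounts whose UPN prefix differs from their sAMAccountName, which is exactly where the 20-character limit or a separate mail domain makes the two names diverge.

```powershell
# Added example, not from the original page. Assumptions: domain company.local
# (NetBIOS COMPANY), UPN suffix company.com, and a hypothetical user USERA.
Import-Module ActiveDirectory

$netbiosDomain = 'COMPANY'            # NetBIOS name, used in the down-level logon name
$samName       = 'USERA'              # sAMAccountName: max 20 characters
$downLevel     = "$netbiosDomain\$samName"
$upn           = 'usera@company.com'  # UPN: suffix need not be the domain's DNS name

# 1. Look the same account up by each identity. Both return one user object.
$bySam = Get-ADUser -Filter "sAMAccountName -eq '$samName'" -Properties userPrincipalName
$byUpn = Get-ADUser -Filter "userPrincipalName -eq '$upn'"  -Properties sAMAccountName

if (-not $bySam -or -not $byUpn) {
    throw "Lookup failed: sAM='$samName' found=$([bool]$bySam), UPN='$upn' found=$([bool]$byUpn)"
}

# The SID is the stable identity of the object; both names must map to it.
if ($bySam.SID.Value -ne $byUpn.SID.Value) {
    throw "Down-level name and UPN resolved to different accounts"
}
Write-Host "Both '$downLevel' and '$upn' resolve to SID $($bySam.SID.Value)"

# 2. The same resolution through the Windows account lookup APIs that Winlogon
#    and most local services use (LookupAccountName under the hood). Either
#    form is accepted; both translate to the same SID.
$sidFromDownLevel = ([System.Security.Principal.NTAccount]$downLevel).Translate(
    [System.Security.Principal.SecurityIdentifier])
$sidFromUpn = ([System.Security.Principal.NTAccount]$upn).Translate(
    [System.Security.Principal.SecurityIdentifier])
if ($sidFromDownLevel.Value -ne $sidFromUpn.Value) {
    throw "LSA lookup disagrees between down-level name and UPN"
}

# Translating back from the SID always yields the down-level form, because the
# down-level name is built from the sAMAccountName, never from the UPN.
$roundTrip = $sidFromUpn.Translate([System.Security.Principal.NTAccount]).Value
Write-Host "SID $($sidFromUpn.Value) translates back to '$roundTrip'"

# 3. Where do the two names diverge in this directory? List every enabled user
#    whose UPN prefix is not simply the sAMAccountName. Typical causes: a UPN
#    longer than 20 characters that had to be truncated for the sAMAccountName,
#    or an explicit firstname.lastname@company.com UPN.
$diverging = Get-ADUser -Filter 'enabled -eq $true' -Properties sAMAccountName, userPrincipalName |
    Where-Object {
        $_.userPrincipalName -and
        ($_.userPrincipalName.Split('@')[0] -ne $_.sAMAccountName)
    } |
    Select-Object sAMAccountName, userPrincipalName,
        @{ Name = 'SamLength'; Expression = { $_.sAMAccountName.Length } }

$diverging | Format-Table -AutoSize

# 4. Sanity check on the 20-character constraint the question mentions: no
#    sAMAccountName in the directory should exceed it.
$tooLong = Get-ADUser -Filter * -Properties sAMAccountName |
    Where-Object { $_.sAMAccountName.Length -gt 20 }
if ($tooLong) { Write-Warning "Found sAMAccountNames longer than 20 characters" }
```

Run it from an elevated or domain-credentialed session; step 2 needs the machine to be domain-joined because the NTAccount translation goes through the local LSA, not LDAP. If step 3 prints nothing, every user's UPN prefix equals their sAMAccountName and the "UPN can be different" case simply does not occur yet in that forest.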