Hi @EnterpriseArchitect ,
The SamAccountName can have extra digits appended for these reasons:
Scenario 1:
If you have multiple users with the same UPN suffix, the SamAccountName is appended with a random GUID to keep them unique. In this scenario, the user should be able to log in with the UPN format but not the DOMAIN\SamAccountName format (which you can verify by testing).
So you may have another user whose UPN prefix matches the username and was synchronized and took the DOMAIN\username account format. This is why we recommend signing in with UPN format, not Domain\samaccountname, in https://docs.microsoft.com/en-us/azure/active-directory-domain-services/synchronization#attribute-synchronization-and-mapping-to-azure-ad-ds
Solution:
You need to identify the conflicting AAD DS user object (by SamAccountName) or the conflicting AAD user (by mailNickName) and remove the conflict by either deleting or updating the AAD user's mailNickname and then allow AAD DS to resync the users. If no conflicting users are found, then potentially updating the Azure AD user's mailNickname to something temporary, waiting 10-15 minutes for that to sync to AAD DS and then updating the Azure AD user's mailNickName back to the original name and allowing that to sync to AAD DS will fix the issue.
Scenario 2:
If the Azure AD user's mailNickName attribute is greater than 20 characters, the random GUID characters will get added to the SamAccountName.
Solution:
Shorten the Azure AD user's mailNickName to < 20 characters.
The two scenarios described above are the most likely reasons for this issue. The only other possibility is that there could be unsupported characters in the name, or the name could be empty.
Let me know if this helps and if you have further questions.
If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar information.
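An added example, not part of the answer above: a PowerShell sketch that audits a user list for the conditions the answer names (shared mailNickname, a mailNickname matching another user's UPN prefix, length over 20, empty value, unsupported characters). The function name `Find-SamAccountNameRisk`, the sample users and the `contoso.example` domain are constructed, and the unsupported-character set is an assumption taken from on-premises AD sAMAccountName restrictions.

```powershell
# Constructed sample data: objects with UserPrincipalName and MailNickname properties.
$sampleUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'jsmith@contoso.example'; MailNickname = 'jsmith' }
    [pscustomobject]@{ UserPrincipalName = 'john.s@contoso.example'; MailNickname = 'JSmith' }
    [pscustomobject]@{ UserPrincipalName = 'svc@contoso.example';    MailNickname = 'svc-backup-reporting-east01' }
    [pscustomobject]@{ UserPrincipalName = 'akhan@contoso.example';  MailNickname = '' }
    [pscustomobject]@{ UserPrincipalName = 'mlee@contoso.example';   MailNickname = 'm:lee' }
    [pscustomobject]@{ UserPrincipalName = 'rdiaz@contoso.example';  MailNickname = 'rdiaz' }
)

function Find-SamAccountNameRisk {
    param([Parameter(Mandatory)][object[]]$UserList)

    # Assumption: characters rejected in an on-premises AD sAMAccountName.
    $badChars = '["/\\\[\]:;|=,+*?<>]'

    # Hashtable keys are case-insensitive, matching how the names collide.
    $nickCount = @{}
    $byPrefix  = @{}
    foreach ($u in $UserList) {
        if ($u.MailNickname) { $nickCount[$u.MailNickname] = 1 + $nickCount[$u.MailNickname] }
        $prefix = ($u.UserPrincipalName -split '@')[0]
        if (-not $byPrefix.ContainsKey($prefix)) { $byPrefix[$prefix] = @() }
        $byPrefix[$prefix] += $u.UserPrincipalName
    }

    foreach ($u in $UserList) {
        $nick = $u.MailNickname
        $reasons = @()
        if ([string]::IsNullOrWhiteSpace($nick)) {
            $reasons += 'mailNickname is empty'
        } else {
            # Scenario 1: two users compete for the same SamAccountName.
            if ($nickCount[$nick] -gt 1) { $reasons += 'mailNickname shared with another user' }
            if ($byPrefix.ContainsKey($nick)) {
                $others = @($byPrefix[$nick] | Where-Object { $_ -ne $u.UserPrincipalName })
                if ($others.Count -gt 0) { $reasons += "matches UPN prefix of $($others -join ', ')" }
            }
            # Scenario 2: mailNickname longer than 20 characters.
            if ($nick.Length -gt 20) { $reasons += "mailNickname is $($nick.Length) characters" }
            if ($nick -match $badChars) { $reasons += 'contains an unsupported character' }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ UserPrincipalName = $u.UserPrincipalName
                               MailNickname      = $nick
                               Reasons           = $reasons -join '; ' }
        }
    }
}

Find-SamAccountNameRisk -UserList $sampleUsers | Format-Table -AutoSize -Wrap
```

Against a real tenant, pass in an export of your Azure AD users that carries the same two properties; users that come back with no row have none of the listed conditions.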