3.1.1.4.5.27 msDS-PrincipalName

The msDS-PrincipalName attribute has different behavior on AD DS and AD LDS.

Let TO be the object from which the msDS-PrincipalName attribute is being read.

For AD DS, the value of TO!msDS-PrincipalName is either (1) the NetBIOS domain name, followed by a backslash ("\"), followed by TO!sAMAccountName, or (2) the value of TO!objectSid in SDDL SID string format ([MS-DTYP] section 2.4.2.1).

For AD LDS, let OBJSID be the value of TO!objectSid. If OBJSID is the SID of a security principal of the computer on which Active Directory is running, then TO!msDS-PrincipalName is the NetBIOS computer name, followed by a backslash ("\"), followed by the name of the security principal. If the computer on which Active Directory is running is a member of a domain, and OBJSID is a SID for a security principal S in that domain, then TO!msDS-PrincipalName is the NetBIOS domain name, followed by a backslash ("\"), followed by S!sAMAccountName. Otherwise, the value of TO!msDS-PrincipalName is the value of TO!objectSid in SDDL SID string format ([MS-DTYP] section 2.4.2.1).
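The derivation rules above can be exercised with a small model. The following Python is an added example, not code from MS-ADTS or from Windows: it converts a binary objectSid into the SDDL SID string form of [MS-DTYP] section 2.4.2.1 and then applies the AD DS and AD LDS rules. Two things are assumptions of the example rather than statements of this section: for AD DS, the section does not say which condition selects form (2), so the example falls back to the SID string whenever no sAMAccountName is available; for AD LDS, the computer's local security principals and the domain's principals are modelled as constructed dictionaries keyed by SID string, and "member of a domain" is modelled as a non-None NetBIOS domain name. The sample SIDs and names are constructed.

```python
import struct

SID_MAX_SUB_AUTHORITIES = 15  # limit from MS-DTYP


def build_sid(authority: int, sub_authorities) -> bytes:
    """Encode a revision-1 SID in binary form (used here only to construct sample input)."""
    subs = list(sub_authorities)
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sid_to_sddl(sid: bytes) -> str:
    """Render a binary SID as an SDDL SID string (MS-DTYP 2.4.2.1).

    Layout: Revision (1 byte), SubAuthorityCount (1 byte),
    IdentifierAuthority (6 bytes, big-endian), SubAuthority[] (4 bytes each, little-endian).
    """
    if len(sid) < 8:
        raise ValueError("SID too short")
    revision, count = sid[0], sid[1]
    if revision != 1 or count > SID_MAX_SUB_AUTHORITIES:
        raise ValueError("unsupported SID revision or sub-authority count")
    if len(sid) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, sid, 8)
    # MS-DTYP prints the authority in decimal below 2^32, otherwise as 0x-prefixed hex.
    auth_text = str(authority) if authority < 2 ** 32 else "0x%012X" % authority
    return "S-%d-%s%s" % (revision, auth_text, "".join("-%d" % s for s in subs))


def ad_ds_principal_name(netbios_domain: str, sam_account_name, object_sid: bytes) -> str:
    """AD DS rule: DOMAIN\\sAMAccountName, else the SDDL SID string.

    Assumption of this example: form (2) is used when no sAMAccountName is available.
    """
    if sam_account_name:
        return "%s\\%s" % (netbios_domain, sam_account_name)
    return sid_to_sddl(object_sid)


def ad_lds_principal_name(object_sid: bytes, netbios_computer: str, local_principals: dict,
                          netbios_domain, domain_principals: dict) -> str:
    """AD LDS rule, evaluated in the order the specification gives.

    local_principals  : SID string -> name of a security principal of this computer (constructed)
    domain_principals : SID string -> sAMAccountName of a principal in the joined domain (constructed)
    netbios_domain    : None when the computer is not a domain member (assumption of this example)
    """
    objsid = sid_to_sddl(object_sid)
    if objsid in local_principals:
        return "%s\\%s" % (netbios_computer, local_principals[objsid])
    if netbios_domain is not None and objsid in domain_principals:
        return "%s\\%s" % (netbios_domain, domain_principals[objsid])
    return objsid


# Constructed sample data: one local machine account, one domain user, one unknown SID.
LOCAL_ADMIN_SID = build_sid(5, [21, 10, 20, 30, 500])
DOMAIN_USER_SID = build_sid(5, [21, 100, 200, 300, 1105])
UNKNOWN_SID = build_sid(5, [21, 999, 999, 999, 1234])

LOCAL_PRINCIPALS = {sid_to_sddl(LOCAL_ADMIN_SID): "Administrator"}
DOMAIN_PRINCIPALS = {sid_to_sddl(DOMAIN_USER_SID): "alice"}


def demo() -> dict:
    """Return the msDS-PrincipalName each rule produces for the sample objects."""
    return {
        "ds_with_sam": ad_ds_principal_name("CONTOSO", "alice", DOMAIN_USER_SID),
        "ds_without_sam": ad_ds_principal_name("CONTOSO", None, DOMAIN_USER_SID),
        "lds_local": ad_lds_principal_name(LOCAL_ADMIN_SID, "LDSHOST", LOCAL_PRINCIPALS,
                                           "CONTOSO", DOMAIN_PRINCIPALS),
        "lds_domain": ad_lds_principal_name(DOMAIN_USER_SID, "LDSHOST", LOCAL_PRINCIPALS,
                                            "CONTOSO", DOMAIN_PRINCIPALS),
        "lds_not_joined": ad_lds_principal_name(DOMAIN_USER_SID, "LDSHOST", LOCAL_PRINCIPALS,
                                                None, DOMAIN_PRINCIPALS),
        "lds_unknown": ad_lds_principal_name(UNKNOWN_SID, "LDSHOST", LOCAL_PRINCIPALS,
                                             "CONTOSO", DOMAIN_PRINCIPALS),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print("%-15s %s" % (label, value))
```

The order of the AD LDS checks matters: a SID is first matched against the computer's own principals, then against the joined domain, and only then rendered as a SID string, which is why the not-domain-joined case yields the SDDL form even for a SID the domain could have resolved.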