Windows 2000 Professional on Microsoft Networks

A unique logon name is required for users to gain access to a domain and its resources. In a domain environment, a user is a type of security principal. A security principal is an object to which Windows security is applied in the form of authentication and authorization. Users are authenticated (their identity is verified) at the time they log on to the domain or local computer. They are authorized (allowed or denied access) when they use resources.

A user security principal can have two types of logon names, depending on the user's domain or workgroup membership: a SAM account name and/or a user principal name:

  • SAM Account Name. A SAM account name is a name that is required for compatibility with Windows NT 4.0 domains and workgroups. In a Windows NT domain or workgroup, every account name must be unique.

  • User Principal Name. In a Windows 2000 domain, an account can have a user principal name in addition to its SAM account name. The user principal name consists of the user name, the at sign (@), and a user principal name suffix. For example, the user James Smith, who has a user account in the reskit.com domain, might have the user principal name JSmith@reskit.com. The user principal name usually reflects the hierarchical structure of the domain; however, an account administrator might choose an alternative naming convention if the domain structure is complex or is difficult to remember.
    The user principal name is independent of the distinguished name of the user object, which is the name that identifies the object and its location within Active Directory. As it is the distinguished name that differentiates the object, not the SAM or user principal names, two accounts can have the same SAM account name. Additionally, a user object can be moved or renamed without affecting the user principal name and can have multiple user principal names.