Blank User Logon Names

David Adner

I've noticed off and on how some AD accounts don't have the 'User logon
name' field filled in on the Accounts tab when viewing their
properties. The users appear to work fine and everything, but I've
always been curious if this could lead to an issue down the road or why
it's even possible to have the field blank. I assume when it's blank,
it defaults to the pre-2000 name?
 
Ace Fekay [MVP]

David Adner said:
> I've noticed off and on how some AD accounts don't have the 'User
> logon name' field filled in on the Accounts tab when viewing their
> properties. The users appear to work fine and everything, but I've
> always been curious if this could lead to an issue down the road or
> why it's even possible to have the field blank. I assume when it's
> blank, it defaults to the pre-2000 name?

Sounds like it was upgraded from NT4. To populate them back, you would need
to either script it or do it manually.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
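
One way to script the check and the fix mentioned above, as an added example that is not part of the original thread. The 'User logon name' field is the `userPrincipalName` attribute and the pre-2000 name is `sAMAccountName`; the script assumes the ActiveDirectory PowerShell module is available, and `example.test` is a placeholder suffix.

```powershell
# Added example: report accounts with no userPrincipalName and optionally fill it in.
# Assumes the ActiveDirectory module (RSAT); $UpnSuffix is a placeholder value.
param(
    [string]$UpnSuffix = 'example.test',  # placeholder, replace with your UPN suffix
    [switch]$Populate                     # without this switch the script only reports
)

Import-Module ActiveDirectory

# User objects (not computer accounts) where userPrincipalName is not set.
$filter = '(&(objectCategory=person)(objectClass=user)(!(userPrincipalName=*)))'

$missing = Get-ADUser -LDAPFilter $filter -Properties whenCreated |
    Sort-Object SamAccountName

# Report first: built-in accounts such as Administrator and Guest will show up here.
$missing |
    Select-Object SamAccountName, Enabled, whenCreated, DistinguishedName |
    Format-Table -AutoSize

if ($Populate) {
    foreach ($user in $missing) {
        # Leave disabled accounts (for example Guest) untouched.
        if (-not $user.Enabled) { continue }

        $upn = '{0}@{1}' -f $user.SamAccountName, $UpnSuffix

        # UPNs must be unique; this checks the current domain only.
        # Names containing LDAP filter metacharacters would need escaping first.
        if (Get-ADUser -LDAPFilter "(userPrincipalName=$upn)") {
            Write-Warning "Skipping $($user.SamAccountName): $upn is already in use"
            continue
        }

        # -WhatIf prints the intended change; remove it to apply.
        Set-ADUser -Identity $user -UserPrincipalName $upn -WhatIf
    }
}
```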
 
David Adner

These are all fresh 2000 installs. For example, the "local"
Administrator that was on the DC prior to promotion that's now in AD has
a blank user logon name field. Guest is the same. Perhaps these are
special circumstances since they were on the server prior to promotion.

Is it a problem that some accounts have the field blank?
 
Ace Fekay [MVP]

David Adner said:
> These are all fresh 2000 installs. For example, the "local"
> Administrator that was on the DC prior to promotion that's now in AD
> has a blank user logon name field. Guest is the same. Perhaps these are
> special circumstances since they were on the server prior to
> promotion.
>
> Is it a problem that some accounts have the field blank?

I assume you mean the UPN is missing and not the legacy name. That's normal.
I thought you meant all your accounts.

I'm assuming you are logging in with this legacy method (which doesn't use
the UPN):
username
password
Netbios domainname

However this does:
(e-mail address removed)
password
(you'll notice the domain name grays out)

The UPN method requires a GC and a DNS query to logon. The old method
doesn't. It also requires the UPN name in account properties. Normally we
teach our users to use the UPN. This allows them to logon across subnets/other
domains without Netbios. If using the legacy method, you'll need a Netbios
resolution solution, such as WINS.

I wouldn't worry about the Guest account. Leave it disabled.
--
Regards,
Ace

 
David Adner

I'm playing in a test environment. I figure if I try breaking things,
I'll learn better trying to fix them.

I created a new account and wiped out its UPN name in account
properties. Then I tried logging on with it using (e-mail address removed) and
it worked. Do you think that's because it used to have a UPN name? Or
it's just smart enough to know what's going on?
 
Ace Fekay [MVP]

David Adner said:
> I'm playing in a test environment. I figure if I try breaking things,
> I'll learn better trying to fix them.
>
> I created a new account and wiped out its UPN name in account
> properties. Then I tried logging on with it using (e-mail address removed) and
> it worked. Do you think that's because it used to have a UPN name?
> Or it's just smart enough to know what's going on?

Probably either cached credentials. Did you already try it, then delete it,
then try it again? By default a machine will cache the credentials for up to
10 logon attempts (in Local Security Policy). Try it from a different subnet
(without WINS or an LMHOST entry) and bet you'll find it doesn't work.

--
Regards,
Ace

 
David Adner

Sorry, should have mentioned that I didn't logon with the account before
trying my test. I created it, went back into its properties to remove
the UPN name, then tried to logon with it for the very first time via
(e-mail address removed) and it worked.
 
Ace Fekay [MVP]

David Adner said:
> Sorry, should have mentioned that I didn't logon with the account
> before trying my test. I created it, went back into its properties
> to remove the UPN name, then tried to logon with it for the very first
> time via (e-mail address removed) and it worked.

Kind of thinking that it used the suffix and a broadcast to find the DC. And
it worked subsequent times too? Kind of unusual to see it work that way,
especially without the UPN created. Did you do this from the DC or from a
client machine?


--
Regards,
Ace

 
David Adner

I tried it from another DC, which is on the same segment. It worked
multiple times. I haven't setup a test client in that Domain yet. I'll
try it in our lab at work where there's a lot more available resources.
 
Ace Fekay [MVP]

David Adner said:
> I tried it from another DC, which is on the same segment. It worked
> multiple times. I haven't setup a test client in that Domain yet.
> I'll try it in our lab at work where there's a lot more available
> resources.

Ok, thanks. Looking forward to what you find from a client.

--
Regards,
Ace

 
