changing active directory login name

  • Question

  • So the guys at my company have been changing the AD login names for women that get married. For example, Jenny Smith got married to Bob Right, so AD\jsmith changes to AD\jright. This doesn't cause any problems until we changed servers and used Microsoft's login transfer script. It scripts out Jenny's login as AD\jsmith, and then when you run the script it says:

    Msg 15401, Level 16, State 1, Line 3
    Windows NT user or group 'AD\jsmith' not found. Check the name again.

    I know someone else has had to deal with this; is this just a bug?

    Also, if I were to add AD\jright when AD\jsmith is already on the server, it says AD\jright is already added to the security.
    Monday, January 25, 2010 6:51 PM

Answers

  • The root cause for this problem is that when a Windows principal is created in SQL Server, we keep a copy of the friendly name (i.e. AD\jsmith) besides the SID (which is used by the internal mechanism to identify the principal for authentication and authorization purposes); the friendly name is used as the name to reference the principal in SQL Server. Since this name is a redundant copy and not under the control of the AD, the AD cannot update it when the Windows user name changes in the AD, hence the discrepancy that you mention.

    The SQL Server DBA can take corrective actions to update the account name by issuing an ALTER LOGIN command and setting the login to the new matching Windows name (http://msdn.microsoft.com/en-us/library/ms189828.aspx).

      I hope this information helps, if you have further questions please let us know.

      -Raul Garcia
       SDE/T
       SQL Server Engine


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, January 25, 2010 7:44 PM
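As an added example of the corrective action described in the answer above (this is not Raul's or Microsoft's code), assuming SQL Server 2005 or later and the AD\jsmith / AD\jright names from the question: SUSER_SNAME(sid) asks Windows to resolve a SID to its current name, so comparing it with the stored name finds every login whose AD account was renamed, and ALTER LOGIN then updates the stale copy.

```sql
-- Added example, not from the original thread.
-- Step 1: detect Windows logins whose stored friendly name no longer matches
-- the name the domain returns for the same SID. A NULL from SUSER_SNAME means
-- the SID could not be resolved at all (account deleted, or domain unreachable),
-- so those rows need a manual look rather than a rename.
SELECT  p.name             AS stored_name,
        SUSER_SNAME(p.sid) AS current_ad_name,
        p.type_desc,
        p.is_disabled
FROM    sys.server_principals AS p
WHERE   p.type IN ('U', 'G')          -- Windows users and Windows groups only
  AND   (SUSER_SNAME(p.sid) IS NULL
         OR SUSER_SNAME(p.sid) <> p.name);

-- Step 2: for the case in the thread, the account was renamed jsmith -> jright
-- in AD. The SID is unchanged, so only SQL Server's copy of the name must
-- follow. (Names assumed from the question; use the rows Step 1 returns.)
ALTER LOGIN [AD\jsmith] WITH NAME = [AD\jright];

-- Step 3: verify that the stored name and the SID-resolved name now agree.
SELECT  name, SUSER_SNAME(sid) AS current_ad_name
FROM    sys.server_principals
WHERE   name = N'AD\jright';
```

Database users in each database keep their own copy of the name in sys.database_principals; those are renamed with ALTER USER ... WITH NAME and are not affected by the login rename.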

All replies

  • So I figured out that the SID doesn't change in AD when you change a user name; that SID is stored inside SQL. Is there a way to add a user based solely on their SID?
    Monday, January 25, 2010 7:24 PM
  • Ya, I think the only solution is to either be part of the process when users change their name or compare the SID to the name in AD.
    Monday, January 25, 2010 8:05 PM
  • What should I do in SQL 2000 if an AD user name changed? There is no ALTER LOGIN command in SQL 2000.

    There is a project in our company to change the format of AD user names from 4-char to 8-char. The users are going to be renamed, not re-created, so the SIDs are not going to change.

    What should be done on the SQL Server level? May I change the Syslogins.Name column?

    Should I also take care of the SQL Jobs and DTS Packages owner fields? What else?

    Thank you,

    Vlad


    Friday, February 19, 2010 2:43 PM