Security Basics mailing list archives

RE: User Naming conventions - Active directory Windows 2003


From: "Lubrano di Ciccone, Christophe (DEF)" <diciccone () ppg com>
Date: Mon, 11 Feb 2008 16:56:44 +0100

Depending on how large your organization is, how your security stuff is handled and managed, and whether your AD is worldwide or
not, you may use a unique ID based on this logic:
 AD user login name 'xxxxyyyyy'
 user email account: 'firstname.lastname () mail com'
 email display name: lastname, firstname

Where xxxx is a range of alphabetic characters coding the Business Unit or the dept, and yyyyy is an incremental number
starting at 00001 till 99999. You may consider not reusing an ID, for evident reasons. And if 99999 is not enough, use
000001 till 999999.

Christophe

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of WALI
Sent: Saturday, February 09, 2008 7:20 PM
To: security-basics () securityfocus com
Subject: User Naming conventions - Active directory Windows 2003


 Current scenario:

 AD user login name 'firstname.lastname'
 user email account: 'firstname.lastname () mail com'
 email display name: lastname, firstname

 In case of duplicates found within domain:

 New AD user login name 'firstname.lastname123'. Old account remains the
 same.
 (numerical values are added in front of the new user account)
 user email account: 'firstname.lastname123 () mail com'
 email display name (GAL): lastname, firstname, middle initial (for both old
 and new user - mutually agreed)

 Disadvantages of current convention:
 - Login accounts being the same as email IDs leads to a situation where, looking at
 an internally published email listing, it's easy to guess a user's AD login
 account.
 - A malicious user can drive someone else's account into a lockout condition by
 trying a wrong password 5 times, as that's the 'Account lockout policy'
 setting.
 - Duplicates are not making sense.

 Any advice!!??
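The ID scheme from Christophe's reply, as an added example that is not part of either message: an allocator that issues 'xxxxyyyyy' logins per unit code, never recycles a counter, moves from the five-digit to the six-digit range once 99999 has been issued, and keeps the mail address and GAL display name decoupled from the login, which is what answers the guessability and lockout concerns in the original question. Unit codes, names and the mail domain are constructed.

```python
import re

# Login names follow the scheme from the reply: four letters coding the business unit
# or department, then a counter issued as 00001..99999 and, once those are used up,
# as 000001..999999. Unit codes, names and the mail domain are constructed examples.
LOGIN_RE = re.compile(r"^[A-Z]{4}\d{5,6}$")

def format_counter(n):
    """Return the counter string for the n-th ID issued within one unit code."""
    if n < 1:
        raise ValueError("counter starts at 1")
    if n <= 99999:
        return f"{n:05d}"                 # five-digit range: 00001 .. 99999
    m = n - 99999
    if m > 999999:
        raise RuntimeError("counter space exhausted for this unit code")
    return f"{m:06d}"                     # six-digit range: 000001 .. 999999

def parse_login(login):
    """Split a login into (unit_code, issue_number); the digit count tells the ranges apart."""
    if not LOGIN_RE.match(login):
        raise ValueError(f"not a valid login id: {login!r}")
    unit, digits = login[:4], login[4:]
    value = int(digits)
    if value == 0:
        raise ValueError(f"counter value zero is never issued: {login!r}")
    return unit, (value if len(digits) == 5 else 99999 + value)

class LoginIdAllocator:
    """Issues opaque login names and never hands out a previously issued one."""

    def __init__(self, already_issued=()):
        # Highest issue number per unit code, seeded from IDs that already exist in the
        # directory (including disabled or deleted accounts, so they are never recycled).
        self._high = {}
        for login in already_issued:
            unit, n = parse_login(login)
            self._high[unit] = max(self._high.get(unit, 0), n)

    def allocate(self, unit_code):
        unit = unit_code.upper()
        if not re.fullmatch(r"[A-Z]{4}", unit):
            raise ValueError(f"unit code must be four letters, got {unit_code!r}")
        n = self._high.get(unit, 0) + 1
        login = unit + format_counter(n)
        self._high[unit] = n              # record before returning so the ID is burnt
        return login

def mail_identity(first, last, domain="mail.example"):
    """People-facing address and GAL display name; neither reveals the login name."""
    return f"{first.lower()}.{last.lower()}@{domain}", f"{last}, {first}"
```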