That's my take on it. We leave the account names alone where possible (%firstname%firstlastnameinitial), however we do give the user a choice if they really want to change the initial.
Sometimes the user politics are more important than the technicalities of changing it. Gavin. -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Maglinger, Paul Sent: 20 May 2014 22:33 To: '[email protected]' Subject: [NTSysADM] RE: Adding employeeNumber field in ADUC user property window >From a strict IS perspective I see that. >From a user perspective - if you were a woman who went through a particularly >nasty divorce, would you really want to be reminded of that every time you >logged in? -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Free, Bob Sent: Tuesday, May 20, 2014 4:20 PM To: [email protected] Subject: [NTSysADM] RE: Adding employeeNumber field in ADUC user property window I think many (most?) folks' approach is , just don't change samaccountname... If they want a cosmetic name change, there are plenty of name attributes to make them look nice in the GAL and other systems. Personnel numbers have changed here depending on which HR system was in place. Names change...Solutions and systems change... You need a single source of truth across everything...IMHO. We have an NRC requirement for such a single immutable identifier so a scheme was established long ago that establishes their CorpID and UID at account provisioning time. Neither is ever changed or reused. In hindsight, that made it easy for us. We established samaccountname as the attribute mapped to CorpID in AD in the beginning, UPN is also a construct of it, mail, Lync, Unity and on and on.. Before that it was used in NT, Banyan, UNIX , mainframe, email gateways etc etc. My CorpID (samaccountname) shows up in >15 other AD attributes. Heaven knows how many other systems use it. Even if you don't have regulatory requirements for such (yet), it's a good way to go. I guess if you only log into one or 2 systems with your identity it is cool but it sure won't scale in an environment where you have many, many systems consuming the identity. -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Maglinger, Paul Sent: Monday, May 19, 2014 3:03 PM To: '[email protected]' Subject: [NTSysADM] RE: Adding employeeNumber field in ADUC user property window That doesn't make me any happier. -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Michael B. Smith Sent: Monday, May 19, 2014 4:55 PM To: [email protected] Subject: [NTSysADM] RE: Adding employeeNumber field in ADUC user property window That isn't new :) -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Maglinger, Paul Sent: Monday, May 19, 2014 5:37 PM To: '[email protected]' Subject: [NTSysADM] RE: Adding employeeNumber field in ADUC user property window I'm glad to hear from someone that used it. This is spurred by the discovery that Cisco Unity Connections 10 uses LDAP sync. Funny thing, users get married and divorced and require account name changes. If the association between Unity and AD is based on the samAccountName the association breaks - and you apparently can't just associate the old voicemail account with the new account name. You have to delete and recreate the Unity account. Something else that the sales rep and engineers didn't mention when we were considering this solution. Now looking into using an attribute that won't change and employeeNumber is an option. Powershell is a definite for initially populating the attribute for existing users. I'd still like to have something available that's already familiar with everyone else for new users. -Paul -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Melvin Backus Sent: Monday, May 19, 2014 4:13 PM To: [email protected] Subject: [NTSysADM] RE: Adding employeeNumber field in ADUC user property window I'm guessing you probably found the same one I did. I've been running if for about 5 years now with no "known" ill effects, in case that makes you feel better. We also handle employee type that way too. I agree, a separate tab or being able to expose it on one of the existing tabs would be preferable, but lately I've started using powershell for that sort of thing. -- There are 10 kinds of people in the world... those who understand binary and those who don't. -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Maglinger, Paul Sent: Monday, May 19, 2014 5:02 PM To: New NT System Admin List ([email protected]) Subject: [NTSysADM] Adding employeeNumber field in ADUC user property window Is there a way to add a place under say, the General or Organization tab of the user properties to enter the employeeNumber value without having to go into the Attribute Editor and modifying it there? I found an article which would have me put a vb script on the server, and then right-click on the account to set the value. I'm not real crazy about putting a vb script on my domain controller, much less one I downloaded from the net. And I'd like the option to be available on all the DCs. Anyone have any other options? Ideally I'd like to see a place on user's property page in ADUC. -Paul PG&E is committed to protecting our customers' privacy. To learn more, please visit http://www.pge.com/about/company/privacy/customer/ SMP Partners Limited, SMP Trustees Limited and SMP Fund Services Limited are licensed by the Isle of Man Financial Supervision Commission. SMP Accounting & Tax Limited is a member of the ICAEW Practice Assurance Scheme. SMP Partners Limited registered in the Isle of Man, Company Registration No: 000908V Directors: M.W. Denton, M.J. Derbyshire, P.N. Eckersley, S.E McGowan, O. Peck, J.J. Scott, S.J. Turner SMP Trustees Limited registered in the Isle of Man, Company Registration No: 068396C Directors: A.C. Baggesen, M.W. Denton, O. Peck, J.J. Scott, J. Watterson, J. Cubbon SMP Fund Services Limited registered in the Isle of Man, Company Registration No: 120288C Directors: V. Campbell, M.W. Denton, P.N. Eckersley, D.A. Manser, S.E McGowan, O. Peck, J.J. Scott, R.K. Corkill SMP Accounting & Tax Limited registered in the Isle of Man, Company Registration No: 001316V Directors: I.F. Begley, A.J. Cowley, A.J. Dowling, P. Duchars, P.N. Eckersley, J.J. Scott, S.J. Turner SMP Capital Markets Limited registered in the Isle of Man, Company Registration No: 002438V Directors: M.W. Denton, M.J. Derbyshire, D.F Hudson, S.E McGowan, O. Peck, J.J. Scott. SMP Partners Limited, SMP Trustees Limited, SMP Fund Services Limited, SMP Accounting & Tax Limited and SMP Capital Markets Limited are members of the SMP Partners Group of Companies. This email is confidential and is subject to disclaimers. Details can be found at: http://www.smppartners.com/disclaimer.asp ______________________________________________________________________ This email has been scanned by the Symantec Email Security.cloud service. For more information please visit http://www.symanteccloud.com ______________________________________________________________________
