#1
Active Directory username alias
Hello all,
I wasn't sure where to post this thread, since I don't see a topic dedicated to Active Directory. Our organization will be changing our AD (and email) ID convention from lastname-firstinitial to firstname.lastname, (i.e. from smithj to john.smith). No problems making the changes to the accounts and email IDs, however my CIO has a request. He says at his previous job they did the same kind of conversion, and the techs there somehow configured things so that users could login to AD using *either* login ID, and it accessed the same profile. Now, I've researched this request and I have seen lots of info stating that AD does not support aliases in relation to login IDs. However, my CIO says his old team did it somehow. Any ideas? Can it actually be done? So far Google has yielded no results. We're using Server 2003 with the latest SP. As usual, thanks in advance for any and all replies....

#2
I don't think it can be done. A login name should be the same login name. So if you want to change your naming convention, change it in the account's name. You cannot use an alias, I believe, for login names, but for emails it is possible.
The conversion you are describing is probably a script that ran against the whole AD and changed the naming convention of every user.

#3
Tell him that it's a security breach and Microsoft has patched that "feature". Not 100% sure if that's true, but it might work! (some research may be required)
__________________
Adam TT

#4
Scripting the name change isn't really the problem, lotsa info out there on that....it's the multiple login ID that's a puzzler. Personally I've never seen it, and as I said I found several resources on the web stating that Microsoft doesn't support aliases in AD.
But my CIO insists they did it at his previous job...and unlike a lot of upper management my CIO is darned sharp technically. Plus, we discussed it in detail this morning, and I made sure he wasn't confusing this with an Exchange alias...which he wasn't. So Adam, your suggestion about Microsoft patching this "feature" probably wouldn't work....

#5
Almost wonder if they had him on a roaming profile, and then somehow had both user accounts pointing to a shared path that had a static (or even dynamic) profile stored....?
I Googled around a bit for this but couldn't really find anything.

#6
That's possible. Just because he's a CIO doesn't mean he knows what he's doing or talking about. I'd try to get some specific details about what he thinks happened and decipher what really might have been going on. You could be absolutely right in thinking it was just the home drive or something.

#7
I was thinking about this one over the weekend when it occurred to me that for that "alias" to work, they must have had two forests, the new one and the old one. They did a forest to forest trust that allowed the old logon setup to work since the request was being passed through from the new forest to the old one.
On its basis alone, wanting the ability to logon under the old or new naming convention is a terrible idea. If you want both, why change to begin with? You certainly are not addressing the training issue of requiring folks to do it the new way if you still allow them the old way. Seems to me this would be a lot of wasted time and resources. Can't your CIO put you in contact with someone at the old company that knows how they did it?

#8
How can you have 2 Forests providing a single domain??
Whether it's an alias or not, it still points back to the same CN.

#9
Thanks for all the input, folks.
The idea of 2 forests is interesting. I'm inclined to go with seack79's idea of some kind of roaming profile, and either username points to the same object. But I find nothing in Google on this topic so far, and Microsoft says it isn't supported (although that doesn't necessarily mean it can't be done with some kind of 3rd party utility or process). So, the best idea is....get my CIO to hook me up with the techs at his former job.

#10
Yeah, I would agree. I think there was a lot more going on behind the curtains than your CIO realized. Why does he want both if you're changing your naming convention anyways? Oh wait, it's because he's the CIO.

#11
You don't have two forests for a single domain, you basically have two forests providing for mirrored domains and linked profiles. The forests themselves act independently, but the profiles share information.
Honestly, in the end, I'd say stick with changing and make people deal with it. I know you can basically replace the new profile with the old profile, I just don't know how. I know you can do it because I just had to change profiles here at work myself and they switched everything over from my old account and it was much less painful than doing it the old way. Not to say it was flawless, just less painful.

#12
As I read this thread again, I see that wanderer2 was not trying to suggest a forest trust would answer your original question, but it is the most likely scenario at your CIO's last company.
A forest root domain with a child domain. Basically your CIO is incorrect and these are not the same situation. The account can only exist on one domain; w/ a trust or not, it's one account that's trusted on the other domain. One account, one login. Under a root forest domain w/ child domain trust the user can be set to login with either domain, user1@rootdomain or user1@childdomain. This would be set by an admin under user profile. It is not a user selectable option.