Is there such a thing as a "fully qualified" username within the context of Windows Authentication?

  • ben (in mydomain\ben) is the SAM account name. ("SAM" is short for Security Account Manager, the old Windows NT account system.) I don't know if there is a name for the entire "mydomain\ben" construct.

  • ben@blah.net is called UPN or User Principal Name, where "blah.net" is the UPN suffix.

  • In Active Directory there is also something called DN or Distinguished Name, which for ben would probably be CN=ben,OU=Users,DC=blah,DC=net. This is the closest to a "fully qualified" name I think you get. It describes both the name of the object (the CN part) and the container (OU part) where it resides within Active Directory, as well as the DNS domain name (DC part) of the Active Directory.

Of those three, the DN is the ONLY one that can be used to bind directly to the LDAP user object without having any other information. Using the UPN you have to know a domain controller to query. (It is possible to get to the object from the Domain\SamAccountName as well, but it requires first finding the domain controller for Domain and then doing a search for the object with the given SamAccountName).


The formats known to GetUserNameEx are listed in the EXTENDED_NAME_FORMAT enumeration.

I think there is a length restriction on SAM compatible names that can sometimes be overcome with UPN format.


According to Microsoft's User Name Formats documentation:

  • mydomain\ben is called the Down-Level Logon Name
  • [email protected] is called the User Principal Name
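
The three formats named in the answers above can be told apart by their syntax alone, which is useful when the same account shows up in logs under different spellings. The following is an added example, not code from any of the answers; `AccountName`, `parse_account_name` and `_split_rdns` are hypothetical names, and it assumes a DN whose user object is named by its first CN component.

```python
import re
from typing import NamedTuple, Optional


class AccountName(NamedTuple):
    fmt: str                 # "dn", "down_level", "upn" or "sam"
    user: str
    domain: Optional[str]    # NetBIOS domain, UPN suffix, or DNS name built from DC parts


def _split_rdns(dn):
    """Split a DN on commas, skipping commas escaped with a backslash."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])   # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append("".join(buf))
    return parts


def parse_account_name(name):
    """Classify a user name string and split it into user and domain parts."""
    name = name.strip()
    if re.match(r"[A-Za-z][A-Za-z0-9-]*=", name):            # CN=...,DC=...
        rdns = [p.lstrip().partition("=") for p in _split_rdns(name)]
        # Undo single-character escapes; hex escapes such as \2C stay as written.
        vals = [(k.strip().upper(), re.sub(r'\\([",+;<>\\ #=])', r"\1", v))
                for k, _, v in rdns]
        cns = [v for k, v in vals if k == "CN"]
        dcs = [v for k, v in vals if k == "DC"]
        if not cns or not dcs:
            raise ValueError("DN needs at least one CN and one DC component")
        return AccountName("dn", cns[0], ".".join(dcs))
    if name.count("\\") == 1 and "@" not in name:             # mydomain\ben
        domain, _, user = name.partition("\\")
        if domain and user:
            return AccountName("down_level", user, domain)
        raise ValueError("empty domain or user in down-level name")
    if "@" in name:                                           # prefix@suffix
        user, _, suffix = name.rpartition("@")
        if user and suffix:
            return AccountName("upn", user, suffix)
        raise ValueError("empty prefix or suffix in UPN")
    if "\\" in name or not name:
        raise ValueError("unrecognised account name")
    return AccountName("sam", name, None)                     # bare SAM account name
```

Note that the domain recovered from a down-level name is the NetBIOS domain name, while the one from a UPN or DN is a DNS-style name, so the two cannot be compared without a directory lookup.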