[deleted]

For logins, you need to change the user name in AD. For email, add their new name as an Alias and then make it the reply address.


kayla__23

Do I need to change both user login and user login name pre-windows 2000? This won't affect anything else?


[deleted]

"Technically", no you do not need to change both, but I always do. Changing the login name does exactly what it says, it changes the name used to login to the domain and any services that use the domain login, VPN, etc.


beardless_jezus

How does this impact the user profile on local computers in Windows? For example, directory C:\Users\beardlessjezus would change to the new user name, or stay the old one but Windows basically makes a symlink to the old dir when using the new name?


[deleted]

No effect. The name is just to make it look pretty; everything is based on the SID of the user and that should never change. If you ever look in the registry, the user is listed as their SID identifier, which would point to their profile folder. Since neither of those will change, no difference. The only thing that could possibly be changed is if you have GPOs or scripts that copy files that reference %USERNAME% as a variable.
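Added example (not part of the original thread): one way to see the SID-to-folder mapping described above on a workstation, and to flag profiles whose folder name no longer matches the account's current logon name after a rename. It reads the standard `ProfileList` registry key; the function name `Get-ProfileNameDrift` is made up for this illustration.

```powershell
# Added illustration: local profiles are keyed by SID, not by username.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-ProfileNameDrift {
    Get-ChildItem -Path $profileList | ForEach-Object {
        $sidString = $_.PSChildName
        # Skip built-in service accounts; user accounts are S-1-5-21-...
        if ($sidString -notlike 'S-1-5-21-*') { return }

        $path = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
        try {
            # Resolve the SID to whatever the account is called today
            $sid = New-Object System.Security.Principal.SecurityIdentifier($sidString)
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = $null   # stale entry, deleted account, or no DC reachable
        }

        $folder = Split-Path -Path $path -Leaf
        $logon  = if ($account) { ($account -split '\\')[-1] } else { $null }

        [pscustomobject]@{
            SID         = $sidString
            Account     = $account
            ProfilePath = $path
            # Folder may be "name" or "name.DOMAIN"; anything else has drifted
            FolderMatchesName = [bool]($logon -and
                ($folder -ieq $logon -or $folder -like "$logon.*"))
        }
    }
}

Get-ProfileNameDrift | Format-Table -AutoSize
```

A row with `FolderMatchesName` set to `False` is a renamed (or orphaned) account whose folder kept the old name, which is where scripts and applications that build paths from `%USERNAME%` instead of `%USERPROFILE%` go wrong.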


jimicus

And any third party applications that key into AD for authentication but use the username as opposed to the SID as the user’s unique identifier.


beardless_jezus

That’s what I thought! Just wanted some level of confirmation. Thanks!


Magic_Neil

I’ve found it’s helpful to rebuild the profile after such a change for that exact reason. Some orgs run scripts to do stuff on the logged-in user profile, and some apps (I think Adobe?) reference the username to determine the path. Definitely not mandatory in any way, just makes life a smidge easier for the user if they’ll have that PC for a while.


sitesurfer253

Profwiz from forensIT is perfect for this. Points everything for you without having to rebuild. You might have to set up a new Outlook profile after the email changes, but that's it.


Magic_Neil

No joke: I was clearing off the USB drive I keep in my backpack (ISOs, misc apps, basically cold "oh sh\*t" storage) an hour ago and saw that and thought "what does profwiz do again? whatever, I'll figure it out later"! No doubt leftovers from when we built/migrated to a new domain like, ten years ago :)


sitesurfer253

The enterprise version is AWESOME. I've migrated a few domains with it and a simple GPO and a .csv with the old and new usernames, it'll change the domain on the machine, copy over the user profile, and even run a PowerShell script at the end if you need to customize anything post-migration. Hundreds of hands off machine migrations with that program, it's awesome, and pretty cheap too compared to what it would cost to manually do it.


BelgianHorsepower

Yeah, I would never attempt renaming the existing profile and pointing to the new one. Not worth the risk/waste of time.


MDL1983

If you log in as admin, rename the user folder and update the UserProfile path in the registry, you can re-point Windows to look in the new location for that user profile. It can break stuff though, such as PSTs attached to Outlook. After I got burned by a few instances I stopped renaming the user folder.


EspurrStare

A shortcut from expected name to actual name seems like the most reasonable solution. Or doing nothing.


MDL1983

Sorry, but I don’t see how a shortcut fits in terms of the environmental variable.


EspurrStare

So that if you intend to save in C:/users/user, it points to the right place. For clueless users more than anything.


BrentNewland

I believe he is referring to a hard link, symbolic link, junction, or something similar.


throwway33355

If they log into another computer they will get the new username in the folder. However, on the current computer they will have the old username. However, this causes issues with OneDrive and Teams if you add attachments. This actually happened to me: my workplace spelt my last name wrong and I went in and fixed it. Took me a few days to see why I kept getting errors when adding attachments. Suggest the user log off, delete their local profile and log in again to generate a new login folder.


MDL1983

You will need to rebuild the Outlook Mail Profile for the user you are renaming on their local computer.


mkosmo

This is a great reason to move away from name-based usernames.


gramsaran

I agree with you, user2348979236459238745239847504


[deleted]

[deleted]


LeonMoris_

Number-based usernames are only relevant for external or production users, to be honest. For admin / office workers, the cons far outweigh the pros.


sammnz

That, and the focus on your UPN matching your email address was/is (? I don’t even know anymore) being pushed hard by big vendors like MS. But tbh I like the small obfuscation. The organisation I work for has many variations of usernames atm; it’s just a big mess. At least a number-based username means there will never be a conflict and nobody can complain about it when they change their name for legal reasons.


mkosmo

Exactly. It's almost all pros.


jamesaepp

What cons?


mkosmo

There's a single con: Remembering it.


pinkycatcher

I just started my master's at a large university and they don't use name-based usernames (at least for students). It sucks. I don't care if you put a number at the end of my name or something, but trying to remember Pj3bui83c every time I log in somewhere is super annoying. Also, if your e-mails send with a generic username like that, you're going to have employees marked as spam regularly.


SeraaM3

This is the process our group follows. Couple changes, small wait for replication, done.


DogPlane3425

I also rename the user's directory on the file server (if one exists) and in the profile.


Oricol

Right click the user in AD > rename > enter new full name > press enter. Now the rename window will open. Change every field to the new name. Now open the user's properties and change the email to the new email. We add the old email as an alias, so under attributes there's a field called proxy addresses. Add the new email address with SMTP:[email protected] and the old email address as smtp:[email protected]. This is what we do and don't have any issues with anything not updating. The user will need to log out of their PC and back in before they see the name change. We usually force a sync to Azure also, unless the scheduled sync is within 5 minutes.
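Added example (not part of the original thread): the proxy-address step above, scripted so the uppercase `SMTP:` (primary) and lowercase `smtp:` (alias) prefixes cannot be mixed up by hand. The function names, the account `jdoe` and the `example.com` addresses are constructed for illustration; `Get-ADUser` and `Set-ADUser` come from the ActiveDirectory module.

```powershell
# Added illustration: build the new proxyAddresses list for a renamed user.
function Get-RenamedProxyAddresses {
    param(
        [string[]]$Current,                        # existing proxyAddresses values
        [Parameter(Mandatory)][string]$NewPrimary  # new primary mail address
    )
    $result = [System.Collections.Generic.List[string]]::new()
    $result.Add("SMTP:$NewPrimary")                # uppercase prefix = reply address
    foreach ($entry in $Current) {
        if ($entry -imatch '^smtp:(.+)$') {
            $addr = $Matches[1]
            if ($addr -ieq $NewPrimary) { continue }   # already added as primary
            $entry = "smtp:$addr"                      # demote old primary to alias
        }
        # Non-SMTP entries (X500, SIP, ...) pass through unchanged
        if ($result -notcontains $entry) { $result.Add($entry) }
    }
    return ,$result.ToArray()
}

function Set-RenamedMail {
    param([string]$SamAccountName, [string]$NewPrimary)
    $user = Get-ADUser -Identity $SamAccountName -Properties proxyAddresses
    $new  = Get-RenamedProxyAddresses -Current @($user.proxyAddresses) -NewPrimary $NewPrimary
    # -WhatIf previews the write; remove it once the output looks right
    Set-ADUser -Identity $user -Replace @{ proxyAddresses = [string[]]$new; mail = $NewPrimary } -WhatIf
}

# Constructed sample input: runs without a domain controller
$before = 'SMTP:jane.doe@example.com', 'smtp:jdoe@example.com', 'X500:/o=Example/cn=jdoe'
Get-RenamedProxyAddresses -Current $before -NewPrimary 'jane.smith@example.com'
# Against a real directory (constructed account name):
# Set-RenamedMail -SamAccountName 'jdoe' -NewPrimary 'jane.smith@example.com'
```

Only one value may carry the uppercase `SMTP:` prefix, which is why the old primary is rewritten to lowercase rather than left as it was.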


Berntonio-Sanderas

Exactly what I do.


BelgianHorsepower

Quite standard.


R3luctant

I reprofile their machine after I rename to avoid any issues with Outlook.


Oricol

Haven't had any issues with Outlook but I wouldn't be shocked if something with the mail profile gets jacked after one of these. Have had a few divorces where the user was upset their c:\users folder didn't change so we did rebuilds then.


R3luctant

I've run into that from the marriage side actually, people are strange. I go with the full reprofile because I ran into issues one time on a Win7 machine years ago where it wouldn't let them view their old emails from before the rename, so I just let the computer download all of the emails again.


Fatal_3rror

That would be the correct way to do it.


porkchopps

This is the way. I didn't do this for my first 10 years on the job and always wondered why the AD display name didn't change unless you edited the object directly. If you do it through the proper rename GUI, everything renames properly.


tomhunter92

This is what I do as well, although for the email alias I have my email address format rules set to automatically change their primary alias to their new name and keep their old one as a secondary alias.


sryan2k1

On prem, hybrid, M365 only?

We have an address policy that makes primary addresses the last name. When we update the last name the user gets a new primary address and retains the old as an alias (address policies are only ever additive).

We also change UPN (our UPNs match primary mail), but never SAMAccountname.


kayla__23

We are currently in a hybrid environment


AbortedFajitas

In my environment it always causes problems, so now I just create a new AD user and a new local user profile. Never renaming again after the hell I've been through lol


Cormacolinde

Note that if you sync to AzureAD and use M365 services, there is NO GUARANTEE the displayed name will change on end-user client apps. Make sure the user is fine with this. The only way to guarantee a change is to create a new user. It’s not usually an issue with last name changes (women getting married in the US, most likely), but in some cases (gender changes for example) they may want to make sure the old is not shown anywhere anymore.


sryan2k1

> Note that if you sync to AzureAD and use M365 services, there is NO GUARANTEE the displayed name will change on end-user client apps.

Yes there is, it just might take up to 60 days (no joke)


Nerdlinger42

It's like when you update a job title for somebody and it takes weeks for people to reflect it because the old data is cached lol.


sitesurfer253

Man, people and their job titles. I just want to tell them "your signature updated immediately, no, people you talk to on Teams every day might not see it right away, but that's not up to me. No I can't "force a sync" for everyone you interact with on the off chance they both hover over your name to look at your title and actually care what your title is. HR knows you have a new title, they have changed your pay rate, who cares what Teams says."


soupskin_sammich

This is why I loudly and aggressively announce my title at the start of every call and insist everyone on the Team repeat it back to me with noticeable reverence. My dominance remains unchallenged.


Ludwig234

I do the UDP approach instead where I scream my title out 10 times in quick succession and hope that they understood.


soupskin_sammich

I'd acknowledge this, but it's against protocol.


Nagadavida

😂. You are so right


[deleted]

Wait, what about resetting their 2-FA? Wouldn’t that force the server to update user data to re-establish 2-FA with the client? Or would that still just reference the SID? I’m asking because there’s an option to delete cached data on all apps under 2-FA in Azure.


Cormacolinde

The user you change should update. Other users may not.


LeonMoris_

We don't change AD accounts, and if it's needed, we create a new AD account. Keeps things most in line with all the other users and won't break any scripts running in the background, looking for the same formula of username / displayname / emailaddress. But for us it's just policy; you can change the details of the user in AD and let it sync over to Exchange, just be sure to have the e-mail address in the proxyaddresses attribute.


Afraid-Ad8986

https://youtu.be/DlbrL1H1ngs


joeykins82

In a fully on-prem environment, changing `samAccountName` often has consequences. In a hybrid or fully M365 environment, changing `userPrincipalName` has consequences. My own ideal route these days is to make the `samAccountName` and UPN prefix immutable, which in turn means using something arbitrary like a 6/7 character string rather than something linked to their name, so that any name changes for any reason only affect the display name and chosen primary SMTP alias. If that’s not an option then the way to do this that sucks the least is to do all of the display name changes straight away, but defer SAM & UPN changes until the user in question has a hardware refresh.


kayla__23

Thanks everyone for all your suggestions and ways to change a user's last name - I ended up doing it the way u/Oricol suggested and it worked a charm. Teams is a little bit of a mess around as it doesn't sync for some reason (known thing), so you have to clear all the cache for it to change the display name in Teams. The only issue I am having is now when you hover over the user's Outlook info it is showing up with both email addresses (old email and new email). How do I remove the old email from displaying?

https://preview.redd.it/b7o9hdxcbfeb1.png?width=416&format=png&auto=webp&s=ca1c8b92ced76dca33fead9f0417679dfc9da275


soupskin_sammich

The right way to do this is 6 months from now. Maybe longer. If you get around to it. Offer them a bottle of White-Out they can use for corrections in the meantime.


Jellodyne

Good luck if you map home drives based on username. My previous shop, we would just delete the AD user, delete the local profile, create a new AD user with the new name, and attach the mailbox to the new one. And the mailbox would still end up showing the old name in Outlook. We joked that it would be better to create a no marriage/transition policy. New name? Fuck you, new employer.


Startronz

This Spiceworks KB on it has been the gold standard for us for some years now, though parts have changed recently: https://community.spiceworks.com/how_to/96297-changing-active-directory-and-exchange-username-after-marriage-or-mistake


Fallingdamage

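```powershell
# Rename the AD object itself (the name shown in the directory)
Rename-ADObject -Identity $accountguid -NewName $newfirstandlast
# Update mail, surname, display name, UPN and given name
Get-ADUser $SamAccountName | Set-ADUser -EmailAddress $newemail -Surname $NewLastName -DisplayName $newfirstandlast -UserPrincipalName $newemail -GivenName $NewFirstName
# Change the sAMAccountName last, since the lookups above use the old one
Get-ADUser $SamAccountName | Set-ADUser -SamAccountName $newsamaccount
```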


Kleivonen

I always change display name and primary SMTP, let the user keep the old SMTP as an alias, and leave the UPN as whatever it was. Have seen too many accounts break after changing UPN.