Corporate User Name Standards

[reactionary007]

I would appreciate your thoughts on using an employee number as the user name standard.  We are likely going to implement this soon and there has been a lot of push back.  We have between 8 and 10 thousand users across several different divisions.  Recently consolidated all of our disparate Active Directories, but have several standards in the directory.  Once you go out across other systems, it is a real jumbled mess.

 

Using employee number as a user name will resolve a lot of issues.  However, it raises some.  It would be great to hear from those who work in an environment like this or have been through a conversion to a similar standard.  All input is welcome.  Thanks!

 

Some thoughts...

 

Benefits:

Cleaner and easier rules and workflow in Identity Management system

Never have to change user name for nicknames, marriage and divorce, or any other name changes

Guaranteed unique - no duplicates - like having 10 Anne Smiths, etc.

You always know you have the right account when performing administrative tasks

 

Downfalls:

In systems that do not show a display name (Unix, etc.) admins always have to correlate back to a name in a separate system

Less personalized to the user

Might make manual human processes a bit more prone to error as it would be easier to mistake one account for another on sight, transpose numbers and still get a valid account, etc.

[reactionary007]

Also - when I say pushback - it is from others in I.T. - not so much the business

[sc302 Veteran]

user defaults are either firstinitiallastname or firstname.lastname.  You could even do something like firstname.middleinitial.lastname

 

This usually falls in line with their email addess as it is usually easier for users to remember.  This isn't about you or your thoughts it is about users and their ability to cope/understand/use the systems.  Employee number is not something that should ever be used, imo.  If you ask me it is an administrative headache especially when trying to get to user profiles on the system.  You can easily tell what user profile is what by looking at it without going to a database and figuring it out.  Keep administration simple, don't over complicate it (using a numerical id will over complicate things tremendously.)

[BajiRav]

user defaults are either firstinitiallastname or firstname.lastname.  You could even do something like firstname.middleinitial.lastname

 

This usually falls in line with their email addess as it is usually easier for users to remember.  This isn't about you or your thoughts it is about users and their ability to cope/understand/use the systems.  Employee number is not something that should ever be used, imo.  If you ask me it is an administrative headache especially when trying to get to user profiles on the system.  You can easily tell what user profile is what by looking at it without going to a database and figuring it out.  Keep administration simple, don't over complicate it (using a numerical id will over complicate things tremendously.)

ditto.

[astropheed Veteran]

user defaults are either firstinitiallastname or firstname.lastname.  You could even do something like firstname.middleinitial.lastname

 

This usually falls in line with their email addess as it is usually easier for users to remember.  This isn't about you or your thoughts it is about users and their ability to cope/understand/use the systems.  Employee number is not something that should ever be used, imo.  If you ask me it is an administrative headache especially when trying to get to user profiles on the system.  You can easily tell what user profile is what by looking at it without going to a database and figuring it out.  Keep administration simple, don't over complicate it (using a numerical id will over complicate things tremendously.)

 

[goretsky Supervisor]

Hello,

 

I think you should go ahead with it, as long as (1) it's not a problem that employee's accidentally receive email not intended for them (HR, accounting, sales, executives, etc.); and (2) it's okay if lower-privileged users occasionally get added as a domain admin, superuser or whatever higher-privileged accounts are used.  After all, what's possibly the worst that could happen?

 

Actually, I'm just being sarcastic.  You're not only likely increasing the chance of data exfiltration, but malware infiltration as well.  Not to mention the fact that if this company is in a regulated industry, it is likely going to get into some trouble during the next security audit.  I am not a lawyer, of course, but it seems to me this roll-out could be useful in a shareholder lawsuit against the company as evidence of incompetence on the part of the executives or the board, gross neglect, malfeasance, etc.. 

 

Regards,

 

Aryeh Goretsky

[reactionary007]

Thanks everyone. We took your thoughts to heart along with all of the other feedback received and went with something more traditional and personal. No employee #.

[Dot Matrix]

Where I work, employee IDs are a unique letter/number combo. AD is setup to associate this with a FirstName.LastName@company.com Exchange identity. User's use their unique letter/number combo for system sign-ons.

 

It may not be "personalized" much, but it gets the job done.

[reactionary007]

We will be populating the employeeID attribute and the employeeType attribute on all accounts with this new standard - we don't use Exchange.

[Adam1V]

Surely having an ID or number will make manage exchange delivery difficult since you'll be mapping numbers to email addresses?

[sc302 Veteran]

irrelevant with exchange delivery. 

 

Exchange works via user account, not by logon.  You assign bob smith an exchange mail box, the email will be bob.smith@company.com.  The user id for bob smith is 12345678, bob uses 12345678@company.local to logon.  As an admin, we do not see bob smith logging on, we see 12345678.  It is very hard to determine by looking at it who is 12345678 when looking at login logs, access logs, or any other logs that pertain to user authentication/access. 

[Gareth Chamberlain]

If you are a large organization with a rather large OU then i think managing users in this manner will get messy quickly. If you are a small outfit with a small medium OU then i cant see a problem.

 

Administering a large OU with a high staff turnover will get messy this way with making sure you have the correct number and disabling the account when starting. Also you are relying on Human Resources to be correct in the employee number. Yes you can add comments in to the AD field but when users are joining and leaving the outfit then it could get messy 

 

We use the following standard over a 5,000 userbase AD Country, Last name, First name, and if they are the first with that name and country 01 and duplicate 02 so on so forth so it looks like this "GBCG01"

[binaryzero]

<First letter of name><surname to 8 characters> is ours - jsmith. E-Mail is first.lastname@domain.

[c.grz]

For us John Smith's ID would be johsmi0601@company.com and email would be both john.smith@company.com and jsmith@company.com with john.smith@company.com being his default smtp address.

[Haggis Veteran]

our is 6 of surname plug first initial an a number if duplicate names

Work well

Emails are firstname.surname@domain.com