Change User Logon Name in Active Directory Using PowerShell
IT administrators may need to change the user logon name in Active Directory with PowerShell or other means.
This is especially true if a user got married or has a misspelled name. Regardless of the situation, the administrator should not delay this relatively minor task anymore.
These small mistakes add up over time and can make the AD less efficient for inter-user communication. However, with so many attributes containing the word “name”, plus some hidden parameters like sn, CN, etc., even veteran administrators can get confused about what to change.
Moreover, many may not know the exact effects of changing AD usernames on their environment. Not to worry, as this write-up contains multiple methods. To start off, let’s see how the ADUC portal assists in renaming.
How to Rename User Account in Active Directory Users and Computers Snap-In
First, ensure that you have ADUC on your Active Directory like we did to export user group membership from AD previously. If not, install it via the Server Manager and then continue with the following steps:
- Open ADUC.
- Navigate to the Users container.
- Select the user account that needs to be renamed.
- Wait for a second and click on its present name while it is selected. Alternatively, you can right-click on User > Select Rename.
- Once the name becomes editable, start typing the new full name and press Enter.
- The basic name change completes and the Rename User popup appears.
- In this window, you get access to some extra attributes to update. These include the first and last name, display name, and user logon name. Every single one of these can be different. However, note the following when you attempt the renaming:
- The default character limit is 64 so don’t exceed that. Although you can use all the Unicode characters, keep the new name as per your organization’s naming scheme.
- Don’t change the first name / last name after renaming the display name. It would automatically overwrite any changes made to the display name.
- Likewise, User Logon Name and User Logon Name (pre-Windows 2000) have the same restriction: the pre-Windows 2000 name gets changed if you update the regular user logon name.
- After the changes, click on OK. You won’t be able to perform any other task until the Rename User window closes. If you hit the Cross or Cancel button, all the changes revert back to their original state.
Rename Additional Username Parameters via the Attribute Editor
- To change the name attributes at the attribute level, first click on View and ensure that the Advanced Features option is enabled.
- Then right-click on the user and select properties.
- In the Properties box, select the Attribute Editor tab.
Here you can edit all the regular renaming parameters as well as get some extra options not available in the default box. The options include:
| Attribute | Modified By | Description | Notes |
|---|---|---|---|
| adminDisplayName | Domain Administrator | Security principal display name used for administrative tools. | Not typically used for user display names. |
| canonicalName | N/A | Self-constructed default name that includes the path. | Cannot be changed manually. |
| cn (Common Name) | Domain Administrator (Creation) | Unique identifier within a domain or forest. | Only modifiable during creation. |
| displayName | Domain Administrator (Creation) | User-friendly display name. | Can be updated by account owner or administrator. |
| givenName (First Name) | Domain Administrator / Account Owner | User’s first name. | Either the account owner or administrator can update it. |
| initials | Domain Administrator / Account Owner | User’s initials. | Can be updated by the account owner or administrator. |
| middleName | N/A | Not a standard user account attribute in Active Directory. | May exist in custom configurations. |
| sAMAccountName | Domain Administrator (Creation) | Login name used for authentication. | Should not be changed after creation. |
| sn (Surname/Last Name) | Account Owner / Anyone with Write Permission | User’s last name. | Either the account owner or administrator can update it. |
| userPrincipalName (UPN) | Domain Administrator (Creation) | Unique user identifier for login (may include email address format). | Ideally, shouldn’t be changed after creation. |
Before moving to the command-line variations, we recommend that you check another GUI-based option on your Active Directory.
Use Active Directory Admin Center for Changing User Name in AD
- Type Admin Center in the Windows search bar and click on the first result.
- Click on the Users option below the domain controller.
- Select a user and click on Properties from the right-hand pane.
- Put in the New name values and click OK.
- Note that the OK button stays disabled until you make changes.
Next, we will provide you with the ability to perform individual user name updates via the command line.
How to Rename User Account in Active Directory Command Line
For single-user name changes, use:
dsmove "<ObjectDN>" -newname "<NewName>"
Multi-user renaming can be done via:
dsquery user -name "<pattern>" | dsmod user -upn "<value>" -fn "<value>" -display "<value>" -ln "<value>"
A better way for multi-user renaming would be PowerShell. Let’s see why.
Change User Logon Name in Active Directory With PowerShell
For a single user, the PowerShell method is more involved than the GUI. Its real use shines in specific scenarios like AD cross-forest migration, where the admin usually needs a bulk rename.
For that, prepare a CSV user list by running the professional AD reporting solution. And use the CSV output alongside the following script in the target domain.
Here is an example script that updates all user display names.
Get-ADUser -Filter 'Name -like "*"' -SearchBase '<container DN>' -Properties DisplayName | ForEach-Object { Set-ADUser -Identity $_ -DisplayName ($_.Surname + ' ' + $_.GivenName) }
Note that the Set-ADUser command is quite powerful as it includes the parameter to rename basically anything in a user account. The following name category parameters can be changed with this cmdlet.
- [-DisplayName] (describes how the user account is visible)
- [-GivenName] (specifies the user’s first name)
- [-Initials] (user’s initials)
- [-OtherName] (alternative name for the user)
- [-SamAccountName] (defines the login username)
- [-Surname] (specifies the user’s last name)
- [-UserPrincipalName] (defines the user’s login name, often including email format)
So make sure that you only use PowerShell if you have prior experience.
Best Practices While Changing a User’s Name in Active Directory
User renaming options depend a lot on account status. Active users need not worry; these accounts face no problem with any name change procedure. The same goes for inactive accounts: either admins or the users themselves can log in and rename the account. However, expired or deleted accounts that exist only as AD tombstones may be subject to renaming restrictions.
To make sure that this does not happen when you try to bulk rename user accounts with PowerShell, check the account status before renaming. For that, the SysTools Active Directory Reporting Software is there to help you out. Use it to construct the CSV list of all user accounts that are under consideration.
Moreover, as the tool uses the SID, it is able to detect all user-level changes, including this one. It presents the operation output in an easy-to-share CSV format. Admins get a simple boolean answer in front of those accounts that underwent a renaming procedure.
Other than using a detection tool, you can set up a custom renaming admin role for your AD. It is nothing but a user account with delegated privileges. It’s just that its scope is to rename other users.
You can’t update self-constructed parameters like the common name through the attribute editor. Attempting to do so triggers an error.
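The script below is an added example, not from the original article or the reporting tool it mentions. It ties the PowerShell bulk-rename section and the best-practice checks above together: it reads a constructed CSV (the column layout is a hypothetical one), skips accounts that no longer exist or are disabled, refuses to rename onto a logon name that is already taken, updates the logon names with Set-ADUser, and uses Rename-ADObject for the cn/Name, which Set-ADUser cannot change. It assumes the RSAT ActiveDirectory module and a UPN suffix of corp.example.

```powershell
# Added example (not the article's or any vendor's code). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$upnSuffix = 'corp.example'   # assumption: your domain's UPN suffix
$dryRun    = $true            # set to $false to apply; $true only reports what would change

# Constructed sample input; in practice replace with Import-Csv on the reporting tool's export.
$renames = @'
SamAccountName,NewSamAccountName,NewGivenName,NewSurname
jdoe,jsmith,Jane,Smith
bgone,bgone2,Bob,Gone
'@ | ConvertFrom-Csv

foreach ($row in $renames) {
    # Look the account up by its current sAMAccountName; a missing object means it was deleted
    # (or is only a tombstone), which is exactly the case the best-practices section warns about.
    try {
        $user = Get-ADUser -Identity $row.SamAccountName -Properties DisplayName -ErrorAction Stop
    } catch {
        Write-Warning "$($row.SamAccountName): not found - skipped"
        continue
    }
    if (-not $user.Enabled) {
        Write-Warning "$($row.SamAccountName): account is disabled - skipped"
        continue
    }

    # Refuse to create a duplicate logon name or UPN before touching anything.
    $newUpn = "$($row.NewSamAccountName)@$upnSuffix"
    $clash  = Get-ADUser -LDAPFilter "(|(sAMAccountName=$($row.NewSamAccountName))(userPrincipalName=$newUpn))"
    if ($clash) {
        Write-Warning "$($row.NewSamAccountName): target logon name already in use - skipped"
        continue
    }

    # Set-ADUser covers every name attribute except cn/Name. The SID is untouched, so group
    # memberships and ACLs keep working; only the logon names the user types change.
    Set-ADUser -Identity $user -SamAccountName $row.NewSamAccountName -UserPrincipalName $newUpn `
        -GivenName $row.NewGivenName -Surname $row.NewSurname `
        -DisplayName "$($row.NewSurname) $($row.NewGivenName)" -WhatIf:$dryRun

    # cn (the object's Name) is not writable via Set-ADUser; rename the object itself instead.
    Rename-ADObject -Identity $user -NewName "$($row.NewGivenName) $($row.NewSurname)" -WhatIf:$dryRun

    # Emit a row keyed on the SID so the change can be reconciled later, as the article suggests.
    [pscustomobject]@{ SID = $user.SID.Value; OldLogon = $row.SamAccountName; NewLogon = $row.NewSamAccountName; Renamed = -not $dryRun }
}
```

Run it once with $dryRun left at $true and review the -WhatIf output before applying; pipe the resulting objects to Export-Csv to keep a record of which SIDs were renamed.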
The biggest concern about renaming an account comes from the external apps that use the account name as an identifying criterion.
If they don’t update alongside them, then you might witness a loss in functionality. Therefore, administrators must ensure that this does not happen.
Moreover, as the internal AD processes sync in real time, there is no change in user behavior inside the AD. If the UPN or logon name changes, though, users will need to use the new one to access their account.
Conclusion
So now admins have all the techniques at their disposal to not only change user logon name in Active Directory but check the changes as well. No matter which method you opt for, to verify this user modification, use the tool described earlier. It gives you an external confirmation whenever you update the way a user is displayed inside an AD.