Troubleshooting Username Issues
Written by Mike Rede on June 8, 2010
Most people would think that username problems are minor. But for an end user who has been working at a company for a long time, suddenly finding that their login does not work can be a source of frustration that, if not fixed soon, can disrupt their workflow and diminish their productivity.
So administrators should treat an end user's login problems due to unrecognized usernames with degrees of priority that escalate at an increasing rate the longer the user is unable to log in to their email account.
There are several scenarios in which users can unknowingly lose their login privileges.
If an end user has recently left the company for whatever reason, an administrator will need to follow a (hopefully) predefined procedure for removing the now-inactive account from the system.
One method that inexperienced administrators use is to reuse the previous employee's existing account. Rather than creating a new account and removing the old one, the administrator simply renames the existing account within Active Directory using the new employee’s information. Unfortunately, this method does not guarantee that the old user’s account – and username – are entirely removed from the system. Somewhere in the internals of the system, in the directories and any databases – in this case Active Directory – there are remnants of the previous user’s information. A likely repository is the Exchange server, which can contain the old user’s information such as their username.
Because the username has not been completely removed from the system, whenever an email is sent from the renamed user’s account the mail header fields can be populated with usernames that were previously associated with the old account. The “To” and “Cc” fields might be completed automatically with a username as soon as the new user begins to type an email address. For instance, autocomplete might complete the email address in a “To” field with something like “John Doe <john.doe@somedomain.com>”. But if the new user’s name is typed into one of the fields, autocomplete will incorrectly complete the email address to look something like “Jake Newuser <Jim>”.
So renaming an old account is not the best email management practice. This method modifies the attributes of the account but not the Security Identifier (SID) of the original account. Each user’s SID is a unique ID number that the system or domain controller uses to identify the user. SIDs are composed of a string of alphanumeric characters and are assigned to a specific user or group on a domain-controlled network. Underneath the readable usernames are the SIDs associated with the individual logins. Active Directory or Kerberos domain authentication is used to store the passwords for the accounts. Based on the username and password, the system can verify whether or not the SID is associated with the user account information.
So although the username may have been changed, the underlying SID remains the same. Modifying a username associated with an email account using the rename function will modify all the properties associated with the user account but not the SID. After “renaming” an account, the new user will be able to log in to the mailbox and see all the old email contained in the previous mailbox, but now under a new username.
The display name, account name, user principal name, first name, last name, e-mail address, and so on are all separate attributes and are modified in other places, generally properties fields. Renaming an account doesn’t change anything about an associated mailbox. It is not an all-in-one operation for deleting the old account and creating a new account. Only the common name (cn) attribute is changed.
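An added example (not from the original article): a PowerShell check that flags accounts whose cn no longer agrees with the other name attributes, which is the state a rename leaves behind. The function names, the matching heuristic, and the three sample records (including their SIDs) are assumptions constructed for illustration; on a domain the input would come from Get-ADUser with -Properties cn,DisplayName,mail.

```powershell
# Case-insensitive substring test that tolerates empty or missing values.
function Test-Contains([string]$Text, [string]$Part) {
    [bool]($Part -and $Text -and
           $Text.IndexOf($Part, [StringComparison]::OrdinalIgnoreCase) -ge 0)
}

# Hypothetical helper: emits one record per account whose cn disagrees with
# the attributes that a rename does not touch.
function Find-RenamedAccount {
    param([Parameter(Mandatory, ValueFromPipeline)][object]$User)
    process {
        $stale = @()
        if ($User.DisplayName -ne $User.cn) { $stale += 'displayName' }
        if (-not (Test-Contains $User.cn $User.GivenName)) { $stale += 'givenName' }
        if (-not (Test-Contains $User.cn $User.Surname))   { $stale += 'sn' }
        # Heuristic (assumption): the surname appears in the local part.
        $mailLocal = ("$($User.mail)" -split '@')[0]
        $upnLocal  = ("$($User.UserPrincipalName)" -split '@')[0]
        if (-not (Test-Contains $mailLocal $User.Surname)) { $stale += 'mail' }
        if (-not (Test-Contains $upnLocal  $User.Surname)) { $stale += 'userPrincipalName' }
        if ($stale.Count -gt 0) {
            [pscustomobject]@{
                SID            = $User.SID   # unchanged by a rename
                cn             = $User.cn
                SamAccountName = $User.SamAccountName
                StaleAttribute = $stale -join ', '
            }
        }
    }
}

# Constructed sample records shaped like Get-ADUser output.
$sample = @(
    [pscustomobject]@{ SID = 'S-1-5-21-1111111111-2222222222-3333333333-1104'
        cn = 'Jake Newuser'; DisplayName = 'John Doe'; GivenName = 'John'
        Surname = 'Doe'; SamAccountName = 'jdoe'
        mail = 'john.doe@somedomain.com'
        UserPrincipalName = 'john.doe@somedomain.com' },   # renamed, not replaced
    [pscustomobject]@{ SID = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
        cn = 'Jane Smith'; DisplayName = 'Jane Smith'; GivenName = 'Jane'
        Surname = 'Smith'; SamAccountName = 'jsmith'
        mail = 'jane.smith@somedomain.com'
        UserPrincipalName = 'jane.smith@somedomain.com' }  # consistent
)

$sample | Find-RenamedAccount | Format-List
# On a domain-joined host (requires the ActiveDirectory module):
#   Get-ADUser -Filter * -Properties cn,DisplayName,mail | Find-RenamedAccount
```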
Another scenario which may occur is if an employee has had a recent change to their marital status and their name has changed. They might submit a request that their current username – and all corresponding email properties – be changed to reflect their new name. It also may be the case that someone new has replaced another employee within a department.
We’ve already seen what problems can occur when an old account is simply renamed. One solution is to use email aliases. This can easily be done by changing the settings in Exchange. The alias is the part contained within the angle brackets (< >) of an email address field, as in “John Doe <JDoe>”. New and external emails, both inbound and outbound, are not affected.


