What Active Directory field do I use to uniquely identify a user?

Jim Mitchener picture Jim Mitchener · Dec 16, 2009 · Viewed 7.7k times · Source

I have an Asp.net MVC project authenticating through AD. I would like to store audit information in tables for the current logged in user. What should I be storing in the database? I am currently using SamAccountName for my membership and role providers. Should I be using this? Should I use the more verbose and modern UserPrincipalName? What if we eventually end up using multiple domains?

What about Guid? Guid would seem like the obvious choice but I know nothing about it. Why is it nullable? Does this value change? What is it used for?

Update

According to SID vs. GUID ...

The reason for using SIDs at all, and not GUIDs, is for backward compatibility. Windows NT uses SIDs to identify users and groups in ACLs on resources.

SIDs will actually change if you move a user to a new domain, the GUID will remain constant. It looks to me like GUID is the way to go unless you intend to authenticate against a NT4 AD server.

I'm not sure what to do here as I cannot accept my own answer for 2 days. Most in-depth explanation wins?

Answer

Jim Mitchener picture Jim Mitchener · Dec 16, 2009

According to SID vs. GUID ...

The reason for using SIDs at all, and not GUIDs, is for backward compatibility. Windows NT uses SIDs to identify users and groups in ACLs on resources.

That being said, I've decided to go with GUID. SIDs will actually change if you move a user to a new domain, the GUID will remain constant. So long as you don't plan on running your application against an NT4 AD server, GUID is the way to go.