Change User Logon Name in Active Directory Using PowerShell
IT administrators may need to change the user logon name in Active Directory with PowerShell or other means.
This is especially true if a user got married or has a misspelled name. Regardless of the situation, the administrator should not delay this relatively minor task anymore.
Such small mistakes can add up over time and make the AD less efficient for inter-user communication. However, with so many different attributes containing the word “name”, plus some less obvious ones like sn, CN, etc., even veteran administrators can get confused about what to change.
Moreover, many may not know the exact effects of changing AD usernames on their environment. Not to worry, as this write-up contains multiple methods. To start off, let’s see how the ADUC portal assists in renaming.
How to Rename User Account in Active Directory Users and Computers Snap-In
First, ensure that you have ADUC on your Active Directory like we did to export user group membership from AD previously. If not, install it via the Server Manager and then continue with the following steps:
- Open ADUC.
- Navigate to the Users container.
- Select the user account that needs to be renamed.
- Wait a second and click on its present name while it is selected. Alternatively, right-click on the user and select Rename.
- Once the name becomes editable, start typing the new full name and press Enter.
- The basic name change completes and the Rename User popup appears.
- In this window, you get access to some extra attributes to update. These include the first and last name, display name, and user logon name. Every single one of these can be different. However, note the following when you attempt the renaming:
- The default character limit is 64 so don’t exceed that. Although you can use all the Unicode characters, keep the new name as per your organization’s naming scheme.
- Don’t change the first name / last name after renaming the display name. It would automatically overwrite any changes made to the display name.
- Likewise, User Logon Name and User Logon Name (Pre-Windows 2000) have the same restriction: the pre-Windows 2000 name gets changed if you update the regular user logon name.
- After the changes, click on OK. You won’t be able to perform any other task until the Rename User window closes. If you hit the Cross or Cancel button, all the changes revert back to their original state.
Rename Additional Username Parameters via the Attribute Editor
- To change the various attributes at the attribute level, first click on View and ensure that the Advanced Features option is enabled.
- Then right-click on the user and select properties.
- In the Properties box, select the Attribute Editor tab.
Here you can edit all the regular renaming parameters as well as get some extra options not available in the default box. The options include:
| Attribute | Modified By | Description | Notes |
| --- | --- | --- | --- |
| adminDisplayName | Domain Administrator | Security principal display name used for administrative tools. | Not typically used for user display names. |
| canonicalName | N/A | Self-constructed default name that includes the path. | Cannot be changed manually. |
| cn (Common Name) | Domain Administrator (Creation) | Unique identifier within a domain or forest. | Only modifiable during creation. |
| displayName | Domain Administrator (Creation) | User-friendly display name. | Can be updated by account owner or administrator. |
| givenName (First Name) | Domain Administrator / Account Owner | User’s first name. | Either the account owner or administrator can update it. |
| initials | Domain Administrator / Account Owner | User’s initials. | Can be updated by the account owner or administrator. |
| middleName | N/A | Not a standard user account attribute in Active Directory. | May exist in custom configurations. |
| sAMAccountName | Domain Administrator (Creation) | Login name used for authentication. | Should not be changed after creation. |
| sn (Surname/Last Name) | Account Owner / Anyone with Write Permission | User’s last name. | Either the account owner or administrator can update it. |
| userPrincipalName (UPN) | Domain Administrator (Creation) | Unique user identifier for login (may include email address format). | Ideally, shouldn’t be changed after creation. |
Before moving to the command-line variations, we recommend that you check another GUI-based option on your Active Directory.
Use Active Directory Admin Center for Changing User Name in AD
- Type Admin Center in the Windows search bar and click on the first result.
- Click on the Users option below the domain controller.
- Select a user and click on Properties from the right-hand pane.
- Put in the New name values and click OK.
- Note that the OK button stays disabled until you make changes.
Next, we will provide you with the ability to perform individual user name updates via the command line.
How to Rename User Account in Active Directory Command Line
For single-user name changes, use:
dsmove "<value>" -newname "<value>"
Multi-user renaming can be done via:
dsquery user -name "<value>" | dsmod user -upn "<value>" -fn "<value>" -ln "<value>" -display "<value>"
A better way for multi-user renaming would be PowerShell. Let’s see why.
Change User Logon Name in Active Directory With PowerShell
For a single user, the PowerShell method is quite complicated. Its real use shines in specific scenarios like AD cross-forest migration, where the admin usually needs bulk renaming.
For that, prepare a CSV user list by running the professional AD reporting solution. And use the CSV output alongside the following script in the target domain.
Here is an example script that updates all user display names.
Get-ADUser -Filter 'Name -like "*"' -SearchBase '<container>' -Properties DisplayName | ForEach-Object { Set-ADUser $_ -DisplayName ($_.Surname + ' ' + $_.GivenName) }
Note that the Set-ADUser cmdlet is quite powerful, as it includes parameters to rename basically anything in a user account. The following name-related parameters are available for updating with this cmdlet.
- [-DisplayName] (describes how the user account is visible)
- [-GivenName] (specifies the user’s first name)
- [-Initials] (user’s initials)
- [-OtherName] (alternative name for the user)
- [-SamAccountName] (defines the login username)
- [-Surname] (specifies the user’s last name)
- [-UserPrincipalName] (defines the user’s login name, often including email format)
So make sure that you only use PowerShell if you have prior experience.
Best Practices While Changing a User’s Name in Active Directory
User renaming options depend a lot on the account status. However, active users need not worry; these accounts face no problem with any name-change procedure. The same goes for inactive accounts: either admins or the users themselves can log in and rename the account. Expired or deleted accounts present in the AD tombstone, however, may be subject to renaming restrictions.
To make sure that this does not happen when you try to bulk rename user accounts with PowerShell, check the account status before renaming. For that, the SysTools Active Directory Reporting Software is there to help you out. Use it to construct the CSV list of all user accounts that are under consideration.
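The bulk-rename step and the status check above, combined into one script. This is an added example, not the article's or any vendor's code; it assumes a CSV with the columns SamAccountName, NewGivenName, NewSurname and NewSamAccountName, a hypothetical function name Rename-AdUserFromCsv, and a UPN suffix you supply.

```powershell
# Assumed CSV columns: SamAccountName,NewGivenName,NewSurname,NewSamAccountName
Import-Module ActiveDirectory

function Rename-AdUserFromCsv {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $CsvPath,
        [Parameter(Mandatory)] [string] $UpnSuffix   # e.g. 'corp.example' (assumed value)
    )

    foreach ($row in Import-Csv -Path $CsvPath) {
        $result = [pscustomobject]@{ Account = $row.SamAccountName; Status = ''; Renamed = $false }

        # sAMAccountName is limited to 20 characters and a restricted character set;
        # validating here also keeps stray quotes out of the -Filter string below.
        if ($row.NewSamAccountName -notmatch '^[A-Za-z0-9._-]{1,20}$') {
            $result.Status = 'InvalidNewName'; $result; continue
        }

        # Resolve the current account; -Identity throws when it does not exist.
        try   { $user = Get-ADUser -Identity $row.SamAccountName }
        catch { $result.Status = 'NotFound'; $result; continue }

        # Best-practice check from the article: only rename active accounts.
        if (-not $user.Enabled) { $result.Status = 'Disabled'; $result; continue }

        # Refuse a new logon name or UPN that another object already holds.
        $newUpn = "$($row.NewSamAccountName)@$UpnSuffix"
        $clash  = Get-ADUser -Filter "SamAccountName -eq '$($row.NewSamAccountName)' -or UserPrincipalName -eq '$newUpn'" |
                  Where-Object { $_.ObjectGUID -ne $user.ObjectGUID }
        if ($clash) { $result.Status = "Conflict:$($clash.SamAccountName)"; $result; continue }

        # Unlike the ADUC dialog, -UserPrincipalName alone does not update the
        # pre-Windows 2000 logon name (sAMAccountName), so both are set here.
        $changes = @{
            GivenName         = $row.NewGivenName
            Surname           = $row.NewSurname
            DisplayName       = "$($row.NewSurname) $($row.NewGivenName)"
            SamAccountName    = $row.NewSamAccountName
            UserPrincipalName = $newUpn
        }
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "rename to $newUpn")) {
            Set-ADUser -Identity $user @changes
            $result.Renamed = $true
        }
        $result.Status = if ($result.Renamed) { 'Renamed' } else { 'Skipped' }
        $result
    }
}
```

Run `Rename-AdUserFromCsv -CsvPath .\renames.csv -UpnSuffix 'corp.example' -WhatIf` first to see every planned change without touching AD; then run it without -WhatIf and pipe the output to Export-Csv to keep a per-account log for the verification step.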
Moreover, as the tool uses the SID, it is able to detect all user-level changes, including this one. It presents the operation output in an easy-to-share CSV format. Admins get a simple boolean answer in front of those accounts that underwent a renaming procedure.
Other than using a detection tool, you can set up a custom renaming admin role for your AD. It is nothing but a user account with delegated privileges. It’s just that its scope is to rename other users.
You can’t update self-constructed parameters like the common name. Attempting to do so will trigger the following error.
The biggest concern about renaming an account comes from the external apps that use the account name as an identifying criterion.
If they don’t update alongside them, then you might witness a loss in functionality. Therefore, administrators must ensure that this does not happen.
Moreover, as the internal AD processes sync in real time, there is no change in user behavior inside the AD. If the UPN / logon name changes, however, users will need to use the new one to access their account.
Conclusion
So now admins have all the techniques at their disposal to not only change user logon name in Active Directory but check the changes as well. No matter which method you opt for, to verify this user modification, use the tool described earlier. It gives you an external confirmation whenever you update the way a user is displayed inside an AD.
Frequently Asked Questions on How to Change Username in AD
Q. Is it possible to change the UPN of a user without affecting their email address?
Yes, the UPN and email address are distinct parameters and can have independent values. At the time of user creation, the email address automatically borrows the UPN. As per best practice, keep both parameters the same to maintain consistency.
Q. Are there any additional steps to handle name changes for users with admin privileges?
While changing names for admin accounts:
- Schedule the change during a maintenance window.
- Have a backup admin account ready.
- Immediately test access to critical systems after the change.
- Update any scripts or scheduled tasks that reference the admin account.
- Inform other IT staff about the change.
Q. How to perform name changes that arise due to live events like marriage or divorce?
For most intents and purposes, there is no major change in the approach. However, admins must work alongside HR to ensure the following:
- Keep a dedicated portal so any user can initiate a new request.
- Collect all necessary information (new legal name, preferred display name, etc.) beforehand.
- Schedule the change at a convenient time for the user.
- Update all relevant attributes (displayName, givenName, sn, mail, etc.).
- Provide the user with a checklist of systems they may need to update themselves (e.g., email signature).