Active Directory Username Restrictions: Valid Characters and Special Character Handling in User Naming

Active Directory imposes specific restrictions on username strings that differ from general password policies. The complete set of rules isn't always clearly documented in Microsoft's official documentation, leading to confusion among developers working with AD integration.

The following characters are explicitly prohibited in Active Directory usernames:

" / \ [ ] : ; | = , + * ? < >

Additionally, leading periods (.) or spaces are not permitted. The single quote (') character is allowed in usernames, contrary to some misconceptions.

When programmatically validating usernames in your application, consider this PowerShell validation function:

function Test-ValidADUsername {
    param([string]$Username)
    # Character class of the prohibited characters listed above. Inside a .NET
    # character class only '\' and ']' need escaping; [Regex]::Escape() does not
    # escape ']', so a class built from its output would be closed early.
    if ($Username -match '["/\\\[\]:;|=,+*?<>]') {
        return $false
    }
    # Reject a leading space or period (and a trailing period); periods elsewhere are allowed
    return $Username -notmatch '^[\s.]|\.$'
}

Be aware that while the core AD service allows certain characters, some applications or protocols (like LDAP) may require additional escaping:

# LDAP filter escaping example
function Escape-LdapFilter {
    param([string]$Filter)
    # Backslash must be handled first, or the escapes added below would be escaped again.
    # A PowerShell line that begins with '.' is parsed as dot-sourcing, not as a continuation
    # of the previous method chain, so each step is assigned separately.
    $escaped = $Filter.Replace('\', '\5c')
    $escaped = $escaped.Replace('*', '\2a')
    $escaped = $escaped.Replace('(', '\28')
    $escaped = $escaped.Replace(')', '\29')
    $escaped = $escaped.Replace("`0", '\00')   # NUL, the remaining RFC 4515 metacharacter
    $escaped = $escaped.Replace('/', '\2f')
    return $escaped
}

  • Always normalize usernames before comparison (case-insensitive)
  • Implement client-side validation using regex: ^[^"/\\\[\]:;|=,+*?<>\s.][^"/\\\[\]:;|=,+*?<>]*$
  • Consider UPN (user@domain) format for maximum compatibility

Watch for these specific scenarios that often cause issues:

# Problematic username patterns
Bad: "admin@domain" (contains @)
Bad: ".hiddenuser" (leading dot)
Bad: "user name" (contains space)

# Valid but problematic
Valid but tricky: "O'Reilly" (contains apostrophe)
Valid but tricky: "user_name" (underscore is allowed)
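To see those rules applied, here is an added validation example (not code from the original post) that reports which rule a candidate samAccountName breaks, run over the patterns listed above. The function name Test-SamAccountName and the sample inputs are constructed for this example; the prohibited-character set combines the list above with the '@' sign, and any whitespace is treated as a failure because "user name" is listed as bad.

```powershell
function Test-SamAccountName {
    # Added example (not from the page): checks a candidate samAccountName
    # against the rules given above and returns the first failing rule, or $null.
    param([AllowEmptyString()][string]$Name)

    if ([string]::IsNullOrEmpty($Name)) { return 'empty' }
    # Prohibited set from the list above plus '@'. Inside a .NET character
    # class only '\' and ']' need escaping.
    if ($Name -match '["/\\\[\]:;|=,+*?<>@]') {
        return "prohibited character '$($Matches[0])'"
    }
    if ($Name -match '^[\s.]') { return 'leading space or period' }
    # The page lists "user name" as bad, so any whitespace is treated as a failure.
    if ($Name -match '\s')     { return 'contains whitespace' }
    # Pre-Windows 2000 logon names are limited to 20 characters.
    if ($Name.Length -gt 20)   { return 'longer than 20 characters' }
    return $null
}

# Constructed inputs, including the page's own examples
$samples = @('admin@domain', '.hiddenuser', 'user name', "O'Reilly", 'user_name',
             "J.O'Brian_IT-Admin", 'user\with\backslash', 'averyveryverylongusername')
foreach ($s in $samples) {
    $reason  = Test-SamAccountName -Name $s
    $verdict = if ($reason) { "invalid: $reason" } else { 'valid' }
    '{0,-28} {1}' -f $s, $verdict
}
```

Returning the failing rule rather than a bare $true/$false makes the check usable in a provisioning script's error message, and the checks are ordered so the most specific reason (a prohibited character) is reported before the generic ones.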

When configuring Active Directory usernames (samAccountName attribute), Microsoft enforces specific character restrictions that differ from regular display names. The complete technical specifications aren't well-documented in official sources, but through extensive testing and community knowledge, we've compiled the definitive rules.

The following characters are never allowed in AD usernames:

" / \ [ ] : ; | = , + * ? < > @

The single quote (') is actually permitted, but requires special handling in scripts.

These characters are technically allowed but can cause issues:

'  ~ ! # $ % ^ & ( ) _ - { } . 

Example of problematic but valid username:

J.O'Brian_IT-Admin

Here's a PowerShell validation function:

function Test-ADUsername {
    param([string]$Username)
    # Characters that are invalid in Windows file names (control characters plus
    # " < > | : * ? \ /) combined with the remaining AD-prohibited characters.
    # Note that this check rejects a space anywhere in the name, not only a leading one.
    $invalidChars = [System.IO.Path]::GetInvalidFileNameChars() +
                   [char[]]@(' ', '"', '/', '\', '[', ']', ':', ';', '|', '=', ',', '+', '*', '?', '<', '>', '@')
    # IndexOfAny returns -1 when none of the characters occur in the string
    return $Username.IndexOfAny($invalidChars) -eq -1
}

1. Always trim whitespace from both ends
2. Convert to lowercase for consistency
3. Replace spaces with underscores or remove them
4. Limit length to 20 characters for compatibility

Example of safe username generation:


$rawName = " John Q. Public-Jones Jr "   # constructed sample input
# Trim, replace anything other than word characters, '.' and '-' with '_', then lowercase
$cleanName = ($rawName.Trim() -replace '[^\w\.-]','_').ToLower()
# samAccountName for user objects is limited to 20 characters
if ($cleanName.Length -gt 20) {
    $cleanName = $cleanName.Substring(0,20)
}
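The four steps above combined into one function, as an added example that is not from the original post; New-SamAccountName and the sample display names are constructed for it. It goes a little further than the snippet above by folding accented letters to their base letter before sanitising, by removing a leading period (which AD rejects), and by tidying the end of a truncated name.

```powershell
function New-SamAccountName {
    # Added example (not from the page): derives a candidate samAccountName from a
    # display name following the four steps above, plus the leading-period rule.
    param([Parameter(Mandatory)][string]$DisplayName)

    # Step 1: trim. Then split accented letters from their accents (Unicode FormD) and
    # drop the accent marks, so 'José' becomes 'Jose' instead of 'Jos_'.
    $decomposed = $DisplayName.Trim().Normalize([Text.NormalizationForm]::FormD)
    $folded = -join ($decomposed.ToCharArray() | Where-Object {
        [Globalization.CharUnicodeInfo]::GetUnicodeCategory($_) -ne [Globalization.UnicodeCategory]::NonSpacingMark
    })

    # Steps 2 and 3: lowercase; replace everything outside a-z, 0-9, '.', '_' and '-' with '_'
    # (this also replaces the apostrophe, which AD accepts but which complicates scripting);
    # then collapse runs of '_' left by consecutive spaces or punctuation.
    $name = ($folded.ToLower() -replace '[^a-z0-9._-]', '_') -replace '_{2,}', '_'

    # AD does not permit a leading period.
    $name = $name -replace '^\.+', ''

    # Step 4: samAccountName for user objects is limited to 20 characters.
    if ($name.Length -gt 20) { $name = $name.Substring(0, 20) }
    # Truncation can leave a dangling '_' or '.'; drop it.
    $name = $name -replace '[._]+$', ''

    if ($name.Length -eq 0) { throw "No usable characters in '$DisplayName'" }
    return $name
}

# Constructed sample display names
foreach ($d in @(" José O'Brian ", 'Mary-Anne van der Berg-Smythe', '...dotted.user', 'Zoë Ångström')) {
    '{0,-32} -> {1}' -f $d, (New-SamAccountName -DisplayName $d)
}
```

Generating a name this way does not guarantee uniqueness; a provisioning script still has to check the result against the directory before creating the account.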

When querying AD with special characters, proper escaping is crucial:

# Looking up a username that contains an apostrophe.
# Inside a single-quoted PowerShell string a doubled single quote yields one literal
# apostrophe; the LDAP filter itself does not require the apostrophe to be escaped.
$escapedName = 'John O''Brien'
$filter = "(&(objectCategory=user)(samAccountName=$escapedName))"
# $filter can be passed as-is to Get-ADUser -LDAPFilter
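Bringing the LDAP escaping points together (the escaping function earlier on the page and the apostrophe case just above), here is an added example that is not from the original posts. It escapes a value per RFC 4515 using a regex match evaluator, builds the samAccountName filter from it, and shows that an apostrophe passes through untouched while '*', '(' and ')' are neutralised. The function names ConvertTo-LdapFilterValue and New-SamAccountNameFilter and the sample names are constructed for this example.

```powershell
function ConvertTo-LdapFilterValue {
    # Added example (not from the page): escapes an attribute value for use inside
    # an LDAP search filter per RFC 4515. Only '\', '*', '(', ')' and NUL need
    # escaping; each becomes a backslash followed by its two-digit hex code.
    param([AllowEmptyString()][string]$Value)
    [regex]::Replace($Value, '[\\*()\x00]', {
        param($m)
        '\' + ('{0:x2}' -f [int][char]$m.Value)
    })
}

function New-SamAccountNameFilter {
    # Builds the same filter shape the page uses, with the value escaped first.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $escaped = ConvertTo-LdapFilterValue -Value $SamAccountName
    "(&(objectCategory=user)(samAccountName=$escaped))"
}

# Constructed inputs: the apostrophe needs nothing, while '*', '(' and ')' are
# escaped so they cannot alter the structure of the filter.
foreach ($n in @("O'Brien", 'svc_backup*', 'smith (contractor)')) {
    New-SamAccountNameFilter -SamAccountName $n
}
# Each result can be passed directly to Get-ADUser -LDAPFilter
```

Escaping at the point where the value is placed into the filter, rather than trying to validate the username beforehand, is what keeps a lookup correct for names that AD legitimately accepts but that happen to contain filter metacharacters.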