views: 100
answers: 3

A C# application I am developing needs to store some metadata for any users of the application (e.g. for App Preferences, Permissions, etc.). We are using AD for authorisation/authentication.

Is it better to store the SID or the DOMAIN/Username in the application database to identify an AD Account?

+1  A: 

I've done this both ways...

  • If you store the SID, then you can rename the account without breaking the app, but it's not human readable.
  • If you store the username, then it's easy to read, but you have to update your data if the account gets renamed.
David
For my particular project I have decided to store the username. The main reason is that this initial release will require direct editing in the database. At some point I will write an account management screen, with the aim of migrating to using SIDs.
eyesnz
+2  A: 

I'd store the SID, and use LookupAccountSID when/if you need to display the name associated with that account.

Jerry Coffin
+1  A: 

We've built a small class to concatenate the two and only compare on the sid. The format is similar to the following string:

"Domain\\User\nS-1-5-21-...........-1129"

This allows us to have 'friendly' names in the database and debugger, yet all bindings are actually on the sid part of the value.

What happens when the user name changes you ask? The data is stale and stays that way :)

BTW, if you do something like this make sure you can't get the 'display name' out of the object since you don't want it to be displayed to a user as it may be stale. Instead provide a LookupUserName() routine that performs the correct resolution of the SID to an account name.

Lastly, be sure to store the SID however you do it. You don't want to store JDoe and then, when Jane quits and John starts a month later, he suddenly has access?

csharptest.net
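The two SID-based approaches above (Jerry Coffin's "store the SID, look up the name on display" and csharptest.net's combined name-plus-SID value that compares only on the SID) can both be expressed with the managed `System.Security.Principal` types, so no P/Invoke to `LookupAccountSid` is needed. The following is an added example written for this page; it is not code from the question, from any of the answerers, or from csharptest.net's library. The `AccountRef` class, its `"Domain\\User\nS-1-5-..."` storage format, and the sample SID digits are assumptions made for illustration; the name/SID translation calls (`SecurityIdentifier.Translate`, `NTAccount.Translate`) are the real .NET API and only succeed on a Windows machine that can reach the domain.

```csharp
using System;
using System.Security.Principal;

// Added example (hypothetical class): carries the SID plus a possibly stale
// display name, compares and hashes on the SID only, and deliberately does
// not expose the stored name so callers cannot show stale data to a user.
public sealed class AccountRef : IEquatable<AccountRef>
{
    public SecurityIdentifier Sid { get; }
    private readonly string _staleName;   // kept only for readability in the DB/debugger

    public AccountRef(SecurityIdentifier sid, string staleName)
    {
        Sid = sid ?? throw new ArgumentNullException(nameof(sid));
        _staleName = staleName ?? string.Empty;
    }

    // Parse the "Domain\User" + '\n' + "S-1-5-..." storage format from the answer above.
    public static AccountRef Parse(string stored)
    {
        int nl = stored.IndexOf('\n');
        if (nl < 0) throw new FormatException("expected <name>\\n<SID>");
        return new AccountRef(new SecurityIdentifier(stored.Substring(nl + 1)),
                              stored.Substring(0, nl));
    }

    public string ToStorageString() => _staleName + "\n" + Sid.Value;

    // Equivalent of LookupAccountSid: resolve the SID to the account's *current* name.
    // Returns null when the account no longer exists or the domain cannot be reached,
    // which lets the application flag orphaned rows instead of showing a stale name.
    public string LookupUserName()
    {
        try
        {
            return ((NTAccount)Sid.Translate(typeof(NTAccount))).Value;
        }
        catch (IdentityNotMappedException)
        {
            return null;
        }
    }

    // Equivalent of LookupAccountName: build a reference from "DOMAIN\user".
    // The SID is what gets persisted, so a later account with the same name
    // (Jane leaves, John is created as JDoe) gets a different SID and does not match.
    public static AccountRef FromAccountName(string domainQualifiedName)
    {
        var account = new NTAccount(domainQualifiedName);
        var sid = (SecurityIdentifier)account.Translate(typeof(SecurityIdentifier));
        return new AccountRef(sid, domainQualifiedName);
    }

    public bool Equals(AccountRef other) => other != null && Sid.Equals(other.Sid);
    public override bool Equals(object obj) => Equals(obj as AccountRef);
    public override int GetHashCode() => Sid.GetHashCode();
    public override string ToString() => Sid.Value;   // never the stale name
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample rows; the SID digits are a placeholder, not a real account.
        var row1 = AccountRef.Parse("CONTOSO\\jdoe\nS-1-5-21-1111111111-2222222222-3333333333-1129");
        var row2 = AccountRef.Parse("CONTOSO\\jane.doe\nS-1-5-21-1111111111-2222222222-3333333333-1129");
        Console.WriteLine(row1.Equals(row2));   // True: renamed account, same SID

        // Resolvable on any Windows box: the built-in Administrators group.
        var admins = new AccountRef(
            new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null), "stale");
        Console.WriteLine(admins.LookupUserName() ?? "<unresolved>");

        // Round trip for the interactive user (requires Windows and domain/local lookup).
        var me = AccountRef.FromAccountName(WindowsIdentity.GetCurrent().Name);
        Console.WriteLine(me.ToStorageString());
    }
}
```

Because `Equals` and `GetHashCode` ignore the name part, a row written as `CONTOSO\jdoe` still matches the same principal after a rename, and a row whose `LookupUserName()` returns null can be treated as belonging to a deleted account rather than silently granting access to whoever later receives the same username.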