I’m working on a user permissions system for an internal admin webapp. I had the idea to use users’ Active Directory GUIDs to match permissions with users instead of using their usernames. This is done in case they change their username – I’ve been assured this will happen often enough.
Then I started to wonder: instead of worrying about the GUID and using it to resolve their username, does Active Directory keep a record of previous usernames?
If it did, when an unknown user tries to connect, we can check if their previous username has permissions set up and update the database with their username automatically.
No, Active Directory does not keep a history of prior user names. Using the GUID is absolutely the best thing that you can do.
In fact, when our company ran into a similar issue several years ago, we ended up building our own “AD Snapshot Writer” that would poll AD periodically for the changes, calculate deltas, and store the results for the attributes that we needed (user name, e-mail addresses, etc.) in a database with temporal attributes.
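An added example, not part of the question or answer above: a permission store keyed on objectGUID as the answer recommends, written in Python against a constructed stand-in for the LDAP search result (no directory connection; the python-ldap/ldap3 call is left out). It also covers two details that commonly go wrong when handling objectGUID: the little-endian byte order of the raw attribute, and the RFC 4515 escaping needed to search by it.

```python
import uuid


def objectguid_to_str(raw: bytes) -> str:
    """Canonical string for a 16-byte objectGUID. AD stores the first three
    fields little-endian, so bytes_le gives what ADSI Edit displays."""
    return str(uuid.UUID(bytes_le=raw))


def guid_ldap_filter(guid_str: str) -> str:
    """LDAP filter matching a user by objectGUID. Raw bytes must be escaped
    as \\xx (RFC 4515); filtering on the dashed string form matches nothing."""
    raw = uuid.UUID(guid_str).bytes_le
    return "(objectGUID=" + "".join(f"\\{b:02x}" for b in raw) + ")"


class PermissionStore:
    """Permissions keyed by objectGUID; the username is only a cached label."""

    def __init__(self):
        self._by_guid = {}  # guid string -> {"username": str, "roles": set}

    def grant(self, guid_str, username, role):
        rec = self._by_guid.setdefault(
            guid_str, {"username": username, "roles": set()})
        rec["roles"].add(role)

    def username_for(self, guid_str):
        rec = self._by_guid.get(guid_str)
        return rec["username"] if rec else None

    def authorize(self, ad_entry):
        """ad_entry mimics an LDAP result with raw attributes:
        {"objectGUID": bytes, "sAMAccountName": str}. Unknown GUIDs get no
        roles; a renamed account keeps its roles and the cached name is updated."""
        guid_str = objectguid_to_str(ad_entry["objectGUID"])
        rec = self._by_guid.get(guid_str)
        if rec is None:
            return set()
        if rec["username"] != ad_entry["sAMAccountName"]:
            rec["username"] = ad_entry["sAMAccountName"]
        return set(rec["roles"])


# Constructed sample: "admin" granted under the old name "jdoe"; the same
# account then logs in after a rename to "jsmith". The GUID is made up.
SAMPLE_GUID = "12345678-1234-5678-1234-567812345678"
SAMPLE_LOGIN = {"objectGUID": uuid.UUID(SAMPLE_GUID).bytes_le,
                "sAMAccountName": "jsmith"}
```

In a real deployment the `ad_entry` dict would come from an LDAP search returning `objectGUID` and `sAMAccountName` for the authenticated user, and `guid_ldap_filter` is what you would pass to look an account up by a stored GUID.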