I need a way to identify users that won't change if our e-mail or username naming conventions change; they have in the past. We use LDAP, but our international offices use Active Directory, so I'm a little green here.
I've noticed from a dump that all users have a unique value assigned to uSNCreated. Is this globally unique for a user? Will it change if any of their properties change? Is this my holy grail of unique identifiers for AD?!
@sysadmin1138's answer is a little misleading. uSNCreated is not related to time; it is unique only on the DC. It is the DC's "highestCommittedUsn + 1" at the time of object creation. He is probably mixing it up with whenCreated, which is a 64-bit number representing the number of 100 nanosecond intervals since 12:00 am January 1, 1601...and also not necessarily unique. He is however correct that objectGuid, along with objectSid, are best used to track objects through attribute changes. Both are always set on all user objects and will never change w/o deleting and recreating the object...at which time all bets are off for tracking the object!
Why not use the value that Microsoft uses - the SID? This is stored as a binary in the objectSid attribute. Another benefit of this is that should your users be moved between domains in the future, the objectSid will be stored in sIDHistory so you can reconcile the changes.
That field is actually a sneaky date-time field and is not guaranteed to be unique. A better field for this is 'objectGUID'. That IS unique.