Active Directory

Concepts

sAMAccountName

Inside a domain there can be only one unique sAMAccountName. It is not possible to have multiple users with the same sAMAccountName inside a single domain. The same sAMAccountName can exist in multiple domains of the same AD domain forest. In AD Users and Computers the sAMAccountName is the User logon name (pre-Windows 2000).

userPrincipalName

Microsoft has a detailed article about the restrictions of the userPrincipalName.

The userPrincipalName is not a mandatory attribute and can be empty. Empty UPNs are considered bad practice. NADI does not support empty userPrincipalNames.

The AD Users and Computers MMC does not allow multiple user objects to have the same userPrincipalName. With code (e.g. PowerShell) you can still force multiple users to have the same userPrincipalName. Duplicate UPNs are considered bad practice. NADI does not support multiple users having the same userPrincipalName.

The userPrincipalName consists of the username and its suffix, separated by an ‘@’ character. The same UPN username can exist with different UPN suffixes across the domains of an AD domain forest.

For an AD domain, multiple suffixes (UPN suffixes) can be defined. A UPN suffix has to be unique inside an AD domain forest. In AD Users and Computers the userPrincipalName is the User logon name; the administrator can select one of the defined UPN suffixes.

GUID

A user’s GUID is globally unique. Inside an AD domain forest there will be no two users with the same GUID. The GUID is not structured: you cannot derive any information (like the user’s parent domain) from it. The GUID does not change during the lifetime of the user’s AD object.

Object SID

The user’s object SID is unique across the domains of the AD forest. The user’s parent domain SID can be derived from the user’s SID; see “How do I convert a SID between binary and string forms?” for more details. If a user is moved to a different domain, the object SID will change, and the previous SID is added to the sIDHistory attribute.

Distinguished Name

The distinguished name is unique across all users of the AD domain forest.

Relation between userPrincipalName and sAMAccountName

There is no relationship between the two identifiers. The username part of the userPrincipalName can be completely different from the sAMAccountName.

Login

Users can log in with their userPrincipalName, sAMAccountName, distinguished name, or GUID.