What is the best security practice for creating/changing user names/IDs?

I know of no security benefit of changing user names and IDs and can not find anything written which supports it. In fact, quite the opposite, in most organizations users have too many user names/IDs and in the interests of management and maintenances and security the goal is to identify all user IDs that are the same person. Think of changing your name in the real world. The benefit to a name change (other than legal issues such as marriage, divorce) is to confuse creditors, escape debt and other legal issues, to disguise yourself while committing a crime, etc. Also, when legal name changes are made, it is often time-consuming and problematic to get all your credit cards, history and ownership etc moved to the new name. Similar issues exist in IT.

That said, there may be a reason to do so, if for example you have identified a specific ID with a web site logon and saved it in Windows, you may need to change it to match a new identity give to you by the web site. A procedure for doing so can be found at http://support.microsoft.com/default.aspx?scid=kb;en-us;q306541&sd=tech.

Finally, it might be wise to establish a security policy that prohibits or restricts name changes unless there are accompanying legal practices, or some consolidation, or move to single sign on, or merger with other systems that use different naming conventions is required.