12

Is there a way to set the default UPN suffix for creating new users an Active Directory?

For example, if I have corp.mydomain.com as my AD domain, and I've added an alternate UPN suffix under Domains and Trusts that is just mydomain.com, is there any way to have that domain be the default when creating new users?

I know I can just create a template user and then when I copy it, it will have the right default suffix, but just curious as to whether there was a hidden setting that would control this.

Mark Henderson
Adam Brand

5 Answers

12

This can't be done as far as I know (Evan's answer is still true 4 years later).

That said, I've written a script that runs in task scheduler every few hours at more than one client. It searches for a specific suffix (the default in most cases) and switches it to another. The script is on my blog but I'll post it here as well :)

Import-Module ActiveDirectory

# Find every user under the OU whose UPN still carries the suffix ADUC hands out by default.
Get-ADUser -Filter {UserPrincipalName -like "*@ad.example.com"} -SearchBase "OU=SomeUserOu,DC=ad,DC=example,DC=com" |
ForEach-Object {
    # -replace is a case-insensitive regex (unlike the .NET .Replace() method), and anchoring
    # on "@...$" means only the suffix is rewritten, never a matching substring elsewhere in the UPN.
    $UPN = $_.UserPrincipalName -replace '@ad\.example\.com$', '@example.com'
    Set-ADUser $_ -UserPrincipalName $UPN
}

In this case, users created with an ad.example.com UPN suffix will be updated with example.com suffix.

Esa Jokinen
MDMarra
  • I got to thinking about using AD change notifications to do this kind of thing in realtime but that would be silly overkill. – Evan Anderson Oct 15 '13 at 16:38
  • UPN is becoming more and more important with O365 and dirsync requirements for ADFS SSO. You'd think there'd be something baked in by now :) – MDMarra Oct 15 '13 at 16:44
  • Sometimes I think I'm the only person actually _using_ Microsoft's products. >smile< I'm getting ready to do my first Office365 implementation in the next couple of weeks (complete w/ hybrid on-site/off-site Exchange) so I'll get to experience all of that ADFS SSO and DirSync fun soon enough. – Evan Anderson Oct 15 '13 at 17:31
  • I don't do O365 directly (we have a couple collab guys on staff), but I've done some Intune work which uses the same Azure tenant AD. I hope your first ride is smoother than mine was :) – MDMarra Oct 15 '13 at 17:47
  • Adding a note that the .Replace is case sensitive, so if the UserPrincipalName is "username@AD.Example.com", it won't match the string of "ad.example.com". This can be fixed by adding a .toLower() method first like this: $UPN = $_.UserPrincipalName.toLower().Replace("ad.example.com","example.com") – Chad Rexin Dec 04 '17 at 21:45
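A hardened variant of the same suffix swap, added here as an example rather than taken from the answer or its blog: it refuses to write a suffix that is not actually registered in the forest, matches the old suffix regardless of case, and honours -WhatIf so the changes can be previewed before the scheduled run. The OU path and the two suffixes are the answer's placeholders.

```powershell
# Added example (not MDMarra's script): case-insensitive, anchored suffix swap that only
# writes a suffix configured under CN=Partitions and supports -WhatIf via ShouldProcess.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$OldSuffix  = 'ad.example.com',                       # suffix ADUC assigns by default
    [string]$NewSuffix  = 'example.com',                          # suffix users should end up with
    [string]$SearchBase = 'OU=SomeUserOu,DC=ad,DC=example,DC=com' # placeholder OU from the answer
)

Import-Module ActiveDirectory

# The domain's own DNS name is always a valid suffix even though it is not listed in
# uPNSuffixes; every other suffix must be registered on the Partitions container.
$partitions = Get-ADObject "CN=Partitions,$((Get-ADRootDSE).configurationNamingContext)" -Properties uPNSuffixes
$allowed = @((Get-ADDomain).DNSRoot) + @($partitions.uPNSuffixes)
if ($allowed -notcontains $NewSuffix) {
    throw "'$NewSuffix' is not a configured UPN suffix (allowed: $($allowed -join ', '))"
}

# LDAP filters are case-insensitive, so user@AD.Example.com is found as well.
$users = Get-ADUser -Filter "UserPrincipalName -like '*@$OldSuffix'" -SearchBase $SearchBase

foreach ($user in $users) {
    # -replace is a case-insensitive regex; anchoring on '@...$' touches only the suffix.
    $newUpn = $user.UserPrincipalName -replace "@$([regex]::Escape($OldSuffix))$", "@$NewSuffix"
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Set UPN $($user.UserPrincipalName) -> $newUpn")) {
        Set-ADUser -Identity $user -UserPrincipalName $newUpn
        Write-Verbose "Updated $($user.SamAccountName): $newUpn"
    }
}
```

Run it once with -WhatIf -Verbose to see which accounts would change, then schedule it without -WhatIf.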
9

There is no documented mechanism that I am aware of to change the default UPN suffix that gets chosen by Active Directory Users and Computers. I believe that the tool is hard-wired to take the first portion of the "canonicalName" attribute defined on the "crossRef" object for the domain specified in "CN=Partitions,CN=Configuration, ..." in your forest.

AD Users and Computers just happens to be hard-wired to do this. If you create user accounts using other means ("NET USER ... /add", for example) then no userPrincipalName attribute will be assigned to the account. The default UPN suffix is really just a default in AD Users and Computers, not a default of the directory service itself.

Should you run into the Microsoft KB article with a script in it that shows you how to programmatically obtain the default UPN suffix (http://support.microsoft.com/default.aspx?scid=kb;en-us;Q269441), beware that the script has a couple of syntax errors in it (lines 17 and 32 are malformed and srrNamingContext on line 32 should be strNamingContext). I'll include a fixed version with a minor improvement at the end of this post (it shows you the names of individual OUs where additional UPN suffixes might be defined).

I'd love to be corrected by somebody more "in the know" than me, but I'm not seeing any way to get AD Users and Computers to act differently.

' --- Get the naming contexts ---
Set RootDSE = GetObject("LDAP://RootDSE")
strNamingContext = RootDSE.Get("defaultNamingContext")
strConfigContext = RootDSE.Get("configurationNamingContext")

' --- Bind to the domain head and to the Partitions container ---
Set oDomain = GetObject("LDAP://" & strNamingContext)
strDomainName = oDomain.Get("name")
Set oPartition = GetObject("LDAP://CN=Partitions," & strConfigContext)

' --- Get the DNS name of the domain ---
' canonicalName is a constructed attribute, so it has to be requested explicitly.
oDomain.GetInfoEx Array("canonicalName"), 0
strCanonical = oDomain.Get("canonicalName")
strDNSName = Left(strCanonical, Len(strCanonical) - 1) ' clip off the trailing "/"

' --- Display the default UPN suffix (the one AD Users and Computers preselects) ---
WScript.Echo strDNSName

' --- Display the alternate suffixes defined forest-wide on CN=Partitions ---
suffixes = oPartition.GetEx("uPNSuffixes")
For Each upnSuffix In suffixes
    WScript.Echo upnSuffix
Next
Set RootDSE = Nothing
Set oDomain = Nothing
Set oPartition = Nothing

' --- Get the uPNSuffixes defined on organizational units ---
Set ADOconn = CreateObject("ADODB.Connection")
Set ADOcom = CreateObject("ADODB.Command")

ADOconn.Provider = "ADsDSOObject"
bstrADOQueryString = "<LDAP://" & strNamingContext & ">;(objectCategory=organizationalUnit);uPNSuffixes,ADsPath;subtree"
WScript.Echo bstrADOQueryString
ADOconn.Open
ADOcom.ActiveConnection = ADOconn

ADOcom.CommandText = bstrADOQueryString
ADOcom.Properties("Page Size") = 99 ' page the results so a large domain does not hit the server size limit

Set objRS = ADOcom.Execute

While Not objRS.EOF
    ' Most OUs carry no uPNSuffixes at all, so the field is Null for them.
    If Not IsNull(objRS.Fields("uPNSuffixes")) Then
        upnsuffixes = objRS.Fields("uPNSuffixes")
        For Each upnsuffix In upnsuffixes
            WScript.Echo objRS.Fields("ADsPath") & " - Suffix: " & upnsuffix
        Next
    End If
    objRS.MoveNext
Wend

Set objRS = Nothing
Set ADOcom = Nothing
Set ADOconn = Nothing
Evan Anderson
  • I was hoping there was some registry entry or something. I'll mark this as correct if no one else chimes in with anything in the next 24h. – Adam Brand Jul 26 '09 at 15:45
  • In our case we run a daily script which checks UPN of each user and if they don't have standard naming, it changes them to standard. This script looks at many attributes and corrects them if required. – KAPes Aug 10 '09 at 02:23
  • @KAPes: That's a neat idea. At sites where multiple delegated AD administrators create user accounts I've normally deployed scripts to do most of the provisioning chores. Still, I could see scripting up some LDAP queries to generate "Hey, dummy-- you provisioned this wrong!" emails (or, obviously, to fix things automatically when the computer has enough information to do it automatically). – Evan Anderson Aug 10 '09 at 02:44
  • Evan's answer is still correct. Some have also suggested setting the uPNSuffixes attribute on the OU. This will simply override the list uPNSuffixes set on the domain but will still default to the canonicalName of the domain. – charleswj81 Oct 15 '13 at 16:01
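The same inventory Evan's VBScript produces (default suffix from the domain's canonicalName, forest-wide suffixes from CN=Partitions, per-OU uPNSuffixes), rewritten with the ActiveDirectory module as an added example; it is not Evan's code and assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example (not Evan's script): enumerate every place a UPN suffix can come from.
Import-Module ActiveDirectory

function Get-UpnSuffixInventory {
    $rootDse  = Get-ADRootDSE
    $domainDn = $rootDse.defaultNamingContext
    $configDn = $rootDse.configurationNamingContext

    # The suffix ADUC preselects: the domain's canonicalName minus its trailing "/",
    # exactly the value Evan's VBScript derives.
    $domain = Get-ADObject -Identity $domainDn -Properties canonicalName
    [pscustomobject]@{ Scope = 'DomainDefault'; Source = $domainDn; Suffix = $domain.canonicalName.TrimEnd('/') }

    # Forest-wide alternates, stored on CN=Partitions (what Domains and Trusts edits).
    $partitions = Get-ADObject -Identity "CN=Partitions,$configDn" -Properties uPNSuffixes
    foreach ($s in @($partitions.uPNSuffixes)) {
        if ($s) { [pscustomobject]@{ Scope = 'Forest'; Source = $partitions.DistinguishedName; Suffix = $s } }
    }

    # Per-OU overrides: any OU in the domain that has its own uPNSuffixes attribute set.
    Get-ADOrganizationalUnit -Filter 'uPNSuffixes -like "*"' -SearchBase $domainDn -Properties uPNSuffixes |
        ForEach-Object {
            $ou = $_
            foreach ($s in $ou.uPNSuffixes) {
                [pscustomobject]@{ Scope = 'OU'; Source = $ou.DistinguishedName; Suffix = $s }
            }
        }
}

Get-UpnSuffixInventory | Format-Table -AutoSize
```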
0

You can set the allowed UPN Suffixes, by going into ADSIEDIT.MSC, plug down to the OU Structure, right click the OU (in the default configuration), and edit the OU Attributes. The OU Attribute to edit is UPNSuffixes. This does not, however, affect the default UPN assigned to a user created within that OU. Add the desired UPN Suffix to this list. Next, create a template user to Copy. Right click the OU, create a new user to use as a template, assign the correct UPN Suffix, and then right click the user once created and disable the account. To create a new user, right click the template user and copy, fill out the selected fields, and the new user will be created with the proper UPN. Create multiple template users for the different UPNs. Or, if in doubt, switch to PowerShell.

-3

Actually, you can run in the Active Directory Module for PowerShell: Set-ADOrganizationalUnit "OU=XXX,DC=Domain,DC=com" -Add @{upnsuffixes="@UPNSuffix.com"}.

Or you could use a "Get-ADOrganizationalUnit" with a -Filter switch and pipe that to a 'Set-ADOrganizationalUnit -Add @{upnsuffixes="@UPNSuffix.com"}'

I found this after looking for quite a while, so I hope this helps anyone.

-4

This technet article describes how to add or remove UPN suffixes in your domain:

http://technet.microsoft.com/en-us/library/cc756018(WS.10).aspx

There's also a discussion of it here:

http://technet.microsoft.com/en-us/library/cc739093(WS.10).aspx

I can't vouch for it personally as I've never had to do this, but one thing does spring to mind. If you're going to do this you'll need to bear in mind that while AD will work correctly, the same might not be the case for any third-party software you have, which may assume that the UPN suffix is always the standard one. Consider the consequences carefully before making the change, in other words.

JJS
Maximus Minimus