User accounts in Active Directory have two types of logon credentials: pre-Windows 2000 (or the so called down-level) logon name, and UPN (User Principal Name). The UPN is the preferred logon method, according to Microsoft documentation. By convention, the UPN should map the user’s e-mail address. That will consolidate the e-mail and logon namespaces so that the user will have to remember and use a single name.
The UPN which you see and which you can modify, in Active Directory Users and Computers or in Active Directory Administrative center is the so called explicit User Principle Name. It’s value is stored in the userPrincipleName attribute of the user account. As we demonstrate in Step1, there is one more UPN, associated with each account – the Implicit User Principle Name. It is based on the sAMAccountName attribute and the Active Directory DNS domain name of the account. You cannot delete the implicit UPN, and modifying the sAMAccount name changes automatically the implicit UPN. In addition, Active Directory always uses the implicit UPN in Kerberos authentication.
For you convenience, Microsoft provides one more UPN – the so called UPN with flat domain name, which uses the NetBIOS AD domain name, instead of the DNS one.
In the following Step-by-Step video tutorial, we discuss the different types of UPN and demonstrate their use on local domain clients (Windows XP and Windows 7) and remote (Outlook Web App and Outlook Anywhere) clients.
Next we focus on adding UPN suffixes:
– For the whole forest, in Active Directory Users and Computers
– For specific Organization Unit, in ADSIEDT.msc
Then we compare the use of Active Directory Administrative Center and Active Directory Users and Computers and outline some of the limitations of the latter when specifying UPN suffix for a specific OU.
Finally, we demonstrate how to bulk modify the explicit UPN in Exchange Management shell to match the e-mail address of the accounts.
Stay tuned on NetoMeter – subscribe to NetoMeter RSS.
Dean