
How to Configure E-mail Address As User Principal Name. Bulk Modifying UPN in Exchange Management Shell

User accounts in Active Directory have two types of logon credentials: the pre-Windows 2000 (or so-called down-level) logon name, and the UPN (User Principal Name).

The UPN is the preferred logon method, according to Microsoft documentation. By convention, the UPN should map to the user's e-mail address. That consolidates the e-mail and logon namespaces so that the user has to remember and use a single name.

The UPN which you see, and which you can modify, in Active Directory Users and Computers or in Active Directory Administrative Center is the so-called explicit User Principal Name. Its value is stored in the userPrincipalName attribute of the user account. As we demonstrate in Step 1, there is one more UPN associated with each account: the implicit User Principal Name. It is based on the sAMAccountName attribute and the Active Directory DNS domain name of the account. You cannot delete the implicit UPN, and modifying the sAMAccountName automatically changes the implicit UPN. In addition, Active Directory always uses the implicit UPN in Kerberos authentication (Step 3).

For your convenience, Microsoft provides one more UPN, the so-called UPN with flat domain name, which uses the NetBIOS AD domain name instead of the DNS one.

We discuss the different types of UPN and demonstrate their use on local domain clients (Windows XP and Windows 7) and remote (Outlook Web App and Outlook Anywhere) clients.

Next we focus on adding UPN suffixes:
– For the whole forest, in Active Directory Users and Computers
– For a specific Organizational Unit, in ADSIEdit.msc

Then we compare the use of Active Directory Administrative Center and Active Directory Users and Computers and outline some of the limitations of the latter when specifying a UPN suffix for a specific OU.

Finally, we demonstrate how to bulk modify the explicit UPN in Exchange Management Shell to match the e-mail address of the accounts. It is important to be careful when performing bulk operations in Active Directory. We show you how to limit the scope of the shell commands and test the result first with a small OU (Organizational Unit), and how to use the WhatIf switch before applying the changes.

For your convenience, we have published the text file with the commands which we are using in the Screencast here.

Step 1 In this step, we discuss and demonstrate the different types of UPN. You will see how to check the UPN which you are currently using and which one is listed in your cached Kerberos tickets.

Step 2 In this step, we demonstrate how to add alternative UPN suffixes, for the entire forest and for a specific Organizational Unit. Then we compare the two graphical user interfaces which you can use to configure the UPN, ADUC and Active Directory Administrative Center, and outline some of the ADUC limitations.

Step 3 Finally, we show you how to bulk set the e-mail address as UPN in Exchange Management Shell. We start by pre-testing the approach with a small OU and using the WhatIf switch, and continue with modifying all accounts in the forest.
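
The scoped, WhatIf-first approach described above can be sketched as follows. This is an added example, not the command file from the screencast; it assumes it is run in Exchange Management Shell, and the OU path, the CSV file name and the `-Apply` switch are hypothetical names chosen for illustration.

```powershell
# Added example (not the screencast's commands). Run in Exchange Management Shell.
# $TestOU, $BackupCsv and -Apply are hypothetical names for this sketch.
param(
    [string]$TestOU    = 'example.local/TestUsers',  # placeholder OU, replace with your own
    [string]$BackupCsv = '.\upn-before.csv',         # snapshot of the values before the change
    [switch]$Apply                                   # omit for a WhatIf-only dry run
)

# Limit the scope to one small OU so a mistake cannot touch every account.
$mailboxes = Get-Mailbox -OrganizationalUnit $TestOU -ResultSize Unlimited

# Keep only mailboxes whose explicit UPN differs from the primary SMTP address.
# (-ne on strings is case-insensitive, so a difference in case alone is ignored.)
$toChange = @($mailboxes | Where-Object {
    $_.UserPrincipalName -ne $_.PrimarySmtpAddress.ToString()
})

if ($toChange.Count -eq 0) {
    Write-Host "No mailboxes in '$TestOU' need a UPN change."
    return
}

# Record the current values first so the change can be reversed from the CSV.
$toChange |
    Select-Object DistinguishedName, SamAccountName, UserPrincipalName, PrimarySmtpAddress |
    Export-Csv -Path $BackupCsv -NoTypeInformation

foreach ($mbx in $toChange) {
    $newUpn = $mbx.PrimarySmtpAddress.ToString()
    if ($Apply) {
        # Real change: the explicit UPN becomes the primary e-mail address.
        Set-Mailbox -Identity $mbx.DistinguishedName -UserPrincipalName $newUpn
    } else {
        # Dry run: WhatIf reports what would be changed without writing to AD.
        Set-Mailbox -Identity $mbx.DistinguishedName -UserPrincipalName $newUpn -WhatIf
    }
}
```

Run it without `-Apply` first and review the WhatIf output and the CSV before widening the scope beyond the test OU.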


©2024 NetoMeter All Rights Reserved.