Re: NT domain users missing username@domain entries
- From: "Jorge de Almeida Pinto [MVP - DS]" <SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx>
- Date: Fri, 20 Jun 2008 17:58:17 +0200
nope, you could still use the IMPLICIT UPN which is there automatically....
let's say your AD domain is called: AD.MYCOMPANY.COM
let's say your SMTP domain is called: MYCOOLCOMPANY.COM
let's say the user has the samaccountname: MYUSER
let's say the user's mail is: MY.SPECIAL.USER@xxxxxxxxxxxxxxxxx
the IMPLICIT upn = MYUSER@xxxxxxxxxxxxxxxx (this is just there under the covers)
the explicit UPN COULD BE: MY.SPECIAL.USER@xxxxxxxxxxxxxxxxx (the same as the mail address, IF YOU WANT TO!)
What you can do to configure explicit UPNs:
(1) Use some LDAP write tool and populate the userPrincipalName attribute with whatever you want
(2) Configure a UPN suffix at forest level (done with DOMAIN.MSC and it is just an administrative thing, nothing special) which then will show up in ADUC or when creating a user using ADUC
(3) Configure a UPN suffix at OU level (done with ADSIEDIT.MSC and it is just an administrative thing, nothing special) which then will show up in ADUC or when creating a user using ADUC
(4) A combination of 2 and 3
also read the multiple forests whitepaper which contains more info about this
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/mtfstwp.mspx
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #
BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
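One way to audit the situation discussed in this thread, as an added example that is not part of the original posts: it lists accounts whose userPrincipalName is empty (implicit UPN only), shows the implicit UPN next to a proposed explicit one, and writes the explicit UPN as in option (1) only when `$Apply` is set. It assumes the ActiveDirectory PowerShell module is available; `$UpnSuffix` and `$Apply` are illustrative names, and the suffix is the thread's example value.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$UpnSuffix = 'MYCOOLCOMPANY.COM'  # assumption: the thread's example suffix; use your own
$Apply     = $false               # $false = report only (Set-ADUser runs with -WhatIf)

$domain = Get-ADDomain
$forest = Get-ADForest

# Option (2) in the post: a suffix that is not a domain DNS name is normally
# registered at forest level so that it also shows up in ADUC.
$known = @($forest.UPNSuffixes) + @($forest.Domains)
if ($known -notcontains $UpnSuffix) {
    Write-Warning "'$UpnSuffix' is not a forest UPN suffix or a domain name in this forest."
}

# Accounts that only have the implicit UPN: userPrincipalName is not set.
$filter = '(&(objectCategory=person)(objectClass=user)(!(userPrincipalName=*)))'
$users  = Get-ADUser -LDAPFilter $filter -Properties mail

$report = foreach ($u in $users) {
    $newUpn = '{0}@{1}' -f $u.SamAccountName, $UpnSuffix

    # Refuse to create a duplicate; this lookup only covers the current domain.
    $clash = Get-ADUser -Filter 'UserPrincipalName -eq $newUpn'

    if ($clash) {
        $action = 'skipped: UPN already in use'
    } else {
        Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf:(-not $Apply)
        $action = if ($Apply) { 'set' } else { 'report only' }
    }

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        ImplicitUpn    = '{0}@{1}' -f $u.SamAccountName, $domain.DNSRoot
        ProposedUpn    = $newUpn
        Mail           = $u.mail
        Action         = $action
    }
}

$report | Sort-Object SamAccountName | Format-Table -AutoSize
```

Run it with `$Apply = $false` first and review the table; in a multi-domain forest, check the proposed UPNs against a global catalog as well, since the duplicate lookup here covers one domain.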
"vap0rtranz" <justin4dti@xxxxxxxxxxxx> wrote in message news:41943AED-FD3A-4F24-8CAF-6C8DA792F8E9@xxxxxxxxxxxxxxxx
Good info Jorge. So these old NT users need a UPN before we can expect
logons to always work correctly across trusted domains?
Justin
--
AIM/YIM/ICQ: vap0rtranz
Homepage: http://appstate.edu/~jp59031/
"Here on the moon, our weekends are so advanced, they encompass the entire
week." - Ignignokt
"Jorge de Almeida Pinto [MVP - DS]" wrote:
some explanation here:
A user principal name (UPN) is a variation of a user account name that looks
like an e-mail name but can be used to log on to a domain. The syntax is
<username>@<string>. UPNs allow you to use the same logon name across
different domains in the same forest or in different forests.
Two types of UPNs exist:
• Implicit UPN: Has the form “username@FQDNDomainName”. The implicit UPN is
always associated with the user’s account, regardless of whether an explicit
UPN is defined.
• Explicit UPN: Has the form “userIDstring@FQDNstring”. Both “userIDstring”
and “FQDNstring” (UPN suffix) are explicitly defined by the administrator.
That information is stored in the userPrincipalName attribute.
Configuring the explicit UPN is a manual configuration and does not occur
automagically ;-)
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #
"vap0rtranz" <justin4dti@xxxxxxxxxxxx> wrote in message
news:E7D8F117-640B-4B7C-B541-219B6BB07D23@xxxxxxxxxxxxxxxx
> We inherited an NT domain that had been upgraded directly to 2003. Users
> that have been added since the upgrade get the new username@domain fields
> populated under Users & Computers; the old NT users only have the
> pre-Windows 2000 domain\username fields populated. Will bumping the
> domain/forest functional level up from 2003 Interim fix this? I bumped into
> some odd ACLs needed by a NAS box that allow only the new AD nomenclature ...
>
> Justin
> --
> AIM/YIM/ICQ: vap0rtranz
> Homepage: http://appstate.edu/~jp59031/
>
> "Here on the moon, our weekends are so advanced, they encompass the entire
> week." - Ignignokt