Re: NT domain users missing username@domain entries



I didn't realize it is implicitly there.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Jorge de Almeida Pinto [MVP - DS]"
<SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> wrote in message
news:%23kcSL6u0IHA.2188@xxxxxxxxxxxxxxxxxxxxxxx
nope, you could still use the IMPLICIT UPN which is there
automatically....

let's say your AD domain is called: AD.MYCOMPANY.COM
let's say your SMTP domain is called: MYCOOLCOMPANY.COM
let's say the user has the samaccountname: MYUSER
let's say the user's mail is: MY.SPECIAL.USER@xxxxxxxxxxxxxxxxx

the IMPLICIT upn = MYUSER@xxxxxxxxxxxxxxxx (this is just there under the
covers)

the explicit UPN COULD BE: MY.SPECIAL.USER@xxxxxxxxxxxxxxxxx (the same as
the mail address, IF YOU WANT TO!)

What can you do to configure explicit UPNs:
(1) Use some LDAP write tool and populate the userPrincipalName attribute
with whatever you want
(2) Configure a UPN suffix at forest level (done with DOMAIN.MSC and it is
just an administrative thing, nothing special) which then will show up in
ADUC or when creating a user using ADUC
(3) Configure a UPN suffix at OU level (done with ADSIEDIT.MSC and it is
just an administrative thing, nothing special) which then will show up in
ADUC or when creating a user using ADUC
(4) A combination of 2 and 3

also read the multiple forests whitepaper which contains more info about
this
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/mtfstwp.mspx
--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no
rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"vap0rtranz" <justin4dti@xxxxxxxxxxxx> wrote in message
news:41943AED-FD3A-4F24-8CAF-6C8DA792F8E9@xxxxxxxxxxxxxxxx
Good info Jorge. So these old NT users need a UPN before we can expect
logons to always work correctly across trusted domains?

Justin
--
AIM/YIM/ICQ: vap0rtranz
Homepage: http://appstate.edu/~jp59031/

"Here on the moon, our weekends are so advanced, they encompass the entire
week." - Ignignokt


"Jorge de Almeida Pinto [MVP - DS]" wrote:

some explanation here:

A user principal name (UPN) is a variation of a user account name that looks
like an e-mail name but can be used to log on to a domain. The syntax is
<username>@<string>. UPNs allow you to use the same logon name across
different domains in the same forest or in different forests.

Two types of UPNs exist:
- Implicit UPN: Has the form "username@FQDNDomainName". The implicit UPN is
  always associated with the user's account, regardless of whether an explicit
  UPN is defined.
- Explicit UPN: Has the form "userIDstring@FQDNstring". Both "userIDstring"
  and "FQDNstring" (UPN suffix) are explicitly defined by the administrator.
  That information is stored in the userPrincipalName attribute.

configuring the explicit UPN is a manual configuration and does not occur
automagically ;-)

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

"vap0rtranz" <justin4dti@xxxxxxxxxxxx> wrote in message
news:E7D8F117-640B-4B7C-B541-219B6BB07D23@xxxxxxxxxxxxxxxx
We inherited an NT domain that had been upgraded directly to 2003. Users
that have been added since the upgrade get the new username@domain fields
populated under Users & Computers; the old NT users only have the pre-Windows
2000 domain\username fields populated. Will bumping the domain/forest
functional level up from 2003 Interim fix this? I bumped into some odd ACLs
needed by a NAS box that allow only the new AD nomenclature ...

Justin
--
AIM/YIM/ICQ: vap0rtranz
Homepage: http://appstate.edu/~jp59031/

"Here on the moon, our weekends are so advanced, they encompass the entire
week." - Ignignokt
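
The implicit/explicit UPN distinction discussed in this thread, as an added example that is not part of any poster's message: it reads an LDIF-style export, derives each account's implicit UPN from sAMAccountName plus the DC= components of its DN, and lists accounts with no userPrincipalName value. The sample records, the mycoolcompany.com address and all function names are constructed for illustration, and the parser assumes unfolded, non-base64 LDIF lines.

```python
# Constructed LDIF sample (not data from the thread); names follow the thread's example.
SAMPLE_LDIF = """\
dn: CN=Old NT User,CN=Users,DC=ad,DC=mycompany,DC=com
sAMAccountName: OLDNTUSER

dn: CN=My User,OU=Staff,DC=ad,DC=mycompany,DC=com
sAMAccountName: MYUSER
userPrincipalName: MY.SPECIAL.USER@mycoolcompany.com

dn: CN=New User,CN=Users,DC=ad,DC=mycompany,DC=com
sAMAccountName: newuser
userPrincipalName: newuser@ad.mycompany.com
"""


def parse_ldif(text):
    """Split a simple LDIF export into one lower-cased attribute dict per entry."""
    records = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            key, value = line.split(": ", 1)
            entry[key.lower()] = value.strip()
        records.append(entry)
    return records


def domain_from_dn(dn):
    """Build the AD DNS domain name from the DC= components of a DN."""
    parts = [p.strip() for p in dn.split(",")]
    return ".".join(p[3:] for p in parts if p.upper().startswith("DC=")).lower()


def upn_report(text):
    """Return (sAMAccountName, implicit UPN, explicit UPN or None) per account."""
    report = []
    for entry in parse_ldif(text):
        sam = entry.get("samaccountname")
        if not sam or "dn" not in entry:
            continue
        implicit = f"{sam}@{domain_from_dn(entry['dn'])}"
        report.append((sam, implicit, entry.get("userprincipalname")))
    return report


def missing_explicit_upn(text):
    """Accounts with no userPrincipalName, such as users carried over from NT4."""
    return [sam for sam, _, explicit in upn_report(text) if explicit is None]
```

Accounts returned by missing_explicit_upn() are the ones an application or ACL that reads only the userPrincipalName attribute will not match, even though the implicit UPN still works for logon.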




