Re: DSMOD -UPN

---

• From: Steve Audus, Chaucer BEC, Sheffield UK <SteveAudusChaucerBECSheffieldUK@xxxxxxxxxxxxxxxxxxxxxxxxx>
• Date: Mon, 28 Jul 2008 05:23:08 -0700

---

Jorge,

Thank for the reply,
I have used "csvde -f" command to output a file of our 1000+ users,
and many do not have "userPrincipalName" a value, some do.

When I look at the Account Properties in AD Users and Computers for these
users either thier "User logon name:" is blank or/and the domain is not
selected in the drop down list.

It is the EXPLICIT userPrincipalName attribute that our Internet filter
displays.

So I do need to create a batch or command to edit this attribute for muliple
users.

Any other suggestions?

Thank you
Steve


"Jorge de Almeida Pinto [MVP - DS]" wrote:

although you do not see a UPN configured in ADUC, each user in AD has a UPN
whether or not you configure it.

* each user in AD by default has an IMPLICIT UPN which always matches
<sAMAccountName>@<AD DOMAIN>. The implicit UPN is just there!
* additionally you can configure an EXPLICIT UPN which can basically be
anything like for example the e-mail address <My Name>@<My Comapnies
Domain>. The explicit UPN for a user is stored in the userPrincipalName
attribute

whether or not you use the explicit UPN, authentication will always revert
to and use the implicit UPN. The ability to configure another UPN is just
accomodate admins to configure another UPN

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Steve Audus, Chaucer BEC, Sheffield UK"
<SteveAudusChaucerBECSheffieldUK@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B85FB8B8-D057-43A9-A193-EDEB71FB0621@xxxxxxxxxxxxxxxx

We have a large selection of users without userPrinicipalName, which is
required for the authentication for our internet filter. I'd like to
quickly
do a dsquery and dsmod script to correct this problem, but am stuck with
the
syntax.

Can anyone help? the UPN should be %username%@xxxxxxxxxxxxxxxxxxx

Any suggestions?

Thank you

.

---

• Follow-Ups:
  • Re: DSMOD -UPN
    • From: Jorge de Almeida Pinto [MVP - DS]

• References:
  • DSMOD -UPN
    • From: Steve Audus, Chaucer BEC, Sheffield UK
  • Re: DSMOD -UPN
    • From: Jorge de Almeida Pinto [MVP - DS]

• Prev by Date: Re: Office XP Access Uninstall only with Group Policy
• Next by Date: Re: Some basic questions re AD
• Previous by thread: Re: DSMOD -UPN
• Next by thread: Re: DSMOD -UPN
• Index(es):
  • Date
  • Thread

---

Relevant Pages Duplicate UPNs and "default UPN" ... I've been continuing to try to figure out what was going on with a situation that I described in an earlier thread where an LDAP authentication was failing when using the user's name in UPN format: ... As mentioned at the end of the last thread, I was able to create a situation where attempting to authenticate using the user's UPN, as contained in the "userPrincipalName" attribute, would fail, by creating two different users, in two different containers, with both users having their userPrincipalName attribute set to the same value. ... ldifde with a simple bind with that UPN formatted username would then fail, but using a full DN, I could authenticate. ... (microsoft.public.windows.server.active_directory) Re: ActiveDirectoryMembershipProvider & ValidateUser ... It is entirely possible that your company is using implicit ... userPrincipalName values instead of expliciting setting them. ... if UPN isn't set, then the user will have an implicit UPN of ... Co-author of "The .NET Developer's Guide to Directory Services Programming" ... (microsoft.public.dotnet.framework.aspnet.security) Re: DSMOD -UPN ... if %USERNAME% is the same as samaccountname and CHAUSERSCHOOL.LOCAL is the same as your AD domain name, THEN through the implicit UPN, which is what you said, already allows to authenticate using that UPN. ... Or does the Internet Filter check the userPrincipalName? ... Always test ANY suggestion in a test environment before implementing! ... (microsoft.public.windows.server.active_directory) Re: NT domain users missing username@domain entries ... you could still use the IMPLICIT UPN which is there automatically.... ... the explicit UPN COULD BE: MY.SPECIAL.USER@xxxxxxxxxxxxxxxxx ... Always test ANY suggestion in a test environment before implementing! ... (microsoft.public.windows.server.active_directory) Re: DSMOD -UPN ... what do you want the UPN to be? ... BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx ... Always test ANY suggestion in a test environment before implementing! ... The explicit UPN for a user is stored in the userPrincipalName ... (microsoft.public.windows.server.active_directory)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(16)