Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2010-10-12) User Principal Names In AD (Part 2)

Posted by Jorge on 2010-10-12


The implicit UPN (iUPN) is not stored in any attribute; it is derived from the username (e.g. ID12345) and the FQDN of the AD domain (e.g. ADCORP.LAB). The explicit UPN (eUPN), however, is stored in the "userPrincipalName" attribute on the user object in AD. You can see an example of that in the following pictures.

With any LDAP tool (e.g. Attribute Editor, LDP, ADSIEDIT, DSMOD, ADMOD, etc.) you can write any value you like into the "userPrincipalName" attribute, using any UPN Suffix you like. However, when using either Active Directory Users and Computers (ADUC) or Active Directory Administrative Center (ADAC) you can only configure UPNs with one of the following UPN Suffixes:

  • The default UPN Suffix which is the same as the FQDN of the AD domain. So for the AD domain "ADCORP.LAB", the default UPN Suffix is also "ADCORP.LAB".
  • One or more custom UPN Suffixes configured at AD forest level, either through Active Directory Domains and Trusts (ADDT) or directly in the "uPNSuffixes" attribute on the "Partitions" container in the configuration naming context (a multivalued attribute that stores the list of custom eUPN suffixes for the whole AD forest);

  • One or more custom UPN Suffixes configured at OU level, in the "uPNSuffixes" attribute on the OU where the user accounts reside (a multivalued attribute that stores the list of custom eUPN suffixes for that OU only).

Given these configuration options, ADUC and ADAC behave as follows when creating or editing user objects:

  1. When no custom UPN Suffixes have been configured at any level, both ADUC and ADAC will only show the default UPN Suffix for the corresponding AD domain;

  2. When custom UPN Suffixes have been configured at AD forest level, both ADUC and ADAC will show the default UPN Suffix for the corresponding AD domain and any custom UPN Suffix;

  3. When custom UPN Suffixes have (also) been configured at OU level, ADUC and ADAC behave differently:
    1. ADUC will only show the custom UPN Suffixes configured on the OU in which the user object is located. It does not inherit UPN Suffixes from parent container objects;
    2. ADAC will show the default UPN Suffix for the corresponding AD domain plus any custom UPN Suffixes configured at AD forest level and/or on that OU. It also does not inherit UPN Suffixes from parent container objects.

Removing any of the custom UPN Suffixes does not change the "userPrincipalName" values already configured on existing user objects; those values remain as they are. The removal only affects user objects created after the custom UPN Suffix is gone. Removing a custom UPN Suffix at AD forest level will also impact UPN Suffix Routing over a Forest Trust, but that's another story for a new blogpost!

Remember though: while ADUC and ADAC only let you pick a preconfigured UPN Suffix, nothing prevents you from using any LDAP tool (e.g. Attribute Editor, LDP, ADSIEDIT, DSMOD, ADMOD, etc.) to write whatever you like into the "userPrincipalName" attribute on the user object.
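Because any LDAP tool can write an arbitrary suffix, the following PowerShell audit (an added example, not part of the original post) lists user objects whose "userPrincipalName" suffix is not one ADUC or ADAC would have offered for that object's location: the domain FQDN, the forest-level "uPNSuffixes" on the "Partitions" container, or the "uPNSuffixes" on the user's own OU. It assumes the RSAT ActiveDirectory module and a single-domain forest; the Get-AllowedUpnSuffix helper is written for this example.

```powershell
# Added example, not part of the original post: report users whose UPN suffix
# would not have been offered by ADUC/ADAC for the OU the user object lives in.
# Assumes the RSAT ActiveDirectory module and a single-domain forest.
Import-Module ActiveDirectory

# Default UPN Suffix = FQDN of the AD domain
$domainSuffix = (Get-ADDomain).DNSRoot

# Forest-level custom suffixes: uPNSuffixes on the Partitions container
$partitionsDn   = "CN=Partitions,$((Get-ADRootDSE).configurationNamingContext)"
$forestSuffixes = @((Get-ADObject -Identity $partitionsDn -Properties uPNSuffixes).uPNSuffixes |
                    Where-Object { $_ })

# OU-level custom suffixes, keyed by OU distinguished name
$ouSuffixes = @{}
Get-ADOrganizationalUnit -Filter 'uPNSuffixes -like "*"' -Properties uPNSuffixes |
    ForEach-Object { $ouSuffixes[$_.DistinguishedName] = @($_.uPNSuffixes) }

function Get-AllowedUpnSuffix {
    # Helper written for this example: returns the suffixes ADUC/ADAC would
    # offer for a user at this DN. Only the user's own parent OU counts,
    # because neither tool inherits uPNSuffixes from parent containers.
    param([string]$UserDn)
    # Drop the leading RDN (handles escaped commas such as "CN=Doe\, John")
    $parentDn = $UserDn -replace '^(?:[^,\\]|\\.)+,', ''
    $ouLevel  = if ($ouSuffixes.ContainsKey($parentDn)) { $ouSuffixes[$parentDn] } else { @() }
    return @($domainSuffix) + $forestSuffixes + $ouLevel
}

# -notcontains compares case-insensitively, so ADCORP.LAB and adcorp.lab match
Get-ADUser -Filter 'userPrincipalName -like "*"' -Properties userPrincipalName |
    ForEach-Object {
        $suffix  = ($_.UserPrincipalName -split '@', 2)[1]
        $allowed = Get-AllowedUpnSuffix -UserDn $_.DistinguishedName
        if (-not $suffix -or $allowed -notcontains $suffix) {
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                UserPrincipalName = $_.UserPrincipalName
                ParentContainer   = $_.DistinguishedName -replace '^(?:[^,\\]|\\.)+,', ''
            }
        }
    } | Format-Table -AutoSize
```

A UPN with no "@" at all is reported too, since ADUC and ADAC always append a suffix.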

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge's Quest For Knowledge ###############
http://JorgeQuestForKnowledge.wordpress.com/
———————————————————————————————
