The unique (and not-so-unique) challenges and observations of an IT pro.
Thursday, February 14, 2013
Scripting UPN suffix changes in PowerShell
I've been doing a little consulting work on the side lately. One client is using an alternate UPN suffix to make a "pretty" UPN even though they're using a subdomain for their Active Directory as I recommend here. Since the end users will be instructed to "log in with their email address" it's important that all user accounts have the proper UPN set.
After defining the desired UPN in Active Directory Domains and Trusts, I realized that there was no good way to "force" new accounts to use this UPN. The person at the site responsible for adding and removing users generally isn't a full-time IT person, so while you can give instructions, you can't guarantee that they'll be followed. To work around this, I whipped up a few lines of PowerShell and dropped them into Task Scheduler. The script runs every 10 minutes, queries AD for all users in a specific OU structure that have the undesirable UPN, and changes it to the desired one.
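A sketch of the scheduled job described above, as an added example that is not the author's Pastebin script. It goes slightly beyond the post by also handling the case-sensitivity and unset-UPN cases raised in the comments. The suffixes are the ones quoted in the comment thread; the OU path and the `Get-CorrectedUpn` helper name are hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the author's Pastebin script.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$OldSuffix  = 'ad.example.com',                   # suffix to retire
    [string]$NewSuffix  = 'example.com',                      # suffix users log in with
    [string]$SearchBase = 'OU=Staff,DC=ad,DC=example,DC=com'  # hypothetical OU
)

# Hypothetical helper: pure string logic, no directory access.
function Get-CorrectedUpn {
    param([string]$Upn, [string]$SamAccountName, [string]$OldSuffix, [string]$NewSuffix)

    # Unset UPN: build one from sAMAccountName.
    if ([string]::IsNullOrWhiteSpace($Upn)) {
        return ('{0}@{1}' -f $SamAccountName, $NewSuffix)
    }
    # Split at the last '@' so only the suffix is ever rewritten.
    $at = $Upn.LastIndexOf('@')
    if ($at -lt 0) { return $Upn }    # malformed value: leave it for a human
    $prefix = $Upn.Substring(0, $at)
    $suffix = $Upn.Substring($at + 1)
    # -ieq ignores case, unlike String.Replace().
    if ($suffix -ieq $OldSuffix) { return ('{0}@{1}' -f $prefix, $NewSuffix) }
    return $Upn
}

# Users with the old suffix, plus users with no UPN set at all.
$filter = "UserPrincipalName -like '*@$OldSuffix' -or UserPrincipalName -notlike '*'"

Get-ADUser -Filter $filter -SearchBase $SearchBase -SearchScope Subtree | ForEach-Object {
    $new = Get-CorrectedUpn -Upn $_.UserPrincipalName -SamAccountName $_.SamAccountName `
                            -OldSuffix $OldSuffix -NewSuffix $NewSuffix
    # Write only when something changes, and honour -WhatIf / -Confirm.
    if ($new -ne $_.UserPrincipalName -and
        $PSCmdlet.ShouldProcess($_.DistinguishedName, "Set UPN to $new")) {
        Set-ADUser -Identity $_ -UserPrincipalName $new
    }
}
```

Run it once with `-WhatIf` to review the planned changes, and give the scheduled task an account delegated only to write user attributes in that OU.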
Thanks for this. @jscott let me know about this. One thing I did discover is that the replace method is case sensitive. Thanks again for this quick fix!
Thank you!!! Case-sensitive domain names. Was wondering what the hell I was doing wrong.
I need to modify the User Logon name that forms the first part of the UPN: oldupn@wherever.com to new.upn@wherever.com
I need to combine the givenname "new" and SN "upn" to make the "new.upn"
Any suggestions welcomed. regards.
Should be easy. Use .Split() to split the existing UPN at the @ and take the first element of the resulting array to feed to Replace() for each user. In this case, instead of replacing the suffix, you'll replace the prefix.
Hi Mark, would you have an example of the script required for doing this?
Changing the username part as well oldupn@wherever.com to new.upn@wherever.com
Thanks.
I am also interested in the same UPN change that Anonymous is asking about. I only need to change the prefix from LastNameFirstInitial to FirstName_LastName. The suffix can stay the same. I'm not a scripting person, so is there anyone out there who can show a script that does just that? Thank you.
This script worked great for my entire domain. I had tried several different variants from other authors of the same idea that ran with no errors but made absolutely no changes to the users. Thanks a lot!
Hello!
Thanks for this!
But if you have troubles with case-sensitive characters, try this:
case sensitive:
$upn = $_.UserPrincipalName.Replace("ad.example.com","example.com")
case insensitive:
$upn = $_.UserPrincipalName -replace "ad\.example\.com","example.com"
I hope this helps someone. :-)
Is this script still available - I am unable to view it?
It's still there. You must be on a network that can't access Pastebin.
How do I update UPN suffix when the suffix is not defined? For the Get-ADUser, I'm using -notlike our domain name, but how do I do the foreach for empty suffix?