Set Default UPN Suffix for Creating New Users in Active Directory

Solution 1:

This can't be done as far as I know (Evan's answer is still true 4 years later).

That said, I've written a script that runs in Task Scheduler every few hours at more than one client. It searches for a specific suffix (the default, in most cases) and switches it to another. The script is on my blog, but I'll post it here as well :)

Import-Module ActiveDirectory

# Find every user under the OU whose UPN still carries the domain (default) suffix
# and rewrite it to the alternative suffix. The replacement is anchored to the
# "@suffix" at the end of the value, so only the suffix changes and a prefix that
# happens to contain the same text is left alone.
Get-ADUser -Filter {UserPrincipalName -like "*@ad.example.com"} -SearchBase "OU=SomeUserOu,DC=ad,DC=example,DC=com" |
ForEach-Object {
    $UPN = $_.UserPrincipalName -replace '@ad\.example\.com$', '@example.com'
    Set-ADUser -Identity $_ -UserPrincipalName $UPN
}

In this case, users created with an ad.example.com UPN suffix are updated to the example.com suffix.
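A stricter version of the scheduled rewrite, added here as an example and not part of the answer's own script: before touching anything it checks that the target suffix is actually a domain DNS name or a registered alternative suffix in the forest, anchors the match to the suffix so a prefix such as brad.example.com@ad.example.com is not mangled, checks a global catalog for a UPN collision (UPNs must be unique forest-wide), and honours -WhatIf. The suffixes and the OU are the placeholders from the answer and are assumptions; the script file name in the usage note is likewise made up.

```powershell
# Added example, not the answer's script. Suffixes and OU are placeholders.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$OldSuffix  = 'ad.example.com',
    [string]$NewSuffix  = 'example.com',
    [string]$SearchBase = 'OU=SomeUserOu,DC=ad,DC=example,DC=com'
)

Import-Module ActiveDirectory

# Refuse to write a suffix the forest does not know about. Set-ADUser stores any
# string, but ADUC only offers domain DNS names plus the suffixes registered on the
# forest, and anything keyed on UPN downstream expects one of those.
$forest        = Get-ADForest
$knownSuffixes = @($forest.Domains) + @($forest.UPNSuffixes)
if ($knownSuffixes -notcontains $NewSuffix) {
    throw "'$NewSuffix' is neither a domain DNS name nor a registered UPN suffix in forest '$($forest.Name)'."
}

# Collision checks go to a global catalog (port 3268): UPN uniqueness is a
# forest-wide rule, not a per-domain one, and UPN is in the GC partial attribute set.
$gc       = Get-ADDomainController -Discover -Service GlobalCatalog
$gcServer = "$($gc.HostName):3268"

# Match only the suffix, anchored at the end of the value.
# 'brad.example.com@ad.example.com' keeps its prefix; a plain .Replace() would not.
$pattern = '@' + [regex]::Escape($OldSuffix) + '$'

$users = Get-ADUser -Filter "UserPrincipalName -like '*@$OldSuffix'" -SearchBase $SearchBase
foreach ($user in $users) {
    $newUpn = $user.UserPrincipalName -replace $pattern, "@$NewSuffix"

    # Skip rather than let Set-ADUser fail halfway through the batch.
    $clash = Get-ADUser -Filter "UserPrincipalName -eq '$newUpn'" -Server $gcServer
    if ($clash -and $clash.DistinguishedName -ne $user.DistinguishedName) {
        Write-Warning "Skipping $($user.DistinguishedName): '$newUpn' is already used by $($clash.DistinguishedName)"
        continue
    }

    # SupportsShouldProcess makes -WhatIf / -Confirm on the script control this write.
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Change UPN '$($user.UserPrincipalName)' to '$newUpn'")) {
        Set-ADUser -Identity $user -UserPrincipalName $newUpn
        Write-Verbose "Updated $($user.SamAccountName): $($user.UserPrincipalName) -> $newUpn"
    }
}
```

Run it once by hand as .\Fix-UpnSuffix.ps1 -WhatIf -Verbose (assumed file name) to see what would change before putting it in Task Scheduler. A UPN change alters the name those users type at sign-in and is picked up by directory synchronization, so a collision or a typo in the suffix is something you want caught by the script, not reported by users.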

Solution 2:

There is no documented mechanism that I am aware of to change the default UPN suffix that gets chosen by Active Directory Users and Computers. I believe that the tool is hard-wired to take the first portion of the "canonicalName" attribute defined on the "crossRef" object for the domain specified in "CN=Partitions,CN=Configuration, ..." in your forest.

AD Users and Computers just happens to be hard-wired to do this. If you create user accounts using other means ("NET USER ... /add", for example) then no userPrincipalName attribute will be assigned to the account. The default UPN suffix is really just a default in AD Users and Computers, not a default of the directory service itself.

Should you run into the Microsoft KB article with a script in it that shows you how to programmatically obtain the default UPN suffix (http://support.microsoft.com/default.aspx?scid=kb;en-us;Q269441), beware that the script has a couple of syntax errors in it (lines 17 and 32 are malformed and srrNamingContext on line 32 should be strNamingContext). I'll include a fixed version with a minor improvement at the end of this post (it shows you the names of individual OUs where additional UPN suffixes might be defined).

I'd love to be corrected by somebody more "in the know" than me, but I'm not seeing any way to get AD Users and Computers to act differently.

' --- Get the naming contexts ---
Set RootDSE = GetObject("LDAP://RootDSE")
strNamingContext = RootDSE.Get("defaultNamingContext")
strConfigContext = RootDSE.Get("configurationNamingContext")

' --- Bind to the domain and to the Partitions container in the configuration NC ---
Set oDomain = GetObject("LDAP://" & strNamingContext)
Set oPartition = GetObject("LDAP://CN=Partitions," & strConfigContext)

' --- Get the DNS name of the domain ---
' canonicalName is a constructed attribute, so it has to be requested explicitly.
oDomain.GetInfoEx Array("canonicalName"), 0
strCanonical = oDomain.Get("canonicalName")
strDNSName = Left(strCanonical, Len(strCanonical) - 1) ' clip off the trailing "/"

' --- Display the default UPN suffix (what AD Users and Computers preselects) ---
wscript.echo strDNSName

' --- Get the forest-wide uPNSuffixes ---
' GetEx raises an error when no alternative suffix has been defined yet.
On Error Resume Next
suffixes = oPartition.GetEx("uPNSuffixes")
If Err.Number = 0 Then
  For Each upnSuffix In suffixes
    wscript.echo upnSuffix
  Next
End If
Err.Clear
On Error GoTo 0
Set RootDSE = Nothing
Set oDomain = Nothing
Set oPartition = Nothing

' --- Get the uPNSuffixes defined on organizational units ---
Set ADOconn = CreateObject("ADODB.Connection")
Set ADOcom = CreateObject("ADODB.Command")

ADOconn.Provider = "ADsDSOObject"
bstrADOQueryString = "<LDAP://" & strNamingContext & ">;(objectCategory=organizationalUnit);uPNSuffixes,ADsPath;subtree"
wscript.echo bstrADOQueryString
ADOconn.Open
ADOcom.ActiveConnection = ADOconn

ADOcom.CommandText = bstrADOQueryString
ADOcom.Properties("Page Size") = 99 ' enable paging so results beyond the server's page limit are returned

Set objRS = ADOcom.Execute

While Not objRS.EOF
   ' uPNSuffixes is multi-valued; a Null field means the OU has none defined
   If Not IsNull(objRS.Fields("uPNSuffixes")) Then
    upnsuffixes = objRS.Fields("uPNSuffixes")
    For Each upnsuffix In upnsuffixes
        wscript.echo objRS.Fields("ADsPath") & " - Suffix: " & upnsuffix
    Next
   End If

   objRS.MoveNext
Wend

Set objRS = Nothing
Set ADOcom = Nothing
Set ADOconn = Nothing
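The same lookup redone with the ActiveDirectory module, added here as an example and not part of the answer, followed by a demonstration of the point the answer makes: an account created outside AD Users and Computers gets no userPrincipalName unless you supply one, so the "default suffix" is a property of the tool, not of the directory. The OU, the two test account names and the wanted suffix are assumptions for illustration; the script deletes the accounts it creates.

```powershell
# Added example, not part of the original answer. OU, account names and suffix are
# placeholders; the OU must exist and you need rights to create and delete users in it.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext
$configDn = $rootDse.configurationNamingContext

# What ADUC preselects for a user in this domain: the domain's DNS name.
# canonicalName is constructed, so it must be requested explicitly; it ends in '/'.
$domain        = Get-ADObject -Identity $domainDn -Properties canonicalName
$defaultSuffix = $domain.canonicalName.TrimEnd('/')

# Alternative suffixes registered for the whole forest live on CN=Partitions.
$partitions     = Get-ADObject -Identity "CN=Partitions,$configDn" -Properties uPNSuffixes
$forestSuffixes = @($partitions.uPNSuffixes | Where-Object { $_ })

# Suffixes can also be attached to an OU; ADUC offers those only for objects under it.
$ouSuffixes = Get-ADOrganizationalUnit -Filter * -SearchBase $domainDn -Properties uPNSuffixes |
    Where-Object { $_.uPNSuffixes.Count -gt 0 } |
    ForEach-Object { [pscustomobject]@{ OU = $_.DistinguishedName; Suffixes = @($_.uPNSuffixes) } }

"Default suffix (ADUC): $defaultSuffix"
"Forest suffixes:       $($forestSuffixes -join ', ')"
$ouSuffixes | ForEach-Object { "OU $($_.OU): $($_.Suffixes -join ', ')" }

# The default is a client-side convenience. New-ADUser, like NET USER /add, leaves
# userPrincipalName unset unless told otherwise.
$ou = "OU=SomeUserOu,$domainDn"   # assumed OU
New-ADUser -Name 'upn-demo-implicit' -SamAccountName 'upn-demo-implicit' -Path $ou
$implicit = Get-ADUser -Identity 'upn-demo-implicit'
"Implicit UPN: '$($implicit.UserPrincipalName)'"

# So choose the suffix deliberately, and only from the set the forest actually knows:
# the domain DNS name, the forest-wide suffixes, and any OU-scoped ones.
$wanted  = 'example.com'   # assumed suffix
$allowed = @($defaultSuffix) + $forestSuffixes + ($ouSuffixes | ForEach-Object { $_.Suffixes })
if ($allowed -notcontains $wanted) {
    Remove-ADUser -Identity $implicit -Confirm:$false
    throw "'$wanted' is not a usable UPN suffix here; allowed: $($allowed -join ', ')"
}
New-ADUser -Name 'upn-demo-explicit' -SamAccountName 'upn-demo-explicit' -Path $ou `
    -UserPrincipalName "upn-demo-explicit@$wanted"
$explicit = Get-ADUser -Identity 'upn-demo-explicit'
"Explicit UPN: '$($explicit.UserPrincipalName)'"

# Clean up the demonstration accounts.
Remove-ADUser -Identity $implicit -Confirm:$false
Remove-ADUser -Identity $explicit -Confirm:$false
```

Whatever provisions your users (a script, an HR connector, NET USER) has to pass the UPN explicitly, and the check against the known suffixes is what keeps an unverified or mistyped suffix out of the directory, since Set-ADUser and New-ADUser will store any string you give them.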