Changing Domain Users’ ‘User Logon Names’ and UPN’s

KB ID 0001238

Problem

Changing a users UPN suffix is easy (as long as it’s been added – see below). There is some confusion about the User Login Name though.

UPN and sAMAccountName

 

A few weeks ago I had a client that needed this done, (for an office 365 migration). But they had the added problem that some of their User Logon Names had spaces in them, they were in first-name{space}last-name format.

What would happen if I changed their user logon names? Would they have to use a different logon name? Would their profile break? Or worse still, would they all lose their roaming profiles?

 Solution

Adding A New UPN Suffix

Before you can add a new UPN suffix you need to make it available in the domain. Administrative Tools > Active Directory Domains and Trusts > Right Click ‘Active Directory Domains and Trusts’  > Properties > Add the new Suffix  >Apply > OK.

Add a New UPN Suffix

From this point forward you can add that as a new suffix for any/all users.

The Effect of Changing a User Logon Name

Using the same user as above, I’ve changed the ‘User Logon Name’, and added the new UPN Suffix to test.

Change a Users UPN

How Does Changing a User Logon Name Affect Profile and Home Drive Paths?

Put simply it does not! To prove it I did some testing. The profile and home drive path of this user’s is set on the ‘profile’ tab of their user object.

UPN Changes and Profile Paths

It remains the same after the User Logon Name changes. When these users were setup the profile paths and home drive paths were all set ‘on mass’, by selecting multiple users and setting the path to \\server-name\folder-name\%username% and it fills in all the ‘usernames‘ with the sAMAccountName and that has not changed.

Does the User Have to Change their Logon Name?

Confusingly users don’t log on with their User Logon Name (Usually, but they can if they wanted to) from all the way back to NT4 we have logged on with the DOMAIN-NAME\USER-NAME format which uses the sAMAccountName, NOT the User Logon Name. If you look at the very first picture at the top of the page you can see that below the UPN. Its called the User name (pre-Windows 2000). You may not of even have noticed, but on Windows 10 they put this right in your face on the logon screen.

Logon Names and UPN

Whats the Point of a UPN Then?

You can actually authenticate, and log on with your UPN, (see below)

Logon with UPN

This logs on as the user in the example above with the correct profile, and group membership etc. Though it’s not common practice to logon with a UPN. Microsoft Now Have a Very BAD HABIT of telling users, (and putting in their documentation), to ‘Log on with your Email AddressThis is wrong, you actually are logging on with your UPN, Microsoft are making the assumption, that your Email and UPN are the same. This is why blogs and forums are full of scripts to change your UPN so that it matches your email address. They assume, (usually quite rightly, that if you tell users to log on with their UPN they will be confused and not know what that is). So rather than address this problem, they tell users to log on with their Email addresses. That’s the real reason we are talking about changing UPN’s, and probably why your here in the first place.

Some Users Don’t Have UPN’s?

This is normal, don’t panic, a user does not have to have a UPN, if you are seeing blank entries that user was probably migrated via a script or tool into your AD, or simply was migrated from an older version of AD as part of a domain upgrade.

So Nothing Broke?

No, the local cached copy of the profile is still named the same as the sAMAccountName;

Local Cached Policy Name

And the roaming profile and home drive also stayed the same;

Roaming Profile UPN Change

WARNING: Just so I don’t do the same thing Microsoft did and ‘Make an Assumption’. Where changing the User Logon Names would affect you is if users were already logging into their machines with their UPN, Then they would need to change their login names to the new UPN, (or use the pre-Windows 2000 login name). But I’ve never seen a user logon with a UPN, the only time I’ve ever logged onto something with a UPN, is when I can’t type a back slash to log on as DOMAIN\Username (I use a Mac). 

Remove Spaces From User Logon Names

Seriously who does this? I don’t even like spaces in folder names! Below is a PowerShell script that will search through AD and find users with a space in the middle of their logon name and replace the login name with firstname.lastname

Change the values in red.

Import-Module ActiveDirectory
Get-ADUser -Filter "UserPrincipalName -like '* *'" -SearchBase 'OU=Test,DC=pnl,DC=com' | ForEach { Set-ADUser -Identity $_.SamAccountName -UserPrincipalName "$($_.GivenName).$($_.Surname)@pnl.com" }

Note: If you have users with spaces in their GivenName or Surname attributes in AD this wont work, i.e if AD thinks a users first name is Juan Carlos, and the Surname is Rodriquez, then it would change the user logon name to ‘Juan Carlos.Rodriquez’ which is the very problem we are trying to fix! Also the first name and surname fields in AD have to have properties in them as well, or you will see red errors.

Change UPN Suffix For All Users Script

In the script below I’ve targeted a specific OU, but you can change the $ou parameter to point at the root of the domain, and do all users at once if you wish. Change the values in red to suit your domain.

Import-Module ActiveDirectory
$oldSuffix = "pnl.com"
$newSuffix = "petenetlive.com"
$ou = "OU=Test,DC=pnl,DC=com"
$server = "DC-01"
Get-ADUser -SearchBase $ou -filter * | ForEach-Object {
$newUpn = $_.UserPrincipalName.Replace($oldSuffix,$newSuffix)
$_ | Set-ADUser -server $server -UserPrincipalName $newUpn
}

Related Articles, References, Credits, or External Links

PowerShell – Update All Domain Users With Email Address From UPN

PowerShell – Updating Users Email Addresses In Active Directory

Author: PeteLong

Share This Post On

34 Comments

  1. Love you for this, thank you!!!!!!

    Post a Reply
  2. You have saved me a ton of work been stuck over this for the last week. Thanks a million

    Post a Reply
  3. If the user is using encryption software won’t it affect their access to files?

    Post a Reply
    • I cant see how? UPN is simply an attribute on a user object, its GUID remains the same, if you rename a user because she is married, her security identifier is the same, i.e. you don’t have to rejoin all the AD groups she is already a member of.

      Post a Reply
  4. Hi Peter. Please help me as I am getting error when I run the command

    You cannot call a method on a null-valued expression.
    At C:\Logging\OUs.ps1:7 char:1
    + $newUpn = $_.UserPrincipalName.Replace($oldSuffix,$newSuffix)
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

    Post a Reply
    • Usually means either $oldSuffix and/or $newSuffix is empty, has an incorrect value, or does not exist.

      P

      Post a Reply
    • I had to alter the suffixes from “olddomain.com” to “@olddomain.com” and it worked.

      Post a Reply
  5. A clear answer. It’s like finding a glass of water in the desert!

    Thanks Peter!

    Post a Reply
  6. Hi Pete

    Long time reader new poster 🙂

    just followed your advice above but get a strange “Unexpected token ‘_’ in sexpression or statement at Line:1 Char:119

    For the life of my I cant see anything wrong. Any Advice would be great.

    thanks

    Andrew

    Post a Reply
    • Hi Andrew, have you got an underscore _ and not a dash – somewhere?

      P

      Post a Reply
  7. Perfect!!
    You just made my life way easier, thanks so much!

    Post a Reply
  8. Hi Peter,
    Thanks for this great post. A question for you regarding making the UPN and email address match… Does the UPN need to match the user’s PRIMARY smtp address or can it match any of their SMTP aliases? Our organization grew from firstname@domain.com to FirstNameLastNameInitial@domain.com to FirstNameInitialLastName@domain.com and now FirstName.LastName.domain.com. As you can imagine, things are ugly and as we attempt to get ready to move to Office 365 we are encountering numerous issues with this.

    Thank again

    Post a Reply
    • I feel your pain Aaron, the UPN does not need to match any SMTP address in all honesty. It just makes things simpler for you going forward, how many users do you have, are you confident they all will understand the difference between and email address and an UPN? If the answer is NO then, Tell them to log in with their email address, (and if that’s not the primary email address fine, as long as it matches the UPN (which is actually what they are logging in as) all will be well. Pain in the butt to support going forward though my friend?

      P

      Post a Reply
  9. First of all thank you for your excellent support Peter. We have changed to UPN name in a Multi tenant environment. Now we have one Ministry who’s username is in their Original domain, but the VDI’s are in another domain. They are connected as a half way trust. Now it happens that once in a while the user is not a member of their Original domain, like Original_domain\username, but they log in as vdi_domain\username. When they login again, they usually have their Original domain membership back. Do you have any idea why they sometimes get the domain membership of their vdi computer instead of the domain where the user account is a member of? Your help would be much appreciated.

    Post a Reply
    • The domain that they are ‘logging into is displayed on the login screen (the fact its a VDI is immaterial). This would only happen if the username existed in both domains?

      Post a Reply
  10. Great article. My situation is that I am trying to migrate email from a old SBS 2011 server to Office 365. The original installer setup a .local account for the domain (123.local) and their email is abc.com . I have added the .com account to AD. If I change the settings for the users accounts to abc.com, do I still logon to the workstation as 123\user? I really need to sync the AD so I can get the email migrated. I am trying to make the change without impacting the users profiles. Some have roaming profiles and so do not. I am ripping all of this out but trying to do it without too much interruption. Thanks again for the article. Hopefully my question isn’t as clear as mud.

    Post a Reply
    • You can log on as either (post change) Chris 🙂

      Post a Reply
      • Thanks. I am trying to get the email transferred and I do not want to do it via imap.

        Post a Reply
  11. Has anyone seen a situation where a small subset of users who have had their UPN changed, cause some of their Outlook settings to change like the option for emails automatically sending from the outbox (within 24 hours of the change)? We also saw that some of those emails that were in the outbox and were manually pushed out, don’t appear in the sent folder (except those that have a client side rule in the outlook client) and we have confirmed that all emails did go out to the appropriate recipients?

    Post a Reply
  12. Hi Pete,

    Thank you for the awesome documentation and explanation in the article. However, I have a question around the UPN. What if a user has a user cert issued to them based on their UPN ie: on the $oldSuffix ? this would mean when you change the UPN to $newSuffix this would break the cert ? Although I would say it may keep the cert valid provided that UPN suffix is still in the trust domain. but what if you remove the old suffix post adding the new suffix ? this can possibly break the users cert forcing the user to re-auth perhaps ?
    I am a rookie so I apologize if I sounded stupid above.

    Regards,
    Anoop

    Post a Reply
    • What a great question! Please don’t apologise, the only daft questions are the ones not asked 🙂 In all honesty I’m not sure. If you have user cert auto enrolment you could test it quite easily with a test user though?

      Post a Reply
  13. Hello Pete,

    I am also trying to migrate one of our client to O365, so I need to change their UPN in AD.

    After changing the UPN my client is facing AD account lockout issue as described here – https://community.spiceworks.com/topic/1881880-accounts-locking-after-upn-suffix-change?started_from=new_topic

    Switching the UPN back to original the AD lockout stops.
    I found a work around which I don’t want to follow because then users will have different Email address and Login UPN on O365 – https://community.spiceworks.com/topic/2199998-ad-account-lockouts-after-changing-upn-suffix

    Could you suggest something?

    Could you help?

    Post a Reply
  14. hello. i’m having an issue where if i configure services to use UPN logon style, when restarting the server the service has a logon failure EVENTID 7000. then if i go and start it manually it starts without issues. what am i missing?

    Post a Reply
  15. Hello, well written explanation, thanks. Is there a method to make AD utilize the new, alternate upn as the default for the userprincipalname when creating brand new users?

    Post a Reply
  16. Is there any possibility to check the result before applying the new UPN to AD users?

    Post a Reply
    • You can try the command with a -WhatIf, or it your ‘super paranoid’ clone a DC and try it in a sandbox

      Post a Reply
  17. We have two UPN suffixes on our domain. If we remove one of the two suffixes, will user accounts automatically switch to the default which I think should be the DNS name of the domain? Or will we have to run a script to switch each user account over?

    Post a Reply
    • If you remove a UPN the users don’t ‘inherit’ one – they simply won’t have one.

      Post a Reply
      • Per your article then (if I understood it correctly) a blank UPN field in ADUC has no effect on a users ability to login?

        Post a Reply
        • Not if they are logging in with their samacountname

          Post a Reply
  18. Domain users using SmartCard (PIV) authentification will have issues, as their UPN is passed in the certificate.
    “Simply” re-enrolling the certificate on the smartcard will provide a new certificate with updated UPN.
    My setup is based on the Yubico / Yubikey tutorials, and may differ based on your certificate templates.

    Post a Reply

Submit a Comment

Your email address will not be published. Required fields are marked *