KB ID 0001238
Problem
Changing a user's UPN suffix is easy (as long as the suffix has already been added to the domain, see below). There is some confusion about the User Logon Name, though.
A few weeks ago I had a client that needed this done (for an Office 365 migration), but they had the added problem that some of their User Logon Names had spaces in them: they were in first-name{space}last-name format.
What would happen if I changed their User Logon Names? Would they have to log on with a different name? Would their profiles break? Or, worse still, would they all lose their roaming profiles?
Solution
Adding A New UPN Suffix
Before you can assign a new UPN suffix to a user you need to make it available in the forest: Administrative Tools > Active Directory Domains and Trusts > Right Click 'Active Directory Domains and Trusts' > Properties > Add the new Suffix > Apply > OK.
From this point forward you can assign that suffix to any or all users.
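The same change can be made from PowerShell instead of the Domains and Trusts console. This is an added example, not the article's own script: it uses the ActiveDirectory module's Get-ADForest and Set-ADForest -UPNSuffixes cmdlets, and the suffix value 'petenetlive.com' is assumed so that it matches the scripts further down the page.

```powershell
# Added example (not from the article): register a new UPN suffix at forest level,
# which is what the 'Active Directory Domains and Trusts' properties dialog does.
Import-Module ActiveDirectory

$newSuffix = 'petenetlive.com'   # assumed value, same as the article's scripts

$forest = Get-ADForest

# Show what is already registered before changing anything
Write-Host "Current UPN suffixes in forest $($forest.Name):"
$forest.UPNSuffixes | ForEach-Object { Write-Host "  $_" }

if ($forest.UPNSuffixes -contains $newSuffix) {
    Write-Host "$newSuffix is already registered, nothing to do"
} else {
    # Add the suffix; the @{Add=...} hashtable appends rather than replacing the list
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $newSuffix }
    Write-Host "Added $newSuffix"
}

# Verify: re-read the forest object rather than trusting the cached one
$registered = (Get-ADForest).UPNSuffixes -contains $newSuffix
Write-Host "Suffix $newSuffix registered: $registered"
```

Note that the forest's own DNS domain names never appear in UPNSuffixes; only the additional suffixes added this way are listed there.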
The Effect of Changing a User Logon Name
Using the same user as above, I've changed the 'User Logon Name' and added the new UPN suffix to test.
How Does Changing a User Logon Name Affect Profile and Home Drive Paths?
Put simply, it does not. To prove it I did some testing. This user's profile and home drive paths are set on the 'Profile' tab of their user object.
They remain the same after the User Logon Name changes. When these users were set up, the profile and home drive paths were all set 'en masse' by selecting multiple users and setting the path to \\server-name\folder-name\%username%; AD fills in %username% with the sAMAccountName, and that has not changed.
Does the User Have to Change their Logon Name?
Confusingly, users don't usually log on with their User Logon Name (though they can if they want to). All the way back to NT4 we have logged on in the DOMAIN-NAME\USER-NAME format, which uses the sAMAccountName, NOT the User Logon Name. If you look at the very first picture at the top of the page you can see it below the UPN; it's called the 'User name (pre-Windows 2000)'. You may not even have noticed, but on Windows 10 they put this right in your face on the logon screen.
What's the Point of a UPN Then?
You can actually authenticate and log on with your UPN (see below).
This logs on as the user in the example above with the correct profile, group membership, etc. It's not common practice to log on with a UPN, though. Microsoft now have a very bad habit of telling users (and putting in their documentation) to 'Log on with your Email Address'. This is wrong: you are actually logging on with your UPN, and Microsoft are making the assumption that your email address and UPN are the same. This is why blogs and forums are full of scripts to change your UPN so that it matches your email address. They assume (usually quite rightly) that if you tell users to log on with their UPN they will be confused and not know what that is. So rather than address this problem, they tell users to log on with their email addresses. That's the real reason we are talking about changing UPNs, and probably why you're here in the first place.
Some Users Don't Have UPNs?
This is normal, don't panic: a user does not have to have a UPN. If you are seeing blank entries, that user was probably migrated into your AD via a script or tool, or was simply carried over from an older version of AD as part of a domain upgrade.
So Nothing Broke?
No. The local cached copy of the profile is still named the same as the sAMAccountName;
And the roaming profile and home drive also stayed the same;
WARNING: Just so I don't do the same thing Microsoft did and 'make an assumption': where changing the User Logon Names would affect you is if users were already logging on to their machines with their UPN. Then they would need to change their logon names to the new UPN (or use the pre-Windows 2000 logon name). But I've never seen a user log on with a UPN; the only time I've ever logged on to something with a UPN is when I can't type a backslash to log on as DOMAIN\Username (I use a Mac).
Remove Spaces From User Logon Names
Seriously, who does this? I don't even like spaces in folder names! Below is a PowerShell script that searches AD for users with a space in the middle of their logon name and replaces the logon name with firstname.lastname.
Change the SearchBase OU and the UPN suffix (shown here as the test OU and pnl.com) to suit your domain.
Import-Module ActiveDirectory

# Find every user in the OU whose UPN (the User Logon Name) contains a space
Get-ADUser -Filter "UserPrincipalName -like '* *'" -SearchBase 'OU=Test,DC=pnl,DC=com' |
    ForEach-Object {
        # Rebuild the logon name as GivenName.Surname@suffix, keyed on the sAMAccountName
        Set-ADUser -Identity $_.SamAccountName -UserPrincipalName "$($_.GivenName).$($_.Surname)@pnl.com"
    }
Note: if you have users with spaces in their GivenName or Surname attributes in AD this won't work, i.e. if AD thinks a user's first name is 'Juan Carlos' and the surname is 'Rodriquez', the script would set the user logon name to 'Juan Carlos.Rodriquez', which is the very problem we are trying to fix! The GivenName and Surname attributes also have to be populated, or you will see red errors.
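A version of the space-removal script that handles both problems in the note above is given here as an added example; it is not the article's script. It strips whitespace inside GivenName and Surname, skips users where either attribute is empty, refuses to assign a UPN that another user already holds, and runs with -WhatIf so nothing changes until that switch is removed. The OU and suffix values are assumed to be the same as the article's.

```powershell
# Added example (not from the article): space-removal with the edge cases handled.
Import-Module ActiveDirectory

# Assumed values, matching the article's test OU and suffix
$searchBase = 'OU=Test,DC=pnl,DC=com'
$suffix     = 'pnl.com'

Get-ADUser -Filter "UserPrincipalName -like '* *'" -SearchBase $searchBase |
    ForEach-Object {
        $user = $_

        # A blank GivenName or Surname would produce a name like '.Smith@pnl.com';
        # skip the user instead of letting Set-ADUser error out
        if ([string]::IsNullOrWhiteSpace($user.GivenName) -or [string]::IsNullOrWhiteSpace($user.Surname)) {
            Write-Warning "$($user.SamAccountName): GivenName or Surname is empty, skipping"
            return
        }

        # Remove every whitespace character inside each name part, so 'Juan Carlos' + 'Rodriquez'
        # becomes 'JuanCarlos.Rodriquez' rather than 'Juan Carlos.Rodriquez'
        $first  = $user.GivenName -replace '\s', ''
        $last   = $user.Surname   -replace '\s', ''
        $newUpn = "$first.$last@$suffix"

        # A UPN must be unique in the forest; refuse to create a duplicate
        $clash = Get-ADUser -Filter { UserPrincipalName -eq $newUpn }
        if ($clash -and $clash.SamAccountName -ne $user.SamAccountName) {
            Write-Warning "$($user.SamAccountName): $newUpn already belongs to $($clash.SamAccountName), skipping"
            return
        }

        Write-Host "$($user.UserPrincipalName) -> $newUpn"
        # Remove -WhatIf once the proposed names above look right
        Set-ADUser -Identity $user.SamAccountName -UserPrincipalName $newUpn -WhatIf
    }
```

Run it once as written and read the output; only when every proposed name is what you expect should -WhatIf be removed.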
Change UPN Suffix For All Users Script
In the script below I've targeted a specific OU, but you can change the $ou variable to point at the root of the domain and do all users at once if you wish. Change the values of $oldSuffix, $newSuffix, $ou and $server to suit your domain.
Import-Module ActiveDirectory

$oldSuffix = "pnl.com"
$newSuffix = "petenetlive.com"
$ou        = "OU=Test,DC=pnl,DC=com"
$server    = "DC-01"

Get-ADUser -SearchBase $ou -Filter * | ForEach-Object {
    # Users with no UPN (see 'Some Users Don't Have UPNs?' above) would otherwise fail with
    # 'You cannot call a method on a null-valued expression', so skip them
    if (-not $_.UserPrincipalName) { return }
    $newUpn = $_.UserPrincipalName.Replace($oldSuffix, $newSuffix)
    $_ | Set-ADUser -Server $server -UserPrincipalName $newUpn
}
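For checking a suffix change before it is applied, here is an added dry-run version of the script above; it is not the article's own code. It first confirms the new suffix is actually registered in the forest, then reports the current and proposed UPN for every user in the OU, skips users with no UPN or with a different suffix, swaps only the part after the '@' rather than doing a substring replace, and passes -WhatIf to Set-ADUser. $oldSuffix, $newSuffix and $ou are the article's values, assumed here.

```powershell
# Added example (not from the article): preview a UPN suffix change before making it.
Import-Module ActiveDirectory

$oldSuffix = 'pnl.com'            # assumed, as in the article
$newSuffix = 'petenetlive.com'    # assumed, as in the article
$ou        = 'OU=Test,DC=pnl,DC=com'

# Setting a UPN whose suffix is not registered fails, so check the forest first.
# The forest's own domain names are valid suffixes but never appear in UPNSuffixes.
$forest = Get-ADForest
if (($forest.UPNSuffixes -notcontains $newSuffix) -and ($forest.Domains -notcontains $newSuffix)) {
    throw "$newSuffix is not a registered UPN suffix in forest $($forest.Name); add it first"
}

# Build a report object per user instead of changing anything on the first pass
$report = foreach ($user in Get-ADUser -SearchBase $ou -Filter *) {
    $upn = $user.UserPrincipalName
    if ([string]::IsNullOrEmpty($upn)) {
        $status = 'no UPN (skipped)'; $proposed = $null
    } elseif ($upn -notlike "*@$oldSuffix") {
        # Different suffix, or no '@' at all: leave alone rather than blindly replacing text
        $status = 'other suffix (skipped)'; $proposed = $null
    } else {
        # Keep everything before the last '@' and attach the new suffix
        $proposed = $upn.Substring(0, $upn.LastIndexOf('@')) + '@' + $newSuffix
        $status = 'change'
    }
    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        Current        = $upn
        Proposed       = $proposed
        Status         = $status
    }
}

$report | Format-Table -AutoSize

# Second pass: only the rows marked 'change', and still with -WhatIf until you are happy
$report | Where-Object Status -eq 'change' | ForEach-Object {
    Set-ADUser -Identity $_.SamAccountName -UserPrincipalName $_.Proposed -WhatIf
}
```

Export the report with Export-Csv if you want a record of the before and after values for the change ticket; once the table is right, drop -WhatIf from the final Set-ADUser.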
Related Articles, References, Credits, or External Links
PowerShell – Update All Domain Users With Email Address From UPN
PowerShell – Updating Users Email Addresses In Active Directory
15/12/2017
Love you for this, thank you!!!!!!
19/12/2017
You’re Welcome.
P
30/05/2018
You have saved me a ton of work been stuck over this for the last week. Thanks a million
30/05/2018
Glad to help 🙂
16/11/2018
If the user is using encryption software won’t it affect their access to files?
16/11/2018
I can't see how. UPN is simply an attribute on a user object; its GUID remains the same. If you rename a user because she is married, her security identifier is the same, i.e. you don't have to rejoin all the AD groups she is already a member of.
23/11/2018
Hi Peter. Please help me, as I am getting an error when I run the command:
You cannot call a method on a null-valued expression.
At C:\Logging\OUs.ps1:7 char:1
+ $newUpn = $_.UserPrincipalName.Replace($oldSuffix,$newSuffix)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
23/11/2018
Usually means either $oldSuffix and/or $newSuffix is empty, has an incorrect value, or does not exist.
P
26/08/2020
I had to alter the suffixes from “olddomain.com” to “@olddomain.com” and it worked.
01/01/2019
I heart you..???
02/06/2019
A clear answer. It’s like finding a glass of water in the desert!
Thanks Peter!
13/11/2019
Hi Pete
Long time reader new poster 🙂
Just followed your advice above but get a strange "Unexpected token '_' in sexpression or statement at Line:1 Char:119".
For the life of me I can't see anything wrong. Any advice would be great.
thanks
Andrew
14/11/2019
Hi Andrew, have you got an underscore _ and not a dash – somewhere?
P
17/12/2019
Perfect!!
You just made my life way easier, thanks so much!
02/04/2020
Hi Peter,
Thanks for this great post. A question for you regarding making the UPN and email address match… Does the UPN need to match the user’s PRIMARY smtp address or can it match any of their SMTP aliases? Our organization grew from firstname@domain.com to FirstNameLastNameInitial@domain.com to FirstNameInitialLastName@domain.com and now FirstName.LastName.domain.com. As you can imagine, things are ugly and as we attempt to get ready to move to Office 365 we are encountering numerous issues with this.
Thanks again
07/04/2020
I feel your pain Aaron. The UPN does not need to match any SMTP address, in all honesty; it just makes things simpler for you going forward. How many users do you have? Are you confident they all will understand the difference between an email address and a UPN? If the answer is NO, then tell them to log in with their email address (and if that's not the primary email address, fine, as long as it matches the UPN, which is actually what they are logging in as, all will be well). Pain in the butt to support going forward though, my friend?
P
06/05/2020
First of all thank you for your excellent support Peter. We have changed the UPN name in a multi-tenant environment. Now we have one Ministry whose username is in their original domain, but the VDIs are in another domain. They are connected with a one-way trust. Now it happens that once in a while the user is not a member of their original domain, like Original_domain\username, but they log in as vdi_domain\username. When they log in again, they usually have their original domain membership back. Do you have any idea why they sometimes get the domain membership of their VDI computer instead of the domain where the user account is a member? Your help would be much appreciated.
06/05/2020
The domain that they are 'logging into' is displayed on the login screen (the fact it's a VDI is immaterial). This would only happen if the username existed in both domains?
10/06/2020
Great article. My situation is that I am trying to migrate email from an old SBS 2011 server to Office 365. The original installer set up a .local account for the domain (123.local) and their email is abc.com. I have added the .com account to AD. If I change the settings for the user accounts to abc.com, do I still log on to the workstation as 123\user? I really need to sync the AD so I can get the email migrated. I am trying to make the change without impacting the users' profiles. Some have roaming profiles and some do not. I am ripping all of this out but trying to do it without too much interruption. Thanks again for the article. Hopefully my question isn't as clear as mud.
12/06/2020
You can log on as either (post change) Chris 🙂
15/06/2020
Thanks. I am trying to get the email transferred and I do not want to do it via imap.
07/07/2020
Has anyone seen a situation where a small subset of users who have had their UPN changed, cause some of their Outlook settings to change like the option for emails automatically sending from the outbox (within 24 hours of the change)? We also saw that some of those emails that were in the outbox and were manually pushed out, don’t appear in the sent folder (except those that have a client side rule in the outlook client) and we have confirmed that all emails did go out to the appropriate recipients?
21/07/2020
Hi Pete,
Thank you for the awesome documentation and explanation in the article. However, I have a question around the UPN. What if a user has a user cert issued to them based on their UPN, i.e. on the $oldSuffix? This would mean when you change the UPN to $newSuffix this would break the cert? Although I would say it may keep the cert valid provided that UPN suffix is still in the trust domain. But what if you remove the old suffix after adding the new suffix? This can possibly break the user's cert, forcing the user to re-auth perhaps?
I am a rookie so I apologize if I sounded stupid above.
Regards,
Anoop
21/07/2020
What a great question! Please don’t apologise, the only daft questions are the ones not asked 🙂 In all honesty I’m not sure. If you have user cert auto enrolment you could test it quite easily with a test user though?
15/08/2020
Hello Pete,
I am also trying to migrate one of our client to O365, so I need to change their UPN in AD.
After changing the UPN my client is facing AD account lockout issue as described here – https://community.spiceworks.com/topic/1881880-accounts-locking-after-upn-suffix-change?started_from=new_topic
Switching the UPN back to original the AD lockout stops.
I found a work around which I don’t want to follow because then users will have different Email address and Login UPN on O365 – https://community.spiceworks.com/topic/2199998-ad-account-lockouts-after-changing-upn-suffix
Could you suggest something?
Could you help?
05/11/2020
Hello. I'm having an issue where, if I configure services to use the UPN logon style, when restarting the server the service has a logon failure (Event ID 7000). Then if I go and start it manually it starts without issues. What am I missing?
26/04/2021
Hello, well written explanation, thanks. Is there a method to make AD utilize the new, alternate upn as the default for the userprincipalname when creating brand new users?
12/11/2022
Is there any possibility to check the result before applying the new UPN to AD users?
22/11/2022
You can try the command with -WhatIf, or if you're 'super paranoid' clone a DC and try it in a sandbox.
22/11/2022
We have two UPN suffixes on our domain. If we remove one of the two suffixes, will user accounts automatically switch to the default which I think should be the DNS name of the domain? Or will we have to run a script to switch each user account over?
22/11/2022
If you remove a UPN suffix the users don't 'inherit' one; they simply won't have one.
22/11/2022
Per your article then (if I understood it correctly), a blank UPN field in ADUC has no effect on a user's ability to log in?
24/11/2022
Not if they are logging in with their sAMAccountName.
02/02/2023
Domain users using SmartCard (PIV) authentication will have issues, as their UPN is passed in the certificate.
"Simply" re-enrolling the certificate on the smartcard will provide a new certificate with the updated UPN.
My setup is based on the Yubico / Yubikey tutorials, and may differ based on your certificate templates.