I was doing some work for a school recently. Their staff were already using Office 365 and their tenancy was all set up. Now they wanted to roll Office 365 out to the pupils, and sync to their on-premises Active Directory.
Now we could have simply excluded the staff from the Azure AD Connect sync, but they want to manage their passwords etc. on-premises. Microsoft will tell you that if you DON’T have an on-premises Exchange (they didn’t), you simply need to enter the correct email address on the user object, and the correct accounts will match up and sync. However, they did not; this happened instead:
Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [ProxyAddresses SMTP:username@domain-name.com;]. Correct or remove the duplicate values in your local directory. Please refer to http://support.microsoft.com/kb/2647098 for more information on identifying objects with duplicate attribute values.
OK, I’ve worked A LOT with Exchange and I know that ProxyAddress and Email address are related, but are not the same AD attribute. But changing that didn’t fix the problem either.
Solution
Well we are syncing on-premises Active Directory and Azure Active Directory, and we DON’T want to change anything on site. So logically wherever the ‘fix’ is, it will be in Azure. (If you only ever use the Office 365 portal then buckle up)
Within Office 365 Admin > Admin Centers > Azure Active Directory.
Welcome to Azure! > Azure Active Directory > Azure AD Connect > Connect Health.
Sync errors.
Duplicate Attribute.
Select the affected user(s) > Troubleshoot.
Double check it is the same user! (If you get this wrong all manner of carnage will unfold!) Yes > Apply Fix > Confirm.
Now wait for a directory replication, (or force one manually with PowerShell). The errors should now cease.
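To back up the ‘double check it is the same user’ step, you can confirm on-premises which object(s) actually hold the address before you apply the fix. This is an added example, not part of the original post; the address is the sample one from the error above, so swap in your own.

```powershell
Import-Module ActiveDirectory

# Assumption: sample address taken from the error text above; use your own.
$address = 'username@domain-name.com'

# proxyAddresses values carry a type prefix (SMTP: primary, smtp: secondary).
# LDAP matching on this attribute is case-insensitive, so one clause finds both.
$filter = "(|(proxyAddresses=smtp:$address)(mail=$address)(userPrincipalName=$address))"

$hits = @(Get-ADObject -LDAPFilter $filter -Properties proxyAddresses, mail, userPrincipalName)

# Show every object that claims the address, so you can see who it really is.
$hits | Select-Object Name, ObjectClass, DistinguishedName, mail, userPrincipalName,
    @{ Name = 'proxyAddresses'; Expression = { $_.proxyAddresses -join '; ' } } |
    Format-List

if ($hits.Count -ne 1) {
    Write-Warning "$($hits.Count) on-premises objects claim $address; sort that out before applying the fix."
}
```

If exactly one object comes back and it is the person you expect, that is the account the cloud user should be matched to.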
Related Articles, References, Credits, or External Links
While doing a migration I needed to update all of a client’s ‘Distribution’ groups with an additional mail domain. This is not normally a problem, as we can do that with an Email address policy. Well, yes you can, if all the groups have ‘update email addresses based on policy’ ticked (which is the default!). However, this client had done everything manually, so that wasn’t an option.
Solution
Yes there’s only three below, but this client had over a hundred, and I wasn’t going to do them one by one. List all the Groups and their policy status by running the following command;
Changing a user’s UPN suffix is easy (as long as it’s been added – see below). There is some confusion about the User Logon Name though.
A few weeks ago I had a client that needed this done (for an Office 365 migration). But they had the added problem that some of their User Logon Names had spaces in them; they were in first-name{space}last-name format.
What would happen if I changed their user logon names? Would they have to use a different logon name? Would their profile break? Or worse still, would they all lose their roaming profiles?
Solution
Adding A New UPN Suffix
Before you can add a new UPN suffix you need to make it available in the domain. Administrative Tools > Active Directory Domains and Trusts > Right Click ‘Active Directory Domains and Trusts’ > Properties > Add the new Suffix > Apply > OK.
From this point forward you can add that as a new suffix for any/all users.
The Effect of Changing a User Logon Name
Using the same user as above, I’ve changed the ‘User Logon Name’, and added the new UPN Suffix to test.
How Does Changing a User Logon Name Affect Profile and Home Drive Paths?
Put simply, it does not! To prove it I did some testing. The profile and home drive path of this user is set on the ‘profile’ tab of their user object.
It remains the same after the User Logon Name changes. When these users were set up, the profile paths and home drive paths were all set ‘en masse’, by selecting multiple users and setting the path to \\server-name\folder-name\%username%. That fills in all the ‘usernames’ with the sAMAccountName, and that has not changed.
Does the User Have to Change their Logon Name?
Confusingly, users don’t usually log on with their User Logon Name (though they can if they want to). From all the way back to NT4 we have logged on with the DOMAIN-NAME\USER-NAME format, which uses the sAMAccountName, NOT the User Logon Name. If you look at the very first picture at the top of the page you can see that below the UPN. It’s called the User name (pre-Windows 2000). You may not even have noticed, but on Windows 10 they put this right in your face on the logon screen.
What’s the Point of a UPN Then?
You can actually authenticate, and log on with your UPN, (see below)
This logs on as the user in the example above with the correct profile, group membership, etc., though it’s not common practice to log on with a UPN. Microsoft now have a very BAD HABIT of telling users (and putting in their documentation) to ‘Log on with your Email Address’. This is wrong: you are actually logging on with your UPN, and Microsoft are making the assumption that your email and UPN are the same. This is why blogs and forums are full of scripts to change your UPN so that it matches your email address. They assume (usually quite rightly) that if you tell users to log on with their UPN they will be confused and not know what that is. So rather than address this problem, they tell users to log on with their email addresses. That’s the real reason we are talking about changing UPNs, and probably why you’re here in the first place.
Some Users Don’t Have UPNs?
This is normal, don’t panic, a user does not have to have a UPN, if you are seeing blank entries that user was probably migrated via a script or tool into your AD, or simply was migrated from an older version of AD as part of a domain upgrade.
So Nothing Broke?
No, the local cached copy of the profile is still named the same as the sAMAccountName;
And the roaming profile and home drive also stayed the same;
WARNING: Just so I don’t do the same thing Microsoft did and ‘Make an Assumption’: where changing the User Logon Names would affect you is if users were already logging into their machines with their UPN. Then they would need to change their login names to the new UPN (or use the pre-Windows 2000 login name). But I’ve never seen a user log on with a UPN; the only time I’ve ever logged onto something with a UPN is when I can’t type a backslash to log on as DOMAIN\Username (I use a Mac).
Remove Spaces From User Logon Names
Seriously who does this? I don’t even like spaces in folder names! Below is a PowerShell script that will search through AD and find users with a space in the middle of their logon name and replace the login name with firstname.lastname
Note: If you have users with spaces in their GivenName or Surname attributes in AD this won’t work, i.e. if AD thinks a user’s first name is Juan Carlos, and the Surname is Rodriquez, then it would change the user logon name to ‘Juan Carlos.Rodriquez’, which is the very problem we are trying to fix! Also, the first name and surname fields in AD have to have values in them as well, or you will see red errors.
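Here is one way to do that which also copes with the two cases in the note. It is an added example, not the original script from this post; the OU path is a placeholder, and it only previews changes until you set $previewOnly to $false.

```powershell
Import-Module ActiveDirectory

# Assumptions: placeholder OU; preview mode stays on until you have read the output.
$ou          = 'OU=Staff,DC=example,DC=com'
$previewOnly = $true

$users = Get-ADUser -SearchBase $ou -Filter "UserPrincipalName -like '* *'" `
    -Properties GivenName, Surname

foreach ($user in $users) {
    $upn = $user.UserPrincipalName
    $at  = $upn.LastIndexOf('@')
    if ($at -lt 1) { Write-Warning "Skipping '$upn': no UPN suffix."; continue }

    $prefix = $upn.Substring(0, $at)
    $suffix = $upn.Substring($at + 1)
    if ($prefix -notmatch '\s') { continue }   # the space was not in the logon name

    $first = $user.GivenName
    $last  = $user.Surname

    # The two cases from the note above: a blank name field, or a name that
    # itself contains a space (e.g. 'Juan Carlos'). Leave these for manual review.
    if ([string]::IsNullOrWhiteSpace($first) -or [string]::IsNullOrWhiteSpace($last)) {
        Write-Warning "Skipping '$upn': GivenName or Surname is empty."
        continue
    }
    if ($first -match '\s' -or $last -match '\s') {
        Write-Warning "Skipping '$upn': GivenName or Surname contains a space."
        continue
    }

    # Skip if another account in this domain already holds the new UPN.
    $newUpn = '{0}.{1}@{2}' -f $first, $last, $suffix
    if (Get-ADUser -Filter { UserPrincipalName -eq $newUpn }) {
        Write-Warning "Skipping '$upn': '$newUpn' is already in use."
        continue
    }

    # sAMAccountName is left alone, so DOMAIN\username logons and profile paths are unaffected.
    Set-ADUser -Identity $user -UserPrincipalName $newUpn -WhatIf:$previewOnly
}
```

Anyone who is skipped gets a warning line, so you end up with a short list to fix by hand rather than a half-renamed directory.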
Change UPN Suffix For All Users Script
In the script below I’ve targeted a specific OU, but you can change the $ou parameter to point at the root of the domain, and do all users at once if you wish. Change the values in red to suit your domain.
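A version of that, as an added example rather than the original script from this post: the $ou, $oldSuffix and $newSuffix values are placeholders, and it checks that the new suffix has actually been added (see ‘Adding A New UPN Suffix’ above) before touching anyone.

```powershell
Import-Module ActiveDirectory

# Assumptions: placeholder OU and suffixes; change them to suit your domain.
$ou          = 'OU=Staff,DC=example,DC=com'
$oldSuffix   = 'example.local'
$newSuffix   = 'example.com'
$previewOnly = $true   # set to $false to write the changes

# The new suffix must already be available: either added in Domains and Trusts
# (UPNSuffixes) or the DNS name of a domain in the forest.
$forest = Get-ADForest
if ((@($forest.UPNSuffixes) + @($forest.Domains)) -notcontains $newSuffix) {
    throw "UPN suffix '$newSuffix' has not been added to the forest yet."
}

$users = Get-ADUser -SearchBase $ou -Filter "UserPrincipalName -like '*@$oldSuffix'"
foreach ($user in $users) {
    $upn    = $user.UserPrincipalName
    $prefix = $upn.Substring(0, $upn.LastIndexOf('@'))
    $newUpn = '{0}@{1}' -f $prefix, $newSuffix

    # Skip if another account in this domain already holds the new UPN.
    if (Get-ADUser -Filter { UserPrincipalName -eq $newUpn }) {
        Write-Warning "Skipping $($user.SamAccountName): '$newUpn' is already in use."
        continue
    }
    Set-ADUser -Identity $user -UserPrincipalName $newUpn -WhatIf:$previewOnly
}

# Users with no UPN at all are not matched above; list them so they are not missed.
Get-ADUser -SearchBase $ou -Filter "UserPrincipalName -notlike '*'" |
    Select-Object SamAccountName, DistinguishedName
```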
This was asked on Experts Exchange this morning, and so I thought I’d get it documented. There are loads of reasons why you might want to change a username, display name, and email address. It can be spelt wrong, a user has got married/divorced and changed their surname, or they have simply changed their name.
There are also some clients who don’t create a new user when a member of staff leaves. They just want to rename the old user and change the email address. The advantage of this approach is that all the group membership, and permissions will be correct for the replacement member of staff.
Solution
Step 1 Change the Username, Logon Name and Display Name.
1. On the Exchange server > Start > Run > dsa.msc {enter} > Locate the user in question > Right click and rename.
Note: You can do this on any Domain Controller but for Step 2 we will need to be on an Exchange server, or a machine with the Exchange Management tools installed.
2. As soon as you press {enter} > The rename user dialog will open, and you can change the display name, and the user logon name > OK.
Step 2 – Exchange 2000 / 2003 (Including SBS 2000 / 2003) Change the Email address.
Note: For newer versions of Exchange see below.
1. Whilst still in Active Directory Users and Computers > Right click the affected user > Properties.
4. Untick the “Automatically update email…” option > Select the NEW email address > Set As Primary > Apply > OK.
Note: It can take a while for your global address list to update, then your Outlook clients need to get the updated list, sometimes this can take a couple of days! Be patient, the changes have been made.
Step 2 – Exchange 2007 / 2010 (Including SBS 2008 / 2011) Change the Email address.
1. On your Exchange 2007/2010 Server Launch the Exchange Management Console > Recipient Configuration > Mailbox > Locate the user > Properties.
2. E-mail Addresses tab > Add > Type in the new address > OK.
3. Untick the “Automatically update email…” option > Select the NEW email address > Set As Primary > Apply > OK.
Note: It can take a while for your global address list to update, then your Outlook clients need to get the updated list, sometimes this can take a couple of days! Be patient, the changes have been made.