userPrincipalName#
The Microsoft Active Directory attribute that you typically see expressed as an email address:jwilleke@example.com
In the MMC Account Tab, this is labeled as the "User Logon Name".
The value can be used as an alternate login name within Microsoft Active Directory.
The userPrincipalName is defined in MSDN
Interesting Aspects#
- UserPrincipalName is a SINGLE-VALUE and indexed attribute that is a string that specifies the user principal name UPN of the user.
- UserPrincipalName is an Internet-style login name for the user based on the Internet standard RFC 822.
- UserPrincipalName is shorter than the distinguished name and easier to remember. By convention, this should map to the user's email name. The point of the UPN is to consolidate the email and logon namespaces so that the user need only remember a single name.
- UserPrincipalName is the preferred logon name for Windows users. Users should be using their UPNs to log on to the domain. At logon time, a UPN is validated first by searching the local domain, then the global catalog. Failure to find the UPN in the local domain or the GC results in rejection of the UPN.
- UserPrincipalName can be assigned, but is not required, when the user account is created. When assigned, the UPN is unaffected by changes to other attributes of the user object, for example, if the user is renamed or moved, or changes to the domains in the tree, for example, if a parent domain was renamed or a domain was moved. Thus, a user can keep the same login name, although the directory may be radically restructured. Be aware that the UPN can be changed administratively at any time.
- UserPrincipalName is a string attribute that can contain any string value. However, the following scheme is recommended:
- UserPrincipalName prefix (the user account name)
- UserPrincipalName suffix (a DNS domain name).
- UserPrincipalName must be unique among all Security Principal Objects within the directory forest.
- UserPrincipalName can consist of any name for the user (such as the sAMAccountName attribute of the user) and the domain tree name to which the user belongs in the following form: <name>@<tree name> (By default for the built-in user accounts and user accounts created using the Active Directory Users and Computers snap-in)
- When creating a new user object, you should check the local domain and the global catalog for the proposed name to ensure it does not already exist.!! Attribute Definition
- OID of 1.2.840.113556.1.4.656
- NAME: UserPrincipalName
- DESC:
- EQUALITY:
- ORDERING:
- SYNTAX: 1.3.6.1.4.1.1466.115.121.1.15
- SINGLE-VALUE
- USAGE UserApplications !! UserPrincipalName Format
The "<tree name>" is the domain name system (DNS) name of a domain, but is not required to be the name of the domain containing the user.
However, the "<tree name>" portion of the UserPrincipalName must be the name of a domain in the current forest or an alternate name listed in the upnSuffixes attribute of the Partitions container within the Configuration container. You can add or remove UserPrincipalName suffixes by modifying the upnSuffixes attribute (or by choosing Properties for the root node of the Active Directory Domains and Trusts and modifying the UserPrincipalName suffixes on the UserPrincipalName Suffixes tab).
Usually, the "<tree name>" is the name of the first domain in the first tree of the forest. In most cases, this domain name is the domain name registered as the enterprise domain on the Internet. The "<tree name>" is formatted by binding to the RootDSE on any domain in the forest, reading the RootDomainNamingContext attribute, and then transforming this from DC format (dc=fabrikam,dc=com) to the UserPrincipalName format (fabrikam.com) using the ADSI IADsNameTranslate interface.