Set Default UPN Suffix for Creating New Users in Active Directory

This can't be done as far as I know (Evan's answer is still true 4 years later).

That said, I've written a script that runs in task scheduler every few hours at more than one client. It searches for a specific suffix (the default in most cases) and switches it to another. The script is on my blog but I'll post it here as well :)

Import-Module ActiveDirectory


Get-ADUser -Filter {UserPrincipalName -like "*@ad.example.com"} -SearchBase "OU=SomeUserOu,DC=ad,DC=example,DC=com" |
ForEach-Object {
    $UPN = $_.UserPrincipalName.Replace("ad.example.com","example.com")
    Set-ADUser $_ -UserPrincipalName $UPN
}

In this case, users created with an ad.example.com UPN suffix will be updated with example.com suffix.

There is no documented mechanism that I am aware of to change the default UPN suffix that gets chosen by Active Directory Users and Computers. I believe that the tool is hard-wired to take the first portion of the "canonicalName" attribute defined on the "crossRef" object for the domain specified in "CN=Partitions,CN=Configuration, ..." in your forest.

AD Users and Computers just happens to be hard-wired to do this. If you create user accounts using other means ("NET USER ... /add", for example) then no userPrincipalName attribute will be assigned to the account. The default UPN suffix is really just a default in AD Users and Computers, not a default of the directory service itself.

Should you run into the Microsoft KB article with a script in it that shows you how to programmatically obtain the default UPN suffix (http://support.microsoft.com/default.aspx?scid=kb;en-us;Q269441), beware that the script has a couple of syntax errors in it (lines 17 and 32 are malformed and srrNamingContext on line 32 should be strNamingContext). I'll include a fixed version with a minor improvement at the end of this post (it shows you the names of individual OUs where additional UPN suffixes might be defined).

I'd love to be corrected by somebody more "in the know" than me, but I'm not seeing any way to get AD Users and Computers to act differently.

' --- Get the naming contexts ----
Set RootDSE = GetObject("LDAP://RootDSE")
strNamingContext = RootDSE.Get("defaultNamingContext")
strConfigContext = RootDSE.Get("configurationNamingContext")

' -- Get the current domain name --
Set oDomain = GetObject("LDAP://" + strNamingContext)
strDomainName = oDomain.Get("name")

Set oPartition = GetObject("LDAP://CN=Partitions," & strConfigContext)

'-- Get the DNS name of the domain --
oDomain.GetInfoEx Array("canonicalName"), 0
strCanonical = oDomain.Get("canonicalName")
strDNSName = Left(strCanonical, Len(strCanonical) - 1) 'clip off "/"

'-- Display the default UPN suffix
wscript.echo strDNSName

'-- Get the defined upnSuffixes --
suffixes = oPartition.GetEx("UPNSuffixes")
For Each upnSuffix In suffixes
  wscript.echo upnSuffix
Next
Set RootDSE = Nothing
Set oDomain =Nothing
Set oPartition = Nothing

' -- Get the upnsuffixes defined on organizational units --
Set ADOconn = CreateObject("ADODB.Connection")
Set ADOcom = CreateObject("ADODB.Command")

ADOconn.Provider = "ADsDSOObject"
bstrADOQueryString = "<LDAP://" + strNamingContext + ">;(objectcategory=organizationalUnit);upnsuffixes,ADsPath;subtree"
wscript.echo bstrADOQueryString 
ADOconn.Open
ADOcom.ActiveConnection = ADOconn

ADOcom.CommandText = bstrADOQueryString
ADOcom.Properties("Page Size") = 99

Set objRS = ADOcom.Execute

While Not objRS.EOF
   If Not IsNull(objRS.Fields("upnSuffixes")) Then
    upnsuffixes = objRS.Fields("upnSuffixes")
    For Each upnsuffix In upnsuffixes
        wscript.echo objRS.Fields("adsPath") & " - Suffix: " & upnsuffix
    Next
   End If

   objRS.MoveNext
Wend

Set objRS = Nothing
Set ADOcom = Nothing
Set ADOconn = Nothing

You can set the allowed UPN Suffixes, by going into ADSIEDIT.MSC, plug down to the OU Structure, right click the OU (in the default configuration), and edit the OU Attributes. The OU Attribute to edit is UPNSuffixes. This does not affect however, the default UPN assigned to a user created within that OU. Add the desired UPN Suffix to this list. Next, create a template user to Copy. Right click the OU, create a new user to use as a template, assign the correct UPN Suffix, and then right click the user once created and disable account. To create a new user, right click the template user and copy .. fill out the selected fields, and the new user will be created with the proper UPN. Create multiple template users for the different UPNS. Or, if in doubt, switch to powershell.

Actually, you can run in the Active Directory Module for Powershell: Set-ADOrganizationalUnit "OU=XXX,DC=Domain,DC=com" -Add @{upnsuffixes="@UPNSuffix.com".

Or you could use a "Get-adorganizationalUnit" with a -Filter switch and pipe that to a 'Set-ADOrganizationalUnit -Add @{upnsuffixes="@UPNSuffix.com"'

I found this after looking for quite a while, so I hope this helps anyone.

This technet article describes how to add or remove UPN suffixes in your domain:

http://technet.microsoft.com/en-us/library/cc756018(WS.10).aspx

There's also a discussion of it here:

http://technet.microsoft.com/en-us/library/cc739093(WS.10).aspx

I can't vouch for it personally as I've never had to do this, but one thing does spring to mind. If you're going to do this you'll need to bear in mind that while AD will work correctly, the same might not be the case for any 3rd party software you have, which may assume that the UPN suffix is always the standard one. Consider the consequences carefully before making the change, in other words.