For a variety of reasons a significant number of our Windows PCs are not joined to our Windows 2012 R2 Active Directory domain. We are in the process of rectifying this, and are joining PCs on a per-office basis.
A number of our staff now have Windows 8.1 PCs and when they were purchased, they dutifully followed Microsoft's insistence to create a Microsoft Live account that is associated with the PC. Usernames are in the form of a UPN, which for the purposes of this question I shall treat as being Microsoft's demonstration domain, so [email protected]. These PCs have been configured by our remote staff in good faith; it's only now that I'm in a position to bring them on to our domain.
Unsurprisingly, the UPN that our staff chose coincides with the real one that we give them for our domain, so users log on to the PC using their email address (UPN) and then log on to central services also using the same account name. (This is not SSO because there is no trust relationship between Microsoft Live and our domain.)
I can join the PCs to the CONTOSO domain easily enough, and everywhere else the UPN works. I've also got a GPO ready to roll that will persuade these Windows PCs to default an unqualified username to sign on to our domain rather than to Microsoft Live. However, it seems that the way Windows 8.1 differentiates between a true local account, a Microsoft Live linked account and domain account is that the local account uses an unqualified name, the Live account uses a UPN, and the domain account is pushed backwards into using DOMAIN\Username style. We moved away from the CONTOSO\Username form a year or so ago as part of our parallel migration of email services to Office 365, and I'd prefer to continue having users sign in everywhere with a UPN.
I know I can migrate a user's local profile to a domain profile using something like the Forensit user profile migration wizard, so that deals with the data.
However, is there any sane way of migrating the UPN form of login on these PCs away from Microsoft Live and to our domain? I really don't want to have some people able to log in with a UPN but others having to remember to use the old DOMAIN\Username format.
It turns out that the solution is simple - in principle if not in practice.
The process cannot be actioned via PowerShell or a GPO. It requires that the user in question logs in to the PC with their Microsoft Live account (i.e. UPN style login, such as [email protected]).
Once this disconnection has been achieved and the PC restarted, the UPN style login is associated with the domain once more.
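The disconnect itself is interactive, but an administrator can still script the before/after check. The following is an added example, not code from the question or the answer above: it lists which local accounts on a PC are still linked to a Microsoft account (so they still need the manual disconnect) and confirms, after the domain join and a fresh sign-in, that the current session token carries the domain UPN. It assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / PowerShell 5.1); on a Windows 8.1 PC without that module it falls back to Win32_UserAccount, which cannot distinguish a Microsoft-account-linked local account from a plain local one. `Get-SignInInventory` is a helper name chosen here, not a built-in cmdlet.

```powershell
# Added example: inventory local sign-ins on a PC before/after joining it to the domain.
# Assumption: Get-LocalUser (Microsoft.PowerShell.LocalAccounts) is available; if not,
# fall back to Win32_UserAccount, which only reports "local" vs "domain".

function Get-SignInInventory {
    if (Get-Command Get-LocalUser -ErrorAction SilentlyContinue) {
        # PrincipalSource is Local, MicrosoftAccount, ActiveDirectory or AzureAD
        Get-LocalUser | ForEach-Object {
            [pscustomobject]@{
                Name      = $_.Name
                Source    = [string]$_.PrincipalSource
                Enabled   = $_.Enabled
                LastLogon = $_.LastLogon
            }
        }
    }
    else {
        # Windows 8.1 fallback: a linked Microsoft account still shows as a local account here
        Get-CimInstance Win32_UserAccount -Filter "LocalAccount = TRUE" | ForEach-Object {
            [pscustomobject]@{
                Name      = $_.Name
                Source    = 'Local (Microsoft account link not detectable via WMI)'
                Enabled   = -not $_.Disabled
                LastLogon = $null
            }
        }
    }
}

# 1. Before the join: accounts still tied to Microsoft Live need the interactive disconnect
Get-SignInInventory |
    Where-Object { $_.Source -eq 'MicrosoftAccount' } |
    Format-Table -AutoSize

# 2. After the join and a sign-in with the domain UPN: the token should be a domain account.
#    whoami /upn prints the UPN only for a domain account; for a local or Microsoft
#    account it reports that no UPN is available, which is the sign the migration is not done.
whoami /upn
whoami /fqdn
```

Run the inventory in an elevated PowerShell on each PC being joined; the second block is meant to be run as the migrated user after the restart the answer mentions, since it inspects that user's own logon token.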