The UPN (User Principal Name) is an Internet-style login name for the user based on the Internet standard RFC 822.
The UPN (User Principal Name) is an Internet-style login name for the user based on the Internet standard RFC 822. The UPN is shorter than the distinguished name and easier to remember. By convention, this should map to the user's email name. The point of the UPN is to consolidate the email and logon namespaces so that the user need only remember a single name.
The UPN is the preferred logon name for Windows 2000 users. Users should be using their UPNs to log on to the domain. At logon time, a UPN is validated first by searching the local domain, then the global catalog. Failure to find the UPN in the local domain or the GC results in rejection of the UPN.
The UPN can be assigned, but is not required, when the user account is created. When assigned, the UPN is unaffected by changes to other attributes of the user object, for example, if the user is renamed or moved, or changes to the domains in the tree, for example, if a parent domain was renamed or a domain was moved. Thus, a user can keep the same login name, although the directory may be radically restructured. Be aware that the UPN can be changed administratively at any time. The UPN is a string attribute that can contain any string value. However, the following scheme is recommended.
The user principal name has two parts: the UPN prefix (the user account name) and the UPN suffix (a DNS domain name). The parts are joined together by the at sign (@) symbol to make the complete UPN. For example, the user Someone who has an account in the Example domain would have a UPN of "someone@example.com".
The UPN must be unique among all security principal objects within the directory forest. By default (that is, for the built-in user accounts and user accounts created using the Active Directory Users and Computers snap-in), the UPN can consist of any name for the user (such as the sAMAccountName attribute of the user) and the domain tree name to which the user belongs in the following form: @.
The "" is the domain name system (DNS) name of a domain, but is not required to be the name of the domain containing the user. However, the "" portion of the UPN must be the name of a domain in the current forest or an alternate name listed in the upnSuffixes attribute of the Partitions container within the Configuration container. You can add or remove UPN suffixes by modifying the upnSuffixes attribute (or by choosing Properties for the root node of the Active Directory Domains and Trusts and modifying the UPN suffixes on the UPN Suffixes tab). Usually, the "" is the name of the first domain in the first tree of the forest. In most cases, this domain name is the domain name registered as the enterprise domain on the Internet. The "" is formatted by binding to the rootDSE on any domain in the forest, reading the RootDomainNamingContext attribute, and then transforming this from DC format (dc=fabrikam,dc=com) to the UPN format (fabrikam.com) using the ADSI IADsNameTranslate interface.
When creating a new user object, you should check the local domain and the global catalog for the proposed name to ensure it does not already exist.
