December 6th, 2004

How Can I Assign a New UPN to All My Users?


Hey, Scripting Guy! How can I assign a new UPN to all my users?

— CH


Hey, CH. The UPN (or User Principal Name) provides an alternate way of logging on to a domain. Typically you log on to a domain by pressing Ctrl-Alt-Delete, typing in your user name, domain name, and password, and then pressing ENTER. With a UPN, you don’t enter separate user and domain names; instead you enter a single name similar to this:

kenmyer@fabrikam.com

We won’t bother discussing the concepts behind the UPN other than to note that, among other things, it lets you log on to a computer even if your domain name doesn’t appear in the Log on to dropdown list.

So how can you change the UPN for all the users in a domain? Well, it’s a two-part process: first you need to get a list of all the users in the domain, and then you need to change the UPN for each one. Let’s start with the first step, just for the heck of it.

By far the best way to get a list of all the users in a domain is to do an Active Directory search. We’ve discussed the process behind searching Active Directory in the past, so we’ll just give you a sample script for now; if you’d like more information on searching Active Directory, you might want to take a look at the Scripting Guys’ Webcast. For now, here’s a script that returns the ADsPath for all the users in the fabrikam.com domain:

On Error Resume Next  ' run-time errors are silently skipped rather than reported

Const ADS_SCOPE_SUBTREE = 2

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

objCommand.Properties("Page Size") = 1000  ' paged results, so domains with more than 1000 users are fully returned
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

objCommand.CommandText = _
    "SELECT AdsPath FROM 'LDAP://dc=fabrikam,dc=com' WHERE objectCategory='user'"
Set objRecordSet = objCommand.Execute

objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    Wscript.Echo objRecordSet.Fields("ADsPath").Value
    objRecordSet.MoveNext
Loop

The ADsPath, of course, provides the path to the user account in Active Directory; for example, the ADsPath for user Ken Myer might look like this:

LDAP://CN=Ken Myer,OU=Finance,DC=fabrikam,DC=com

We’re retrieving the ADsPath because we need to bind to each individual user account in order to change the UPN for that account; the ADsPath provides a direct route to the account and, as we’ll see, lets us bind to an account with a single line of code, without any string manipulation.

So what happens after we bind to a user account? Well, we need to do two things at that point: we need to assign the user a new UPN, and then we need to call the SetInfo method, which actually writes the new UPN to the Active Directory user account. In pseudo-code, the process looks like this:

objUser.userPrincipalName = New UPN we’re assigning the user
objUser.SetInfo

In real code, the process of retrieving all the user accounts in Active Directory, binding to each one individually, and then assigning each account a new UPN looks like this:

On Error Resume Next  ' a failed bind or SetInfo is silently skipped; no account is reported as failed
Const ADS_SCOPE_SUBTREE = 2

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000  ' paged results, so more than 1000 users are returned
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

objCommand.CommandText = _
    "SELECT AdsPath,samAccountName,userPrincipalName FROM " & _
    "'LDAP://dc=fabrikam,dc=com' WHERE objectCategory='user'"
Set objRecordSet = objCommand.Execute

objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    strUser = objRecordSet.Fields("ADsPath").Value
    strNewUPN = objRecordSet.Fields("samAccountName").Value & "@" & "contoso.com"
    Set objUser = GetObject(strUser)   ' bind to the account by its ADsPath
    objUser.userPrincipalName = strNewUPN
    objUser.SetInfo                    ' write the new UPN to Active Directory
    objRecordSet.MoveNext
Loop

After we retrieve the collection of user accounts, all the excitement takes place inside the Do Until loop. Inside that loop, we begin by assigning the ADsPath for the first user to the variable strUser. Next, we construct a new UPN for the user. Typically, UPNs are composed of the user’s logon name (samAccountName) followed by the domain name. Because CH’s question was about changing existing UPNs, we’ll do something a little different here. We’ll pretend that your company has merged with another organization, and now you want users to use the new name (contoso.com) in their UPN. For example:

kenmyer@contoso.com

Therefore, we’re going to construct a new UPN that consists of the samAccountName, the @ sign, and contoso.com, and then stash that new UPN in a variable named strNewUPN. That’s what this line of code does:

strNewUPN = objRecordSet.Fields("samAccountName").Value & "@" & "contoso.com"

So far so good. Next, we bind to the individual user account and assign the new UPN to the user. All of that gets accomplished with just two lines of code:

Set objUser = GetObject(strUser)
objUser.userPrincipalName = strNewUPN

We call SetInfo, and just like that our first user has a new UPN. We then loop around and assign a new UPN to the next user in the collection. This process continues automatically until all of our users have a brand-new UPN.
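The script above rewrites every row the query returns and, thanks to On Error Resume Next, never says which writes failed. As an added example (not the column’s script, and not code from the Scripting Guys), here is a dry-run planner in Python that applies the checks an administrator would want before the SetInfo loop runs: the new suffix must be registered in the forest, rows without a samAccountName get no UPN, and the new UPN must not collide with one already in use. The Account class, the sample rows, the suffix list and the UPNs in use elsewhere are all constructed for the example.

```python
"""Dry-run planner for the bulk UPN change described above (added example,
not the column's script). It models the rows the column's ADO query returns
and decides which accounts should get samAccountName@<new suffix>, instead of
rewriting every row blindly. Sample data is constructed; no directory is used."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    ads_path: str                    # LDAP://CN=...,DC=fabrikam,DC=com
    sam_account_name: Optional[str]  # None for non-user objects the query also returns
    upn: Optional[str]               # current userPrincipalName, if any


def plan_upn_change(accounts, new_suffix, registered_suffixes, upns_in_use_elsewhere=()):
    """Return (changes, skipped): ADsPath -> new UPN to write, ADsPath -> reason not to.
    Checks the column's script does not make: the suffix must be a registered forest
    UPN suffix (or logon with the new name fails); rows without a samAccountName (e.g.
    contacts, which also match objectCategory=user) are not given "@suffix"; and the
    new UPN must not collide with one already in use elsewhere in the forest."""
    if new_suffix.lower() not in {s.lower() for s in registered_suffixes}:
        raise ValueError(f"UPN suffix {new_suffix!r} is not registered in the forest")
    changes, skipped = {}, {}
    taken = {u.lower(): "an account in another domain" for u in upns_in_use_elsewhere}
    for acct in accounts:
        if not acct.sam_account_name:
            skipped[acct.ads_path] = "no samAccountName"
            continue
        new_upn = f"{acct.sam_account_name}@{new_suffix}"
        key = new_upn.lower()                      # UPNs compare case-insensitively
        if (acct.upn or "").lower() == key:
            skipped[acct.ads_path] = "already has the new UPN"
        elif key in taken:
            skipped[acct.ads_path] = f"{new_upn} already belongs to {taken[key]}"
        else:
            changes[acct.ads_path] = new_upn
        taken.setdefault(key, acct.ads_path)
    return changes, skipped


# Constructed sample rows, shaped like the column's SELECT AdsPath,samAccountName,userPrincipalName.
SAMPLE_ACCOUNTS = [
    Account("LDAP://CN=Ken Myer,OU=Finance,DC=fabrikam,DC=com", "kenmyer", "kenmyer@fabrikam.com"),
    Account("LDAP://CN=Pilar Ackerman,OU=HR,DC=fabrikam,DC=com", "pilara", "pilara@contoso.com"),
    Account("LDAP://CN=Jonathan Haas,OU=IT,DC=fabrikam,DC=com", "jhaas", None),
    Account("LDAP://CN=Vendor Contact,OU=Contacts,DC=fabrikam,DC=com", None, None),
]
FOREST_UPN_SUFFIXES = ["fabrikam.com", "contoso.com"]   # constructed forest suffix list
UPNS_IN_USE_ELSEWHERE = ["JHaas@contoso.com"]           # same logon name in a sister domain

if __name__ == "__main__":
    print(*plan_upn_change(SAMPLE_ACCOUNTS, "contoso.com", FOREST_UPN_SUFFIXES, UPNS_IN_USE_ELSEWHERE), sep="\n")
```

Only the accounts in the returned changes dictionary would then be bound and written; the skipped dictionary is the report the VBScript never produces.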

We don’t know how often you’ll need to change the UPN for all the users in a domain, but the basic idea behind this script can be used for lots of other purposes as well. For example, you might want to change the company name for all your users, or you might want to require all your users to change their password the next time they log on. The script we’ve shown you today can easily be modified to carry out any kind of task that involves modifying all the user accounts in a domain.
