{"id":70873,"date":"2004-12-06T16:40:00","date_gmt":"2004-12-06T16:40:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2004\/12\/06\/how-can-i-assign-a-new-upn-to-all-my-users\/"},"modified":"2004-12-06T16:40:00","modified_gmt":"2004-12-06T16:40:00","slug":"how-can-i-assign-a-new-upn-to-all-my-users","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/how-can-i-assign-a-new-upn-to-all-my-users\/","title":{"rendered":"How Can I Assign a New UPN to All My Users?"},"content":{"rendered":"<p><IMG class=\"nearGraphic\" title=\"Hey, Scripting Guy! Question\" height=\"34\" alt=\"Hey, Scripting Guy! Question\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/q-for-powertip.jpg\" width=\"34\" align=\"left\" border=\"0\"> \n<P>Hey, Scripting Guy! How can I assign a new UPN to all my users?<BR><BR>&#8212; CH<\/P><IMG height=\"5\" alt=\"Spacer\" src=\"https:\/\/devblogs.microsoft.com\/scripting\/wp-content\/uploads\/sites\/29\/2019\/05\/spacer.gif\" width=\"5\" border=\"0\"><IMG class=\"nearGraphic\" title=\"Hey, Scripting Guy! Answer\" height=\"34\" alt=\"Hey, Scripting Guy! Answer\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/a-for-powertip.jpg\" width=\"34\" align=\"left\" border=\"0\"><A href=\"http:\/\/go.microsoft.com\/fwlink\/?linkid=68779&amp;clcid=0x409\"><IMG class=\"farGraphic\" title=\"Script Center\" height=\"288\" alt=\"Script Center\" src=\"http:\/\/img.microsoft.com\/library\/media\/1033\/technet\/images\/scriptcenter\/ad.jpg\" width=\"120\" align=\"right\" border=\"0\"><\/A> \n<P>Hey, CH. The UPN (or User Principal Name) provides an alternate way of logging on to a domain. Typically you log onto a domain by pressing Ctrl-Alt-Delete, typing in your user name, domain name, and password, and then pressing ENTER. 
With a UPN, you don\u2019t enter separate user and domain names; instead, you enter a user name similar to this:<\/P><PRE class=\"codeSample\">kenmyer@fabrikam.com\n<\/PRE>\n<P>We won\u2019t bother discussing the concepts behind the UPN other than to note that, among other things, it lets you log on to a computer even if your domain name doesn\u2019t appear in the <B>Log on to<\/B> dropdown list.<\/P>\n<P>So how can you change the UPN for all the users in a domain? Well, it\u2019s a two-part process: first you need to get a list of all the users in the domain, and then you need to change the UPN for each one. Let\u2019s start with the first step, just for the heck of it.<\/P>\n<P>By far the best way to get a list of all the users in a domain is to do an Active Directory search. We\u2019ve discussed the process behind searching Active Directory in the past, so we\u2019ll just give you a sample script for now; if you\u2019d like more information on searching Active Directory, you might want to take a look at the <B>Scripting Guys\u2019 Webcast<\/B>. 
For now, here\u2019s a script that returns the ADsPath for all the users in the fabrikam.com domain:<\/P><PRE class=\"codeSample\">On Error Resume Next\n\n' Search the base container and everything below it\nConst ADS_SCOPE_SUBTREE = 2\n\n' Open an ADO connection through the ADSI provider\nSet objConnection = CreateObject(&quot;ADODB.Connection&quot;)\nSet objCommand =   CreateObject(&quot;ADODB.Command&quot;)\nobjConnection.Provider = &quot;ADsDSOObject&quot;\nobjConnection.Open &quot;Active Directory Provider&quot;\nSet objCommand.ActiveConnection = objConnection\n\n' Page the results so that more than 1000 accounts can be returned\nobjCommand.Properties(&quot;Page Size&quot;) = 1000\nobjCommand.Properties(&quot;Searchscope&quot;) = ADS_SCOPE_SUBTREE\n\nobjCommand.CommandText = _\n    &quot;SELECT ADsPath FROM 'LDAP:\/\/dc=fabrikam,dc=com' WHERE objectCategory='user'&quot;\nSet objRecordSet = objCommand.Execute\n\n' Echo the ADsPath of each account returned by the search\nobjRecordSet.MoveFirst\nDo Until objRecordSet.EOF\n    Wscript.Echo objRecordSet.Fields(&quot;ADsPath&quot;).Value\n    objRecordSet.MoveNext\nLoop\n<\/PRE>\n<P>The ADsPath, of course, provides the path to the user account in Active Directory; for example, the ADsPath for user Ken Myer might look like this:<\/P><PRE class=\"codeSample\">LDAP:\/\/CN=Ken Myer,OU=Finance,DC=fabrikam,DC=com\n<\/PRE>\n<P>We\u2019re retrieving the ADsPath because we need to bind to each individual user account in order to change the UPN for that account; ADsPath provides a direct route to the account, and &#8211; as we\u2019ll see &#8211; enables us to bind to an account using a single line of code, and without any fancy string manipulation of any kind.<\/P>\n<P>So what happens after we bind to a user account? Well, we need to do two things at that point: we need to assign the user a new UPN, and then we need to call the <B>SetInfo<\/B> method, which actually writes the new UPN to the Active Directory user account. 
In pseudo-code, the process looks like this:<\/P><PRE class=\"codeSample\">objUser.userPrincipalName = New UPN we\u2019re assigning the user\nobjUser.SetInfo\n<\/PRE>\n<P>In real code, the process of retrieving all the user accounts in Active Directory, binding to each one individually, and then assigning each account a new UPN looks like <I>this<\/I>:<\/P><PRE class=\"codeSample\">' Errors (for example, a failed SetInfo) are ignored and the script continues\nOn Error Resume Next\n\nConst ADS_SCOPE_SUBTREE = 2\n\nSet objConnection = CreateObject(&quot;ADODB.Connection&quot;)\nSet objCommand =   CreateObject(&quot;ADODB.Command&quot;)\nobjConnection.Provider = &quot;ADsDSOObject&quot;\nobjConnection.Open &quot;Active Directory Provider&quot;\nSet objCommand.ActiveConnection = objConnection\n\nobjCommand.Properties(&quot;Page Size&quot;) = 1000\nobjCommand.Properties(&quot;Searchscope&quot;) = ADS_SCOPE_SUBTREE\n\nobjCommand.CommandText = _\n    &quot;SELECT ADsPath,samAccountName,userPrincipalName FROM &quot; &amp; _\n        &quot;'LDAP:\/\/dc=fabrikam,dc=com' WHERE objectCategory='user'&quot;\nSet objRecordSet = objCommand.Execute\n\nobjRecordSet.MoveFirst\nDo Until objRecordSet.EOF\n    ' Build the new UPN from the logon name and the new domain suffix\n    strUser = objRecordSet.Fields(&quot;ADsPath&quot;).Value\n    strNewUPN = objRecordSet.Fields(&quot;samAccountName&quot;).Value &amp; &quot;@&quot; &amp; &quot;contoso.com&quot;\n    ' Bind to the account, set the attribute, and write it to Active Directory\n    Set objUser =  GetObject(strUser)\n    objUser.userPrincipalName = strNewUPN\n    objUser.SetInfo\n    objRecordSet.MoveNext\nLoop\n<\/PRE>\n<P>After we retrieve the collection of user accounts, all the excitement takes place inside the Do Until loop. Inside that loop, we begin by assigning the ADsPath for user 1 to the variable strUser. Next, we construct a new UPN for the user. Typically, UPNs are composed of the user\u2019s logon name (samAccountName) followed by the domain name. Because CH\u2019s question was about changing existing UPNs, we\u2019ll do something a little different here. 
We\u2019ll pretend that your company has merged with another organization, and now you want users to use the new name (contoso.com) in their UPN. For example:<\/P><PRE class=\"codeSample\">kenmyer@contoso.com\n<\/PRE>\n<P>Therefore, we\u2019re going to construct a new UPN that consists of the <B>samAccountName<\/B>, the <B>@<\/B> sign, and <B>contoso.com<\/B>, and then stash that new UPN in a variable named strNewUPN. That\u2019s what this line of code does:<\/P><PRE class=\"codeSample\">strNewUPN = objRecordSet.Fields(&quot;samAccountName&quot;).Value &amp; &quot;@&quot; &amp; &quot;contoso.com&quot;\n<\/PRE>\n<P>So far so good. Next, we bind to the individual user account and assign the new UPN to the user. All of that gets accomplished with just two lines of code:<\/P><PRE class=\"codeSample\">Set objUser =  GetObject(strUser)\nobjUser.userPrincipalName = strNewUPN\n<\/PRE>\n<P>We call SetInfo, and just like that our first user has a new UPN. We then loop around and assign a new UPN to the next user in the collection. This process continues automatically until all of our users have a brand-new UPN.<\/P>\n<P>We don\u2019t know how often you\u2019ll need to change the UPN for all the users in a domain, but the basic idea behind this script can be used for lots of other purposes as well. For example, you might want to change the company name for all your users, or you might want to require all your users to change their password the next time they log on. The script we\u2019ve shown you today can easily be modified to carry out any kind of task that involves modifying all the user accounts in a domain.<\/P><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hey, Scripting Guy! How can I assign a new UPN to all my users?&#8212; CH Hey, CH. The UPN (or User Principal Name) provides an alternate way of logging on to a domain. 
Typically you log onto a domain by pressing Ctrl-Alt-Delete, typing in your user name, domain name, and password, and then pressing ENTER. [&hellip;]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[7,3,198,5],"class_list":["post-70873","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-active-directory","tag-scripting-guy","tag-users","tag-vbscript"],"acf":[],"blog_post_summary":"<p>Hey, Scripting Guy! How can I assign a new UPN to all my users?&#8212; CH Hey, CH. The UPN (or User Principal Name) provides an alternate way of logging on to a domain. Typically you log onto a domain by pressing Ctrl-Alt-Delete, typing in your user name, domain name, and password, and then pressing ENTER. [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/70873","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=70873"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/70873\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=70873"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/c
ategories?post=70873"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=70873"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}