Missing UPN for Built-in Administrator Account

Tal

May 17, 2006, 7:03:02 AM
Hello All.

Can someone figure out why the Administrator account (even for a 2003 Domain
controller) by default has no UPN ("User logon name:") defined?

Every other new user will have a UPN set up, but not the Administrator.

Why is that?


Thanks I.A
--
Tal.

Richard Mueller

May 17, 2006, 10:07:00 AM
Tal wrote:

> Can someone figure out why the Administrator account (even for a 2003
> Domain controller) by default has no UPN ("User logon name:") defined?
>
> Every other new user will have a UPN set up, but not the Administrator.
>
> Why is that?

Hi,

The userPrincipalName attribute is not mandatory. I have created many users
with no value assigned. If no value is assigned, the user can still log on
with the name in the form sAMAcco...@domain.com, where domain.com is the
DNS name of the domain (the UPN suffix). sAMAccountName is the NT name of
the user, called the "pre-Windows 2000 logon name" in ADUC. Administrator
can log on as Admini...@domain.com.

--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net


Joe Richards [MVP]

May 17, 2006, 9:46:40 PM
There is a default, it doesn't have to be populated. It is only ever populated
if someone used a tool that populated it - say like ADUC.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

Tal

May 18, 2006, 5:57:01 AM
Thanks for the answer.

When I try to convert "Domain\User" to UPN using TranslateName() API, it
fails with error 0x534. Only after I fill the "User logon name" and @domain
suffix, it works.

So I still wonder why TranslateName() can't figure out automatically the
__assumed__ UPN.

Is there a different API I can use?

Thanks I.A
--
Tal.

Richard Mueller

May 18, 2006, 3:29:54 PM
I have seen the same thing. When using NameTranslate to convert
Domain\sAMAccountName to UPN, an error is raised by the Set method if the
Domain\sAMAccountName is not found, and an error is raised by the Get method
if the corresponding UPN has no value. You could trap the error raised by
the Get method and assume the default value for UPN, which is
sAMAcco...@domain.com.

--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
Tal

May 21, 2006, 2:20:01 AM
Hello Richard.

I don't think I can assume the default UPN == sAMAcco...@domain.com
since the domain suffix for the UPN is (most of the time) different from the
Domain\sAMAccountName.

Joe Richards [MVP]

May 21, 2006, 10:24:13 AM
The default UPN of an account (the UPN that an account has if you don't set any
userPrincipalName value) is <sAMAccountName>@<DNS Name of domain user is a
member of>. So if you have a user bob in domain hello.com their default UPN
absolutely is b...@hello.com.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


Tal

May 22, 2006, 2:22:02 AM
Hello Joe.

You are right, as long as I know bob's external domain name is 'hello.com'.
But if bob's internal domain name is "hello.lan" (or "HELLO-AAA"), and the
external domain name is "hello.net", how can I figure out that "HELLO-AAA\bob"
default UPN is "b...@hello.net"?

The TranslateName API fails, do you know of a different API that can do the
same?

Thanks.
--
Tal.

Joe Richards [MVP]

May 22, 2006, 3:20:57 AM
I am not telling you how to decode what the UPN may be, I am telling you what
the default UPN actually is. Doesn't matter if translatename can figure it out
or not, that is what it is.

There is no such thing as external/internal domain name. The domain name is the
DNS domain name of the domain. So if bob is in the domain hello.lan, his default
UPN is b...@hello.lan. If bob in hello.lan has a UPN of b...@hello.net, the
userPrincipalName is populated.

I don't often use the layers above the LDAP API because you have to depend on
the stuff being done right which in this case seems not to be the case for you.
If I needed to work out the UPN of a user I would write my own function to do
it, the first thing I would do is look up the DNS name of the NetBIOS name
specified from the partitions of the forest. Then I would search the appropriate
domain for the sAMAccountName, look at the UPN, if it isn't populated then I
would use the default UPN which again is <sAMAccountName>@<domain DNS Name>

joe
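
The lookup order described in the post above, as an added example that is not part of the thread or any poster's code. It runs over constructed in-memory stand-ins for the LDAP results (the `PARTITIONS` and `USERS` data and both function names are assumptions made for illustration) and covers both cases from the discussion: an account with userPrincipalName populated and one that falls back to the default.

```python
# Constructed stand-ins for LDAP search results; the attribute names are
# real AD attributes, the values are made up for this example.
# crossRef objects from CN=Partitions,CN=Configuration,<forest root DN>:
PARTITIONS = [
    {"nCName": "DC=hello,DC=lan", "nETBIOSName": "HELLO-AAA",
     "dnsRoot": "hello.lan"},
    # Non-domain partitions carry no nETBIOSName and must never match.
    {"nCName": "CN=Configuration,DC=hello,DC=lan", "dnsRoot": "hello.lan"},
]
# User objects keyed by the naming context (nCName) they live in:
USERS = {
    "DC=hello,DC=lan": [
        {"sAMAccountName": "Administrator"},  # UPN never populated
        {"sAMAccountName": "bob", "userPrincipalName": "bob@hello.net"},
    ],
}


def find_domain(netbios, partitions):
    """Step 1: map a NetBIOS domain name to (nCName, dnsRoot)."""
    for ref in partitions:
        name = ref.get("nETBIOSName")
        if name and name.lower() == netbios.lower():
            return ref["nCName"], ref["dnsRoot"]
    raise LookupError(f"no domain partition named {netbios!r}")


def resolve_upn(nt_name, partitions=PARTITIONS, users=USERS):
    """Return (upn, explicit) for a DOMAIN\\account name.

    explicit is True when userPrincipalName is populated, False when the
    default <sAMAccountName>@<domain DNS name> was used instead.
    """
    netbios, sep, account = nt_name.partition("\\")
    if not (netbios and sep and account):
        raise ValueError(f"expected DOMAIN\\account, got {nt_name!r}")
    nc_name, dns_root = find_domain(netbios, partitions)
    # Step 2: search that domain for the sAMAccountName (case-insensitive).
    for user in users.get(nc_name, []):
        if user["sAMAccountName"].lower() == account.lower():
            upn = user.get("userPrincipalName")
            if upn:
                return upn, True
            # Step 3: attribute empty, so fall back to the default UPN.
            return f"{user['sAMAccountName']}@{dns_root}", False
    raise LookupError(f"{account!r} not found in {nc_name}")
```

Against a live directory the two loops become LDAP searches on `nETBIOSName` and `sAMAccountName`, and the values placed into those filters need RFC 4515 escaping.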
