The larger an IT organization is, the more you struggle when you need changes in Active Directory. An action that technically takes 60 seconds to complete may take a few days if you have to comply with the customer's procedures. This is, for example, the case when you need to add a custom User Principal Name (uPN) suffix to a user. Normally you would add the suffix on domain level in Active Directory Domains and Trusts. But wait, did you know you can also change it on Organizational Unit level?
Last week I was visiting a customer. He asked me to set up a Windows Intune pilot environment with SCCM 2012 integration. “Sure, no problem”, I told him, “It will take a day, I guess.”
Everything went smoothly until the moment I was about to set up the AD Synchronization with Azure AD. The customer’s uPN suffix was mycompany.local. However, if you want to do one-way synchronization from your on-premises Active Directory to Azure AD, the uPN must be resolvable on the internet. For example: the uPN itexperience.net or microsoft.com is resolvable while mycompany.local is not.
The customer didn’t want to add a uPN suffix on domain level without preparation. Some research luckily helped me out: it’s possible to set up a custom uPN for only one Organizational Unit.
Below I’ve written down how to add a custom uPN to just one Organizational Unit. The steps are numbered and correspond to the numbers in the screenshots.
- Open Active Directory Users and Computers
- Click View (1) and tick Advanced Features (2)
- Right-click the OU you want to modify for the UPN and click Properties
- Go to the Attribute Editor tab (3), and scroll down to uPNSuffixes (4)
- Double-click uPNSuffixes (4)
- In the Multi-valued String Editor window, type your uPN suffix and click Add (5). After you’re done, click OK (6)
- Open the Properties of a user located in the OU. Click the tab Account (7)
- Note that you can now select a custom defined uPN (8)
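The same change scripted with the ActiveDirectory PowerShell module, as an added example that is not part of the original post. The OU distinguished name is a placeholder and the suffix is the post's own example domain; the last query lists every OU that carries its own suffixes, so a change like this stays visible for later review.

```powershell
# Added example, not from the original post. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Assumptions: placeholder OU and suffix; replace both with your own values.
$OuDn      = 'OU=IntunePilot,DC=mycompany,DC=local'
$NewSuffix = 'itexperience.net'

# Attribute Editor steps: add the suffix to the OU's multi-valued
# uPNSuffixes attribute, skipping the write if it is already present.
$ou = Get-ADOrganizationalUnit -Identity $OuDn -Properties uPNSuffixes
if ($ou.uPNSuffixes -notcontains $NewSuffix) {
    Set-ADOrganizationalUnit -Identity $OuDn -Add @{ uPNSuffixes = $NewSuffix }
}

# Account tab steps: preview the UPN change for users directly in the OU.
# -WhatIf only reports what would change; remove it to apply.
Get-ADUser -SearchBase $OuDn -SearchScope OneLevel -Filter * |
    Where-Object { $_.UserPrincipalName -and $_.UserPrincipalName -notlike "*@$NewSuffix" } |
    ForEach-Object {
        $newUpn = '{0}@{1}' -f ($_.UserPrincipalName -split '@')[0], $NewSuffix
        Set-ADUser -Identity $_ -UserPrincipalName $newUpn -WhatIf
    }

# Review: every OU in the domain with OU-level suffixes and when it last changed.
Get-ADOrganizationalUnit -Filter * -Properties uPNSuffixes, whenChanged |
    Where-Object { $_.uPNSuffixes } |
    Select-Object DistinguishedName,
                  @{ n = 'Suffixes'; e = { $_.uPNSuffixes -join ', ' } },
                  whenChanged
```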
As you can see, it still takes 60 seconds to add a custom uPN suffix to a user, albeit only for an Organizational Unit, not for the whole domain.
I don’t advise you to use this solution on a permanent basis. But for just a pilot it’s a great way to work around your company’s change processes.
Feel free to leave a comment if you have any questions or remarks about this post. Cheers!