What is UPN - User Principal Name
What is UPN
User Principal Name (UPN) attribute in Microsoft Active Directory is userPrincipalName, and its value may be set as user's email address, though not necessarily. You can view UPN via the AttributeEditor property of a user's account in Active Directory, see below screenshot that shows Attribute name as userPrincipalName and its Value set as testuser1@DC1.example.com
Note: UPN is an attribute and its value can be set to any value. However it is commonly set as user's email address. Setting UPN as email address is good idea since email address for any user is unique value in an organization. When Smart Card is used to logon to Active Directory, the UPN value in the Certificate contained in user's Smart Card should match the user's UPN value in Active Directory.
sAMAccountName is unique in a domain, however it is not guaranteed to be unique across multiple domains in a given Forest. Hence it is possible for two users in different domains under the same Forest to have the same sAMAccountName. It is good practice to maintain unique sAMAccountName in a AD forest. However, UPN is guaranteed to be unique across a AD forest.
Active Directory is the Windows implementation of a general-purpose directory service, which uses LDAP as its primary access protocol. Active Directory stores information about a variety of objects in the network such as user accounts, computer accounts, groups, and all related credential information used by Kerberos. Active Directory is either deployed as Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS).
References
[1] Microsoft link for User Naming Attributes
[2] Enabling Smart Card Authentication with Active Directory
You can also derive the UPN from the user's Account - User logon name, in Active Directory. See below concatenation of user logon name and domain suffix - testuser1 and DC1.example.com. Concatenating these two (as shown in the screenshot below) yields testuser1@DC1.example.com which is the email address of the user. (Note in Pre-Windows 2000 the User logon name is DC\testuser1)
How to view Attribute Editor in Active Directory
You have to select Advanced Features (right click on the Domain Controller DC1.example.com on the left pane, click on View and then click Advanced Features) in order to view the Attribute editor Property. See below Advanced Features option is checked
Similarly you can view the user's sAMAccountName (via the Attribute Editor Property) - Attribute name is sAMAccountName and its Value is set as testuser1
See below screenshot showing the sAMAccoutName and its value
See below screenshot showing the sAMAccoutName and its value
The sAMAccountName of a user is derived from the user's Account, as shown below
Note: UPN is an attribute and its value can be set to any value. However it is commonly set as user's email address. Setting UPN as email address is good idea since email address for any user is unique value in an organization. When Smart Card is used to logon to Active Directory, the UPN value in the Certificate contained in user's Smart Card should match the user's UPN value in Active Directory.
sAMAccountName is unique in a domain, however it is not guaranteed to be unique across multiple domains in a given Forest. Hence it is possible for two users in different domains under the same Forest to have the same sAMAccountName. It is good practice to maintain unique sAMAccountName in a AD forest. However, UPN is guaranteed to be unique across a AD forest.
Active Directory is the Windows implementation of a general-purpose directory service, which uses LDAP as its primary access protocol. Active Directory stores information about a variety of objects in the network such as user accounts, computer accounts, groups, and all related credential information used by Kerberos. Active Directory is either deployed as Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS).
References
[1] Microsoft link for User Naming Attributes
[2] Enabling Smart Card Authentication with Active Directory
tiamulime Brenda Anderson https://wakelet.com/wake/fvZhiGPUkJ_40P1QQpxlv
ReplyDeletertherynmensio
spinirFprov-zo Sharon Cook WonderShare Recoverit
ReplyDeleteUnHackMe
Avast Premier
ligangtergder