
I have 1275 UPN suffixes in the AD. This is the maximum allowed in Windows Server 2012.

# Bind to the current domain and read its distinguished name
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain();
$domaindn = ($domain.GetDirectoryEntry()).distinguishedName;
# The Partitions container in the Configuration partition holds the forest-wide
# uPNSuffixes attribute (the list shown in AD Domains and Trusts)
$upnDN = "cn=partitions,cn=configuration,$domaindn";

When I create a user using the ADAC interface, I cannot select a UPN with a UPN suffix that is not listed in the ADDT UPN suffixes.

I can, however, create a user using PowerShell with any UPN suffix.

# Target container for the new account and the e-mail-style login used as the UPN
$userDN = "cn=Users,$domaindn";
$userLogin = "user@foobar.com";
# Create the user; the UPN suffix (foobar.com) is not in the forest uPNSuffixes list.
# Note: sAMAccountName is limited to 20 characters, so a long e-mail address would fail here.
New-ADUser -AccountPassword (Read-Host -AsSecureString "Insert $userLogin Account Password") -DisplayName "" -EmailAddress $userLogin -Enabled $true -Name $userLogin -Path $userDN -PasswordNeverExpires $true -SAMAccountName $userLogin -UserPrincipalName $userLogin

This does not add the UPN suffix to the AD trusted list. As far as I have tested, the user works fine.

  • What are the ill effects that might come from having a user created with a UPN whose UPN suffix is not listed in the AD trusted UPN suffix list?
Sandokas
  • 143
  • 6
  • 2
    You have **one thousand two hundred and seventy five** UPN suffixes in your environment? Can you explain why? I'm very curious. – MDMarra Jan 24 '14 at 14:15
  • Cutting a long story short, the applications use the Active Directory to store the users' credentials in an email format. All clients have to register with a valid client company email. This email is used as the UPN. – Sandokas Jan 24 '14 at 14:19

1 Answer


As far as I know, the "trusted UPN list" is just what populates the dialog box when creating a new user. There are no problems with users created using any UPN via PowerShell or another API.

As far as I can remember from my days with HMC/MPS, any custom UPN (each customer would have one or multiple unique UPNs) was never added to the "UPN list", which should go to show that creating users with "non-trusted" UPNs is supported.

Trondh
  • 4,201
  • 24
  • 27
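Since the trusted list only feeds the management UIs, the practical risk is drift: accounts created through scripts or APIs carry suffixes nobody registered, and nobody can see that from AD Domains and Trusts. The following audit script is an added example, not code from the question or the answer. It reads the same Partitions container the question refers to, adds the forest domain names (which are always valid suffixes), and lists every user whose UPN suffix is in neither set. It assumes the ActiveDirectory PowerShell module and read access to the Configuration partition; `Get-ADForest` also exposes the same list as its `UPNSuffixes` property if you prefer not to bind to the container directly.

```powershell
# Added example (not from the question or answer): audit which users carry a UPN
# suffix that is neither registered in the forest uPNSuffixes attribute nor the
# DNS name of a forest domain.
Import-Module ActiveDirectory

# The forest-wide "trusted" suffixes live on cn=Partitions,cn=Configuration,<forest root>
# in the multi-valued uPNSuffixes attribute (the object the question calls $upnDN).
$rootDse   = Get-ADRootDSE
$partition = Get-ADObject -Identity ("CN=Partitions," + $rootDse.configurationNamingContext) -Properties uPNSuffixes

# Every domain DNS name in the forest is an implicit, always-valid suffix.
$forest = Get-ADForest
$knownSuffixes = @($forest.Domains) + @($partition.uPNSuffixes) |
    Where-Object { $_ } |
    ForEach-Object { $_.ToLowerInvariant() } |
    Sort-Object -Unique

# Walk all users that have a UPN and split off the suffix after the last '@'.
$unregistered = Get-ADUser -Filter 'userPrincipalName -like "*"' -Properties userPrincipalName |
    ForEach-Object {
        $upn    = $_.userPrincipalName
        $suffix = $upn.Substring($upn.LastIndexOf('@') + 1).ToLowerInvariant()
        if ($knownSuffixes -notcontains $suffix) {
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                UserPrincipalName = $upn
                Suffix            = $suffix
            }
        }
    }

"{0} registered suffix(es); {1} user(s) with an unregistered suffix" -f $knownSuffixes.Count, @($unregistered).Count
$unregistered | Sort-Object Suffix, SamAccountName | Format-Table -AutoSize
```

Run it from any domain-joined host with the RSAT tools; the output groups the unregistered suffixes so that an environment like the one in the question (one suffix per customer company) can be reconciled against the registered list, and suffixes that should be visible in the UI can be added through AD Domains and Trusts rather than being left as an undocumented side effect of the provisioning script.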