
I have a server (Windows Server 2012) that had Windows AD (Active Directory) installed and is used as part of an application that I maintain. Most of the time my application programmatically manages this server, adding, editing, and removing users as it sees fit. However, occasionally I want to make modifications by hand, for example I want to add a user.

Typically I use the "Active Directory Users and Computers" snap-in via MMC. However, when I attempt to create the user through this application I am presented with an interesting issue:


Windows forces me to append a suffix matching the name of my AD instance.

If I try the same thing through the "Active Directory Administrative Center" I have a similar issue:


For some reason Windows doesn't allow me to create users without this mandatory suffix. However, I don't seem to have this issue when I create users programmatically. The application that I work with depends on users not having a suffix.

How do I get around AD's requirements in the UI (add a user with a blank suffix)?

Why does AD even have this requirement in the front end, but not when adding users programmatically?

David Rogers
  • Why do you need a user without the domain suffix? – SpiderIce Sep 06 '17 at 17:55
  • The software contains users without suffixes ("Admin"), but as I look into it, it seems that the suffix doesn't affect the software for users without one. I also have users with a different suffix (Test@Test.com); it doesn't seem that I can do that via the interface either, but I think that's a separate question... – David Rogers Sep 06 '17 at 18:03
  • Correct, what you're seeing is the standard way AD works. It will only show you the suffixes that are configured in AD; it will default to the domain name. I'm not sure why an application can bypass that or pick a different one. I have seen with some software that it will show something different because it can't read the info from AD. That suffix won't normally affect anything for applications. – SpiderIce Sep 06 '17 at 18:17
  • Seems [this](https://support.office.com/en-us/article/How-to-prepare-a-non-routable-domain-such-as-local-domain-for-directory-synchronization-e7968303-c234-46c4-b8b0-b5c93c6d57a7) is how you add new non-default suffixes. Of course if you do it programmatically you don't need to add it to the trust. – David Rogers Sep 07 '17 at 21:32

1 Answer


All users in AD have a UPN suffix whether you explicitly add it or not. When you create users via code, the userPrincipalName attribute may be getting created automatically based on the domain's FQDN. But per jscott's comment below, it is actually not required.

However, the application you're working with doesn't likely require users to not have a suffix. It is likely just querying an attribute where the suffix isn't present (like sAMAccountName).

Ryan Bolger
  • The `userPrincipalName` is not a mandatory attribute of the user class. [You can create users without it](https://serverfault.com/questions/503845/does-the-userprincipalname-upn-attribute-always-exist-in-active-directory). There is no user class attribute for storing the suffix separately. – jscott Sep 06 '17 at 17:24
  • Huh. You learn something new every day, I suppose. – Ryan Bolger Sep 06 '17 at 17:32
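As an added illustration of the answer above (example commands, not from the original post or its author): the ActiveDirectory PowerShell module creates a user with no `userPrincipalName` when the parameter is simply omitted, and the same module can list accounts that lack one and register an extra UPN suffix so the GUI will offer it. The OU path, the `example.local` domain and the `Test.com` suffix are assumed values.

```powershell
Import-Module ActiveDirectory

# Create a user with only the mandatory naming attributes. No -UserPrincipalName
# is supplied, so the userPrincipalName attribute is simply absent on the object
# (the OU path is an assumed value; adjust it to your directory).
New-ADUser -Name "Admin" `
           -SamAccountName "Admin" `
           -Path "OU=ServiceAccounts,DC=example,DC=local" `
           -Enabled $false

# Confirm that the attribute really is empty on the new object.
Get-ADUser -Identity "Admin" -Properties userPrincipalName |
    Select-Object SamAccountName, UserPrincipalName

# As the answer suggests, an application that matches on sAMAccountName (which
# is always set) is unaffected by a missing UPN. Logons in user@suffix form and
# directory-sync tooling do need one, so it is worth auditing which accounts
# have no UPN at all.
Get-ADUser -LDAPFilter "(!(userPrincipalName=*))" -Properties userPrincipalName |
    Select-Object SamAccountName, DistinguishedName

# If a non-default suffix such as Test.com should be selectable in the
# snap-in, register it on the forest first; the GUI only offers suffixes
# configured here (plus the domain's own FQDN).
Get-ADForest | Set-ADForest -UPNSuffixes @{Add = "Test.com"}
```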