Copy Mail Address to UPN

Use this script if you need to make the UPN match the email address for a single user or a batch of users when deploying a single sign-on solution (such as DirSync or ADFS for Office 365).

Active Directory
  • Thank you!
    1 Posts | Last post July 22, 2019
    • Worked great on fairly complex setup with 300 users and more than a dozen external domains.  And I like the log file showing exactly what was changed.
  • OU wise bulk UPN change as per the email addresses
    2 Posts | Last post December 11, 2017
    • Hi Aaron Guilmette
      Hope you're having a great day, thanks for the script. I have downloaded it but can't figure out how to edit and which line should be edited in the script to make it work only for the specific "OU" related users bulk UPN update.
    • Just use the -SearchBase parameter.
      For example, if the OU you want to restrict to is OU=MyUsers,DC=domain,DC=com:
      .\script.ps1 -SearchBase "OU=MyUsers,DC=domain,DC=com"
      That will capture everything underneath MyUsers and its child OUs (so, OU=SubOU1,OU=MyUsers,DC=domain,DC=com would be included).  If you want to restrict to just a single OU and prevent it from accessing child OUs, use the -SearchScope parameter:
      .\script.ps1 -SearchBase "OU=MyUsers,DC=domain,DC=com" -SearchScope OneLevel
  • Thanks for the script
    2 Posts | Last post March 27, 2017
    • Hi Aaron,
      just want to say thank you for this script. Saved me a lot of time.
    • Thank you!
  • Alternate Logon ID
    2 Posts | Last post August 02, 2014
    • Hi Aaron,
      Why don't you use this?
    • Good question. ;) But, usually for three reasons:
      1. Generally, most domain users still log in with their sAMAccountName.  Changing the UPN in this case has no effect on them, and just serves to provide a similar look and feel.
      2. Reduce incidents of duplicates and difficulty troubleshooting.  This was actually a huge issue at a recent customer. UPNs aren't checked to be unique forest-wide, so my customer ended up with a user in one domain whose UPN was (and mail address and another user in a second child domain whose UPN was but email was, matching the UPN of a user in the first domain.
      3. It's possible that the alternate attribute ADFS claims rule gets modified or removed or overwritten or lost as a part of an upgrade and then stops working.
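
The forest-wide duplicate UPN problem described in the reply above can be checked for before mail values are copied to UPNs. The PowerShell below is an added example, not part of the original script or of this thread; the function name Find-UpnCollision, the sample accounts and the gc01.example.com host are assumptions made for illustration.

```powershell
# Added example: flag UPN collisions that copying mail -> userPrincipalName would create.
function Find-UpnCollision {
    param([Parameter(Mandatory)][object[]]$User)

    # Index current UPNs. Hashtable keys are case-insensitive by default,
    # so differently cased copies of one UPN land in the same bucket.
    $upnHolders = @{}
    foreach ($u in $User) {
        if (-not $u.UserPrincipalName) { continue }
        if (-not $upnHolders.ContainsKey($u.UserPrincipalName)) {
            $upnHolders[$u.UserPrincipalName] = @()
        }
        $upnHolders[$u.UserPrincipalName] += $u.DistinguishedName
    }
    $withMail = @($User | Where-Object { $_.Mail })

    # Case 1: several accounts share one mail value and would all receive the same UPN.
    $withMail | Group-Object -Property Mail | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        [pscustomobject]@{
            ProposedUpn = $_.Name
            Reason      = 'Mail value shared by multiple accounts'
            Accounts    = $_.Group.DistinguishedName
        }
    }
    # Case 2: the mail value is already the UPN of a different account.
    foreach ($u in $withMail) {
        $others = @($upnHolders[$u.Mail] | Where-Object { $_ -and $_ -ne $u.DistinguishedName })
        if ($others.Count -gt 0) {
            [pscustomobject]@{
                ProposedUpn = $u.Mail
                Reason      = 'Mail matches the current UPN of another account'
                Accounts    = @($u.DistinguishedName) + $others
            }
        }
    }
}

# Constructed sample data (all names are placeholders). Against a live forest, build
# the same input from a global catalog so that every domain is covered, for example:
#   Get-ADUser -Filter * -Properties mail -Server 'gc01.example.com:3268'
$sample = @(
    [pscustomobject]@{ DistinguishedName = 'CN=Ann,OU=Staff,DC=example,DC=com'
        Mail = 'ann@example.com'; UserPrincipalName = 'ann@example.com' }
    [pscustomobject]@{ DistinguishedName = 'CN=Ann B,OU=Staff,DC=child,DC=example,DC=com'
        Mail = 'ann@example.com'; UserPrincipalName = 'annb@child.example.com' }
    [pscustomobject]@{ DistinguishedName = 'CN=Bob,OU=Staff,DC=child,DC=example,DC=com'
        Mail = 'bob@example.com'; UserPrincipalName = 'bob@child.example.com' }
)
Find-UpnCollision -User $sample | Format-List
```

With the sample data, both checks report ann@example.com: the two accounts share the mail value, and the child-domain account's mail equals the UPN already held in the parent domain.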