Script Repository


Assign UPN suffix based on property of user account

April 25, 2017
2586

The script assigns a UPN suffix to a user based on the value of a certain property of the user account. For example, you can set a UPN suffix based on the department of the user specified in AD.

To add such functionality to your environment, create a Business Rule that runs the script after creating a user.

Parameters:

  • $propertyName - specifies the LDAP display name of the property on which UPN suffixes depend;
  • $upnSuffixMap - specifies a map of the property value and the corresponding UPN suffix. One suffix can be mapped to multiple values.
Edit Remove
PowerShell
$propertyName = "department" # TODO: modify me
$upnSuffixMap = @{
    "sales.domain.com" = @("Sales")
    "helpdesk.domain.com" = @("Help Desk 1", "Help Desk 2")
} # TODO: modify. Example: $upnSuffixMap = @{"<UPN Suffix>" = @("<Property Value 1>", "<Property Value 2>")}

# Get property value
try
{
    $value = $Context.TargetObject.Get($propertyName)
}
catch
{
    return # Property is empty
}

# Get UPN Suffix
$upnSuffix = $NULL
foreach ($item in $upnSuffixMap.GetEnumerator())
{
    if ($item.Value -notcontains $value)
    {
        continue
    }
    
    $upnSuffix = $item.Key
    break
}

if ([System.String]::IsNullOrEmpty($upnSuffix))
{
    $Context.LogMessage("UPN suffix is not specified for '$value'. Default UPN suffix will be used.", "Warning")
    return
}

# Get UPN
$userPrincipalName = "%userPrincipalName%"
if ([System.String]::IsNullOrEmpty($userPrincipalName))
{
    $Context.LogMessage("Cannot assign a UPN suffix because the user logon name is empty", "Warning")
    return
}

# Build new UPN
$userPrincipalName = $userPrincipalName.SubString(0, $userPrincipalName.IndexOf("@")) + "@$upnSuffix"

# Save changes
$Context.TargetObject.Put("userPrincipalName", $userPrincipalName)
$Context.TargetObject.SetInfo()


Comments ( 6 )
avatar
MG
January 23, 2020

What if I wished to only assign a different logon domain for a specific attribute (say for example CompanyB) but for all other values (CompanyA, CompanyC...CompanyZ) then a default Logon Domain should be assigned?

avatar
Support
January 23, 2020

Hello,

In this case, you need to specify a UPN suffix only for the CompanyB value of the proeprty in the $upnSuffixMap variable. In all other cases, the script will use the default suffix.

avatar
MG
January 23, 2020

Thanks. But what if I wished to use as "default" a domain that is different from the main AD domain?

say that the directory is called domain.company.com but our default domain for email is ourcompany.com and that is also available as Logon domain in AD?

avatar
Support
January 23, 2020

Hello,

In this case, you need to add a mapping for all the values expect CompanyB to the $upnSuffixMap variable with the required suffix. For example:

Edit Remove
PowerShell
$upnSuffixMap = @{
    "sales.domain.com" = @("CompanyB")
    "mycompany.domain.com" = @("CompanyA", "CompanyC", "CompanyD", "CompanyE")
}

Alternatively, you can just hardcode the requoried UPN suffix that will be used for all the values except CompanyB. If you ahve issues updating the script accordingly, we will help you.

avatar
MG
January 27, 2020

Thanks for your answer.
Then hardcoding is the best solution for us.

We only wish to assign a different UPN logon domain for specific companies, while everybody else should get the main domain we use.

How do you suggest to modify the script for such purpose?

avatar
Support
January 27, 2020

Hello,

 

Thank you for the provided details. In this case, you need to specify a mapping for all custom suffixes and property values in the $upnSuffixMap variable. The property values that should match the default UPN suffix can be omitted as it will be used by default for all the unspecified values. Finally, you should have something like the following:

Edit Remove
PowerShell
$upnSuffixMap = @{
    "companyb.domain.com" = @("CompanyB")
    "companyd.domain.com" = @("CompanyD")
    "companyf.domain.com" = @("CompanyF")
}

Leave a comment