Script Repository

Set UPN suffix based on Organizational Unit

February 22, 2021

The script sets a UPN suffix for a user based on the Organizational Unit where the user is located. It looks for a UPN suffix on the user's OU and, if none is defined there, walks up through the parent containers until it reaches the domain root. If multiple UPN suffixes are defined on a container, the first one in the list is used; if no suffix is found on any parent, the user's UPN is left unchanged.

Possible UPN suffixes are specified via the UPN-Suffixes (LDAP name: uPNSuffixes) attribute of an Organizational Unit.

You can add the script to Adaxes business rules, custom commands and scheduled tasks using the Run a program or PowerShell script action. For example, you can create a business rule that runs it immediately after creating a user. The script uses the %userPrincipalName% value reference, so the target user must already have a User Principal Name; the prefix of that UPN is kept and only the suffix is replaced.

function GetUpnSuffix ($containerDN)
{
    # Stop at the domain root: nothing above it can carry uPNSuffixes
    $dn = New-Object "Softerra.Adaxes.Ldap.DN" $containerDN
    if ($dn.ToString() -eq "%adm-DomainDN%")
    {
        return $null # The user was created in the root of the domain
    }

    # Bind to the container
    $container = $Context.BindToObjectByDN($dn)

    # Get UPN suffix from the container; GetEx throws if the attribute is not set
    try
    {
        $upnSuffixes = $container.GetEx("uPNSuffixes")
        return $upnSuffixes[0] # The first suffix in the list is used
    }
    catch
    {
        # Try getting UPN suffix from upper-level containers
        return GetUpnSuffix $dn.Parent
    }
}

# Get UPN suffix, starting from the container where the user is located
$path = New-Object "Softerra.Adaxes.Adsi.AdsPath" $Context.TargetObject.Parent
$upnSuffix = GetUpnSuffix $path.DN

if ([System.String]::IsNullOrEmpty($upnSuffix))
{
    return # No uPNSuffixes on any parent container; leave the UPN unchanged
}

# Get User Principal Name
$userPrincipalName = "%userPrincipalName%"
if ([System.String]::IsNullOrEmpty($userPrincipalName))
{
    $Context.LogMessage("Cannot assign a UPN suffix because the user does not have a User Principal Name", "Error")
    return
}

# Build new User Principal Name: keep the prefix, replace the suffix
$atIndex = $userPrincipalName.IndexOf("@")
if ($atIndex -lt 0)
{
    $prefix = $userPrincipalName # No suffix yet; use the whole value as the prefix
}
else
{
    $prefix = $userPrincipalName.Substring(0, $atIndex)
}
$userPrincipalName = $prefix + "@" + $upnSuffix.Trim("@")

# Update User Principal Name and commit the change to the directory
$Context.TargetObject.Put("userPrincipalName", $userPrincipalName)
$Context.TargetObject.SetInfo()
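For administrators who want to apply the same OU-based rule outside Adaxes, or to verify what the script above produced, here is an added example that is not part of the repository script and not Adaxes code. It uses the ActiveDirectory PowerShell module to walk from the user's OU up to the domain root looking for uPNSuffixes, and adds two checks a practitioner will want before writing: that the suffix is one the forest actually knows about (the directory does not validate this on write, and a UPN with an unregistered suffix cannot be used to log on), and that the resulting UPN is not already assigned to another account anywhere in the forest (UPNs must be unique forest-wide, and a duplicate breaks UPN logon for both accounts). The function names Resolve-OuUpnSuffix and Set-UpnFromOu are this example's own, and the parent-DN step assumes OU names contain no escaped commas.

```powershell
# Added example (not the Adaxes repository script): resolve a UPN suffix from
# the OU hierarchy with the ActiveDirectory module and apply it with checks.
# Function names (Resolve-OuUpnSuffix, Set-UpnFromOu) are this example's own.
Import-Module ActiveDirectory

function Resolve-OuUpnSuffix {
    param([Parameter(Mandatory)][string]$ContainerDN)

    $domainDN = (Get-ADDomain).DistinguishedName
    $dn = $ContainerDN
    while ($dn -and $dn -ne $domainDN) {
        $container = Get-ADObject -Identity $dn -Properties uPNSuffixes
        if ($container.uPNSuffixes.Count -gt 0) {
            # First value wins, matching the Adaxes script's behaviour
            return ([string]($container.uPNSuffixes | Select-Object -First 1)).Trim('@')
        }
        # Move one level up by dropping the first RDN (assumes no escaped commas)
        $dn = ($dn -split ',', 2)[1]
    }
    return $null  # Reached the domain root without finding a suffix
}

function Set-UpnFromOu {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName
    $ouDN = ($user.DistinguishedName -split ',', 2)[1]
    $suffix = Resolve-OuUpnSuffix -ContainerDN $ouDN
    if (-not $suffix) {
        Write-Warning "No uPNSuffixes found on $ouDN or its parents; UPN left unchanged."
        return
    }

    # AD accepts any string as a UPN suffix on write; only suffixes registered
    # in the forest (alternate suffixes plus the domains' DNS names) are usable
    # for logon, so refuse anything else.
    $forest = Get-ADForest
    $knownSuffixes = @($forest.UPNSuffixes) + @($forest.Domains)
    if ($knownSuffixes -notcontains $suffix) {
        throw "Suffix '$suffix' is not registered in the forest; check Get-ADForest UPNSuffixes/Domains."
    }

    # Keep the prefix of the existing UPN; fall back to sAMAccountName if there is none
    $prefix = if ($user.UserPrincipalName -and $user.UserPrincipalName.Contains('@')) {
        $user.UserPrincipalName.Split('@')[0]
    } else {
        $user.SamAccountName
    }
    $newUpn = "$prefix@$suffix"

    # UPNs must be unique across the forest: query a Global Catalog (port 3268)
    # rather than just the local domain.
    $gc = "$($forest.RootDomain):3268"
    $clash = Get-ADUser -Filter "userPrincipalName -eq '$newUpn'" -Server $gc |
        Where-Object { $_.DistinguishedName -ne $user.DistinguishedName }
    if ($clash) {
        throw "UPN $newUpn is already assigned to $($clash.DistinguishedName)."
    }

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Set userPrincipalName to $newUpn")) {
        Set-ADUser -Identity $user -UserPrincipalName $newUpn
    }
    return $newUpn
}

# Usage: dry run first, then apply.
# Set-UpnFromOu -SamAccountName jdoe -WhatIf
# Set-UpnFromOu -SamAccountName jdoe
```

Run it once with -WhatIf to see which suffix the OU chain resolves to and which UPN would be written; because the function declares SupportsShouldProcess, -WhatIf is passed through to Set-ADUser automatically. The forest-registration check is the one most often skipped: a suffix typed into an OU's uPNSuffixes attribute but never added under Active Directory Domains and Trusts produces accounts that look correct in the directory and cannot sign in.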
