Title: Multiple users having same UPN?
I didn't know that it had a default... I made the mistake of assuming since it showed up as not set that it didn't have a default value. So now I get to go back to the person who said they tried it and hit them for lying. That's strike two for not verifying their info and believing them. This came up as a hot item and I will make it die now. Thanks again for the useful info!
 
-Brandon


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, March 22, 2006 7:38 PM
To: [email protected]
Subject: RE: [ActiveDir] Multiple users having same UPN?

Every user has a default UPN even if there is nothing populated, it will default to the [EMAIL PROTECTED], so say you had a domain like am.company.com and a user say like bbernie1 in that domain, even though there is no UPN populated a valid UPN for the user would be [EMAIL PROTECTED].
 
If you go to something like just using the forest root like [EMAIL PROTECTED] then you definitely will have to check for uniqueness as the system will not enforce uniqueness, it will just fail for those users with the dupes.
 
I would not assume that only admins have the same IDs in the different domains, I would be quite willing to bet that you will find that you will get burned, you need to check every single ID when configuring. I have found over the years many directories that accumulate things that others say can't exist and have learned that you shouldn't assume. This is in general and for your specific case.
 
You could always use a perl script to call out to adfind to dump a list of all samaccountnames in the forest and have it hash the results incrementing the counter for each ID and then dump out the IDs with counts greater than 1. Something like
 
print "\nFindDupeSamAccounts V01.00.00pl Joe Richards ([EMAIL PROTECTED]) March 2006\n\n";
$|=1;
my $hint=10;
print "Querying directory, please hold...\n";
my @out=`adfind -t 0 -gc -b -f "&(objectcategory=person)(samaccountname=*)" -list samaccountname`;
print "Query Completed. Processing...\n";
my %myhash=();
my %mymulti=();
my $proc="\\|/-";
my $cnt=0;
foreach $thisid (@out)
 {
  chomp $thisid;
  $thisid=lc($thisid);
  $myhash{$thisid}++;
  if ($myhash{$thisid}>1) {$mymulti{$thisid}=$myhash{$thisid}};
  $cnt++;
  if (!($cnt%$hint)) {print "\r",substr($proc,($cnt/$hint)%4,1)};
 }
print "\r";
print "Processing Completed.\n";
 
my $dupecnt=0;
map {print "$mymulti{$_}\t$_\n";$dupecnt++} sort {$mymulti{$a}<=>$mymulti{$b}} keys %mymulti;
 
print "Total IDs  : $cnt\n";
print "Total Dupes: $dupecnt\n";
should work fine. I even put a handy dandy spinner in there when processing so you know it was doing something.
 
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
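
Added example, not part of the original thread and not Joe's script: a Python version of the collision check that goes one step beyond counting duplicate sAMAccountNames, by also flagging a proposed samaccountname@forest-root UPN that would collide with a UPN already set explicitly on another account. Assumptions: the tab-separated export format, the forest root suffix company.com, and every account name other than bbernie1 are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample export (hypothetical format, not adfind output):
# domain DNS name, sAMAccountName, explicit userPrincipalName (empty if unset).
SAMPLE = """\
am.company.com\tbbernie1\t
eu.company.com\tBBernie1\t
am.company.com\tadmjsmith\t
eu.company.com\tadmjsmith\t
ap.company.com\tadmjsmith\t
eu.company.com\tmlee\t
ap.company.com\tsvc_app\tmlee@company.com
"""

def parse(text):
    """Yield (domain, sam, explicit_upn) from the tab-separated export."""
    for line in text.splitlines():
        if not line.strip():
            continue
        domain, sam, upn = (line.split("\t") + ["", ""])[:3]
        yield domain.strip().lower(), sam.strip(), upn.strip()

def plan_upns(records, suffix):
    """Map each UPN (lowercased, as in Joe's script) to the accounts claiming it."""
    holders = defaultdict(list)
    for domain, sam, upn in records:
        if upn:
            # An explicit UPN is already set; it is kept as it is.
            holders[upn.lower()].append((domain, sam, "existing"))
        else:
            # Proposed value: sAMAccountName at the forest root suffix (assumed).
            holders[f"{sam}@{suffix}".lower()].append((domain, sam, "proposed"))
    return holders

def collisions(holders):
    """Return {upn: accounts} for every UPN claimed by more than one account."""
    return {u: h for u, h in sorted(holders.items()) if len(h) > 1}

if __name__ == "__main__":
    found = collisions(plan_upns(parse(SAMPLE), "company.com"))
    for upn, accounts in found.items():
        print(f"{len(accounts)}\t{upn}")
        for domain, sam, state in accounts:
            print(f"\t{state}\t{domain}\\{sam}")
```

Every UPN it reports has to be resolved by hand before the bulk update runs, since the directory will not enforce uniqueness for you.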
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
Sent: Wednesday, March 22, 2006 10:25 AM
To: [email protected]
Subject: [ActiveDir] Multiple users having same UPN?


Hello all,

I'm mulling over this one and the more I think about this the less I like it. We have a single forest / multi-domain environment and nothing has a UPN populated. Well of course some bad apple app comes along and requires UPN's so we have to address populating UPN's across the forest.

We wanted to give everyone a UPN of [EMAIL PROTECTED], I don't see this as an issue for the joe user…unless you have user ID's with the same name in different domains (btw we do not use UPN's for logons). I know that some admins meet that criteria so how do I handle that? Search a GC to ensure it doesn't exist? That would make my script suck by having to do that for 200,000 users (I'm over exaggerating because I can limit to search only if it's an admin ID). I'm going to see if it will even let you add dups programmatically…But in the meantime, I want to solicit feedback and see if there are other potential issues down the line by doing this.


-Brandon
