I am writing a PowerShell script to automatically pull info from one database to update Active Directory, e.g. adding new users.
I am new to Active Directory and am using this useful graphic that maps UI labels to AD attributes.
I would expect the UserPrincipalName, e.g. tina.Tana@example.com, to be the unique identifier of user accounts.
But during testing, it turns out otherwise. If I do:
$status = New-QADUser -FirstName 'Tina' -LastName 'Tana' -Name 'Tina A Tana' `
-UserPrincipalName 'tina.tana@example.com' `
-ParentContainer 'OU=OU2,OU=OU2,DC=example,DC=com'
$status = New-QADUser -FirstName 'Tina' -LastName 'Tana' -Name 'Tina B Tana' `
-UserPrincipalName 'tina.tana@example.com' `
-ParentContainer 'OU=OU2,OU=OU2,DC=example,DC=com'
Both accounts will be created OK, with the only difference being the -Name field.
If I do:
$status = New-QADUser -FirstName 'Tina' -LastName 'Tana' -Name 'Tina Tana' `
-UserPrincipalName 'tina.tana-1@example.com' `
-ParentContainer 'OU=OU2,OU=OU2,DC=example,DC=com'
$status = New-QADUser -FirstName 'Tina' -LastName 'Tana' -Name 'Tina Tana' `
-UserPrincipalName 'tina.tana-2@example.com' `
-ParentContainer 'OU=OU2,OU=OU2,DC=example,DC=com'
The only difference is the -UserPrincipalName. The 2nd add-user will fail; PS says the user has already been created. I tried other combinations, but it indicates -Name must be unique; other fields do not matter.
Have I missed anything? It seems to me that people can have the same name, but when creating an account, the user principal name SHOULD be unique. (When you manually create a new user AD account using the AD Users and Computers GUI tool, if you give the same logon name (i.e. userPrincipalName) to different people, the tool will tell you that you must give a different logon name.)
So why is it different when doing it from PowerShell using Quest Add-QADUser? Why, when doing it from PowerShell, is the command executed successfully?
Puzzled!
Many thanks for your input!
Read this Microsoft KB and this MSDN library.
Active Directory itself does not enforce uniqueness of a UPN. The process that creates or modifies the UPN is responsible for checking uniqueness (this is done by querying the global catalog).
Probably New-QADUser doesn't do this check. Usually the unique identifier for a user is the samAccountName. If you don't set the UserPrincipalName, AD builds a default one: the user principal name has two parts: the UPN prefix (the user account name) and the UPN suffix (a DNS domain name). The parts are joined together by the at sign (@) symbol to make the complete UPN. For example, the user Someone who has an account in the Example domain would have a UPN of "someone@example.com".
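Since the creating process has to do the global catalog check itself, here is one way to put that check in front of New-QADUser. This is an added example, not code from the question, the answer or the Quest toolkit; it assumes the Quest snap-in is loaded on a domain-joined machine, and the forest root DN, OU and account values are placeholders taken from the question.

```powershell
function ConvertTo-LdapFilterValue {
    # Escape the RFC 4515 special characters so a value pulled from the
    # source database cannot change the meaning of the LDAP filter.
    param([Parameter(Mandatory)][string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'  { [void]$sb.Append('\5c') }
            '*'  { [void]$sb.Append('\2a') }
            '('  { [void]$sb.Append('\28') }
            ')'  { [void]$sb.Append('\29') }
            "`0" { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

function Test-UpnInUse {
    # Search the global catalog (GC://) rather than a single domain partition,
    # because a UPN must be unique across the whole forest, not just one domain.
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [string]$ForestRootDn = 'DC=example,DC=com'   # placeholder forest root
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"GC://$ForestRootDn"
    $searcher.Filter = "(userPrincipalName=$(ConvertTo-LdapFilterValue $UserPrincipalName))"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $searcher.SizeLimit = 1
    return ($null -ne $searcher.FindOne())
}

# Constructed sample values matching the question's first New-QADUser call.
$upn = 'tina.tana@example.com'
if (Test-UpnInUse -UserPrincipalName $upn) {
    Write-Warning "UPN $upn already exists in the forest; not creating a second account."
} else {
    # New-QADUser does not check the UPN itself, so the check above is what keeps it unique.
    New-QADUser -FirstName 'Tina' -LastName 'Tana' -Name 'Tina A Tana' `
        -UserPrincipalName $upn `
        -ParentContainer 'OU=OU2,OU=OU2,DC=example,DC=com'
}
```

The check and the create are two separate operations, so two copies of the script running at the same time can still produce a duplicate; a periodic report of duplicate userPrincipalName values from the global catalog is the usual safety net.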