Windows 10: Create new UPN suffix for non domain users

I have created a PowerShell script to create new users in Windows 2022 AD. The user running the script is not included in any privileged groups - but has delegated rights to one organization unit. The active directory holds multiple customers - and each customer needs a specific UPN suffix.My problem is to create a new UPN in the forest for a user without special permissions - and I can't find a solution for this without giving the user to much access. Anyone have a solution?

:)

 

We can't sign you in with this credential because your domain isn't available.

I am getting this error message while changing password of my domain account. I have alternate UPN suffixes in my AD DS, i.e. contoso.com.np as Primary domain name and contoso.com as alternate UPN suffix. Please suggest the solution for this error.

 

ADMT 3.2 User Migration issue

Hi,

I am using ADMT 3.2 inter-domain user Migration with in the forest.

After the migration below issues are occurring:

1. UPN suffix is getting changed- I know this is common but its not setting it to the destination domain suffix instead using one of my email domain suffix which i have manually added in UPN suffixes under Domains and Trusts.

2. "user must change password at next logon" getting checked.

3. While checking the creation date i found the user is showing as a newly created user at the Destination and SiDhistory is showing some values which is contradicting and of course i am doing migration and not newly creating the users in the Destination
domain.

checked GPO and nothing is related to this.

checked UPNSuffix attribute for the domain if that is hardcoded somehow via GPO or OU properties but this is not the case either.

Is there something needs to be checked at ADMT or this is related to something else, please help me with your feedback.

Thanks,

AS

 

Should Hybrid joined computers allow login with UPN first

Hi, I'm looking to understand if hybrid domain joined computers should be able to logon with the users UPN in the first instance when no direct line of site to an on premises domain controller.

We have examples at our organisation where a user is permanently based offsite and we wish to send them a brand new computer that they have not logged onto before. Currently we either ask them to come collect the computer and log onto it before taking it
away or we set them up with a local account (really want to move away from this option).

We have implemented hybrid domain joined computers as we cannot move away from group policy at this stage but none of our hybrid domain joined computers allow UPN login when no line of site to a domain controller. Is this normal behaviour?

Note: UPN logon does work if line of site to a domain controller and with locally cached username.