How can I Find Domain Accounts with missing UPN Suffix

  • Question

  • We have discovered we have some domain user accounts that do not have a UPN suffix. So I have been asked to create a report showing domain accounts that do not have a UPN suffix.

    I have searched for some examples on how to get this information from AD but have not been able to find a solution.  I am not even sure this is possible.

    If anyone has any suggestion that would be a great help.

    I would like to be able to do this using C# if possible.  My PowerShell experience is very limited so if that is the only solution please provide as much details as possible.

    Thanks

    • Moved by jrv Wednesday, August 21, 2019 5:18 PM correct forum
    Wednesday, August 21, 2019 5:11 PM

Answers

  • I was able to solve the problem and get the data I needed using this

    using System;
    using System.DirectoryServices;

    public static void GetUserInfo()
    {
        SearchResultCollection results;
        // "DomainController", "username" and "password" are placeholders for the real values
        DirectoryEntry de = new DirectoryEntry("LDAP://" + "DomainController", "username", "password", AuthenticationTypes.Secure);
        // the searcher has to be bound to the directory entry; a null searcher throws on first use
        DirectorySearcher ds = new DirectorySearcher(de);

        // Login Name
        ds.PropertiesToLoad.Add("userPrincipalName");
        ds.Filter = "(&(objectCategory=User)(objectClass=person))";

        ds.PageSize = 1000;  // have to use this to get all records from AD if not I just get 1000 records
        results = ds.FindAll();
        int t = results.Count;

        foreach (SearchResult sr in results)
        {
            if (sr.Properties["userPrincipalName"].Count > 0)
            {
                string user = sr.Properties["userPrincipalName"][0].ToString();
                if (!user.Contains("@myDomain"))
                {
                    Console.WriteLine(user);
                }
            }
        }
    }

    which I found on

    This Web Site

    • Marked as answer by Perry Pierce Thursday, August 22, 2019 3:36 PM
    Thursday, August 22, 2019 3:36 PM

All replies

  • I have moved your request to the correct forum.

    Also note that you can do this with an ADUC query and export the results to Excel from ADUC. Ask your Domain Admins how to do this.


    \_(ツ)_/

    Wednesday, August 21, 2019 5:20 PM
  • Hi Perry,

    Thank you for posting here.

    Based on your description, you want to find domain accounts with missing UPN.

    I found the following code, which can find domain accounts on your computer.

    As for missing UPN Suffix, you could set some conditions to filter them.

    Code:

                DomainCollection dc = Forest.GetCurrentForest().Domains;
                foreach (Domain d in dc)
                {
                    Console.WriteLine(d.Name);
                }

    Best Regards,

    Jack


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Thursday, August 22, 2019 5:53 AM
    Moderator
  • Try the following code and see if it works for you.

    using System;
    using System.DirectoryServices;
    using System.DirectoryServices.ActiveDirectory;

    public static void FindUserWithoutUPNSuffix(string suffix)
    {
        DirectoryContext dirCtx = new DirectoryContext(DirectoryContextType.Domain, "yourdomain.com");
        using (Domain usersDomain = Domain.GetDomain(dirCtx))
        using (DirectorySearcher adsearcher = new DirectorySearcher(usersDomain.GetDirectoryEntry()))
        {
            adsearcher.Filter = "(&(sAMAccountType=805306368) (!(userPrincipalName=*" + suffix + ")))";
            adsearcher.SearchScope = SearchScope.Subtree;
            adsearcher.PropertiesToLoad.Add("distinguishedName");
            SearchResultCollection searchResults = adsearcher.FindAll();
            foreach (SearchResult searchResult in searchResults)
            {
                if (searchResult.Properties["distinguishedName"].Count > 0)
                {
                    Console.WriteLine(searchResult.Properties["distinguishedName"][0]);
                }
            }
        }
    }

    The constant used for querying sAMAccountType (i.e.: 805306368) is for user accounts, while the constant for Machine Accounts would be 805306369.

    If you pass an empty string to the function, it will help you find accounts without a UPN at all instead. (Usually because someone deleted it.)

    Thursday, August 22, 2019 6:26 AM
    Answerer
  • Thank you very much cheong00, your code worked as expected and did return all accounts with no UPN.

    How would I modify the search to only show accounts that are missing the domain name for the UPN?

    I am sure it would be in this line of code but cannot find any documentation that explains how to filter for an empty suffix.

    adsearcher.Filter = "(&(sAMAccountType=805306368) (!(userPrincipalName=*" + suffix + ")))";

    Since I have very little experience working with Active Directory and LDAP queries, could you show me how to modify your query to show user accounts with no UPN suffix?

    ScreenShot

    Thursday, August 22, 2019 1:21 PM
  • Actually I expect you to pass "myDomain" to find all entities that do not end in "myDomain".

    "*" here is the wildcard character. "userPrincipalName=*myDomain" will return all AD accounts with "userPrincipalName like '%myDomain'" as in a SQL statement.

    "!" here is the inverse/not operator, and therefore will give you the "userPrincipalName not like '%myDomain'" effect.

    Friday, August 23, 2019 1:06 AM
    Answerer
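An added example, not code from anyone in this thread: it runs cheong00's server-side filter and the OP's client-side suffix check in one paged search, so the report says for each account whether the UPN is absent entirely or carries an unexpected suffix. The domain DNS name, the expected suffix and the `UpnSuffixReport` class name are assumptions.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;

public static class UpnSuffixReport
{
    // Classify a userPrincipalName value against the expected suffix (assumed argument).
    // Returns null when the UPN is fine, otherwise the reason to put in the report.
    public static string Classify(string upn, string expectedSuffix)
    {
        if (string.IsNullOrEmpty(upn)) return "no UPN set";
        int at = upn.LastIndexOf('@');
        if (at < 0) return "UPN has no '@' suffix";
        string suffix = upn.Substring(at + 1);
        return suffix.Equals(expectedSuffix, StringComparison.OrdinalIgnoreCase)
            ? null : "unexpected suffix '" + suffix + "'";
    }
    // domainDns (e.g. "corp.example.com") and expectedSuffix are placeholders: replace both.
    public static void Run(string domainDns, string expectedSuffix)
    {
        var ctx = new DirectoryContext(DirectoryContextType.Domain, domainDns);
        using (Domain domain = Domain.GetDomain(ctx))
        using (DirectoryEntry root = domain.GetDirectoryEntry())
        using (var searcher = new DirectorySearcher(root))
        {
            // Server side: user accounts (sAMAccountType 805306368) whose UPN does not end
            // in "@<suffix>". An absent userPrincipalName also matches, so Classify() below
            // separates "no UPN" from "wrong suffix" for the report.
            searcher.Filter = "(&(sAMAccountType=805306368)(!(userPrincipalName=*@" + expectedSuffix + ")))";
            searcher.SearchScope = SearchScope.Subtree;
            searcher.PageSize = 1000; // paged search, otherwise the DC stops at 1000 entries
            searcher.PropertiesToLoad.AddRange(new[] { "sAMAccountName", "userPrincipalName", "distinguishedName" });

            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult r in results)
                {
                    string sam = First(r, "sAMAccountName");
                    string upn = First(r, "userPrincipalName");
                    string reason = Classify(upn, expectedSuffix) ?? "matched filter but suffix looks right (check for stray characters)";
                    Console.WriteLine(sam + "\t" + reason + "\t" + First(r, "distinguishedName"));
                }
            }
        }
    }
    // First value of a loaded attribute, or null when the attribute is absent.
    private static string First(SearchResult r, string attr) =>
        r.Properties[attr].Count > 0 ? r.Properties[attr][0].ToString() : null;
}
```

Call `UpnSuffixReport.Run("corp.example.com", "corp.example.com")` from a console app that runs as an account allowed to read the domain; the tab-separated output can be pasted straight into Excel for the requested report.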