User-Principal-Name

A string property that specifies the user principal name (UPN) of the user in the form of an internet-style login name such as example@microsoft.com.

| Attribute property | Value | Description |
|---|---|---|
| adminDisplayName | User-Principal-Name | Display name of this object for use in directory service administrative tools. |
| adminDescription | User-Principal-Name | Description of this object for use in directory service administrative tools. |
| cn | User-Principal-Name | Common name. |
| lDAPDisplayName | userPrincipalName | The name used by LDAP clients to refer to the object's class. |
| attributeID | 1.2.840.113556.1.4.656 | A unique OID that identifies the attribute. |
| objectClass | Attribute-Schema | The class of which this object is an instance. |
| objectCategory | Attribute-Schema | Reference to an object class or one of its superclasses, which is used when searching for this object. |
| schemaIDGUID | {28630EBB-41D5-11D1-A9C1-0000F80367C1} | A GUID that uniquely identifies this object. You can use this string value in an ACE to control access to objects of this type. |
| attributeSyntax | 2.5.5.12 | An OID of a syntax. The combination of the attributeSyntax and oMSyntax properties determines the syntax of an attribute. |
| oMSyntax | 64 | Syntax of this attribute as defined by the XAPIA XOM (X/Open Object Model) specification. |
| isSingleValued | TRUE | TRUE means that the attribute has a single value; FALSE means that the attribute can have multiple values. |
| attributeSecurityGUID | {E48D0154-BCF8-11D1-8702-00C04FB96050} | An optional GUID that identifies the attribute as a member of an attribute set (also known as a property set). |
| isMemberOfPartialAttributeSet | TRUE | TRUE means that the attribute is replicated to the global catalog; FALSE means that the attribute is not included in the global catalog. |
| searchFlags | 1 | An integer value whose least significant bit indicates whether the attribute is indexed. The four bit flags in this value are: 1 = index over attribute only; 2 = index over container and attribute; 4 = add this attribute to the Ambiguous Name Resolution set, used together with 0x0001; 8 = preserve this attribute in the tombstone object for deleted objects. |
| showInAdvancedViewOnly | TRUE | TRUE means that the object will appear only in the Advanced View of the Users and Computers snap-in, not in the Windows shell. FALSE means that the object will appear in Normal view of the Users and Computers snap-in and in the Windows shell. |
| systemFlags | 18 | An integer value that contains flags that define additional properties of this object. Category 1 classes or attributes have the 0x10 bit set by the system and cannot be set by users. They are shipped with Active Directory. For more information, see the ADS_SYSTEMFLAG_ENUM enumeration in the ADSI Reference. |
| systemOnly | FALSE | TRUE means that only Active Directory can modify the class of this object. FALSE means users can make the modification as well. |

Remarks

The UPN is an Internet-style login name for the user based on the Internet standard RFC 822. The UPN is shorter than the distinguished name and is easier to remember. By convention, this should map to the user's e-mail name. The point of the UPN is to consolidate the e-mail and logon namespaces so that the user need only remember a single name. The UPN is the preferred login name for Windows® 2000 users. Users should be using their UPN to log on to the domain. At logon time, a UPN is validated first by searching the local domain, then the Global Catalog (GC). Failure to find the UPN in the local domain or the GC results in rejection of the UPN.
The UPN can be assigned, but is not required, when the user account is created. Once assigned, the UPN is unaffected by changes to other properties of the user object (for example, if a parent domain was renamed or a domain was moved). Thus, a user can keep the same login name, although the directory may be radically restructured. Note that the UPN can be administratively changed at any time.
Note that the UPN is a string property that can contain any string value. However, the following scheme is recommended:
The user principal name has two parts: the UPN prefix (the user account name) and the UPN suffix (a DNS domain name). The parts are joined together by the @ (at sign) symbol to make the complete UPN. An example of this construction, as in the description above, is example@microsoft.com.
The UPN must be unique among all security principal objects within the directory forest. By default (that is, for the built-in user accounts and user accounts created using the Active Directory™ Users and Computers snap-in), the UPN can consist of any name for the user (such as the sAMAccountName property of the user) and the domain tree name to which the user belongs in the following form:
Name@treeName
The treeName is the domain name system (DNS) name of a domain, but is not required to be the name of the domain containing the user. However, the treeName portion of the UPN must be the name of a domain in the current forest or an alternate name listed in the upnSuffixes property of the Partitions container within the Configuration container. You can add or remove UPN suffixes by modifying the upnSuffixes property (or by choosing Properties for the root node of Active Directory Domains and Trusts and modifying the UPN suffixes on the UPN Suffixes tab). Usually, the treeName is the name of the first domain in the first tree of the forest. In most cases, this domain name is the domain name registered as the enterprise domain on the Internet. The tree name is stored in the treeName property of the domainDNS object.
When creating a new user object, you should check the local domain and the Global Catalog for the proposed name to ensure it does not already exist.
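The checks described in this section (well-formed prefix@suffix, a suffix that is a forest domain or a registered UPN suffix from the Partitions container, and uniqueness in the local domain and the Global Catalog) as an added PowerShell example; it is not code from this reference page. It assumes the RSAT ActiveDirectory module and a reachable domain controller; Test-ProposedUpn is a hypothetical function name.

```powershell
# Added example, not code from the schema reference: validate a proposed UPN
# against the rules described above before creating the user object.
# Assumes the RSAT ActiveDirectory module and a reachable domain controller
# that can locate a global catalog. Test-ProposedUpn is a hypothetical name.
Import-Module ActiveDirectory

function Test-ProposedUpn {
    param([Parameter(Mandatory)][string]$Upn)

    $fail = { param($Reason) [pscustomobject]@{ Upn = $Upn; Valid = $false; Reason = $Reason } }

    # Recommended form: prefix@suffix, joined by exactly one '@'
    $parts = $Upn.Split('@')
    if ($parts.Count -ne 2 -or -not $parts[0] -or -not $parts[1]) {
        return & $fail 'UPN must have the form prefix@suffix'
    }
    $suffix = $parts[1]

    # Allowed suffixes: the DNS name of any domain in the forest, plus the
    # alternate names in the uPNSuffixes attribute of the Partitions container
    $rootDse    = Get-ADRootDSE
    $partitions = Get-ADObject -Identity "CN=Partitions,$($rootDse.configurationNamingContext)" -Properties uPNSuffixes
    $allowed    = @((Get-ADForest).Domains) + @($partitions.uPNSuffixes)
    if ($allowed -notcontains $suffix) {          # -notcontains compares case-insensitively
        return & $fail "Suffix '$suffix' is not a forest domain or a registered UPN suffix"
    }

    # Uniqueness: the UPN must not exist anywhere in the forest. Check the local
    # domain first, then a global catalog (port 3268), mirroring logon validation.
    # Escape LDAP filter metacharacters so the proposed name cannot alter the filter.
    $escaped  = $Upn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $filter   = "(userPrincipalName=$escaped)"
    $inDomain = Get-ADObject -LDAPFilter $filter
    $gc       = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName | Select-Object -First 1
    $inForest = Get-ADObject -LDAPFilter $filter -Server "${gc}:3268"
    if ($inDomain -or $inForest) {
        $hit = @($inDomain) + @($inForest) | Select-Object -First 1
        return & $fail "UPN already assigned to $($hit.DistinguishedName)"
    }
    [pscustomobject]@{ Upn = $Upn; Valid = $true; Reason = 'OK' }
}

# Usage: run before New-ADUser and refuse to create the account unless Valid is $true
Test-ProposedUpn -Upn 'example@microsoft.com'
```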