As most System Administrators know, Active Directory Domains and Trusts can be used to add User Principal Name (UPN) suffixes to existing user accounts.

The default UPN suffix for a user account is the Domain Name System (DNS) name of the domain in which the user account is created. You can add alternative UPN suffixes to simplify administration and the user login process by providing a single UPN suffix for all users. The UPN suffix is used only within the Active Directory forest and is not required to be a valid DNS domain name.


Now, here’s a fun trick. Not everyone knows this, but you can actually do the same thing at the Organizational Unit level. In fact, it’s pretty simple. You just need to follow these steps:

  • In the Active Directory Users and Computers console, select an Organizational Unit and click Properties
  • In the Attribute Editor tab, search for the uPNSuffixes attribute
  • From there, simply click on Edit and enter the suffixes you want to add at the organizational level

It’s one thing to know cool tricks, but you need to understand why you’d want to use them in the first place, right?

Let’s say you have different Organizational Units for different clients. This procedure will allow you to automate and customize their login while narrowing the use of the client domain name in Active Directory to a more granular level.
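The same steps scripted, followed by an audit of the per-client setup described above. This is an added example, not part of the original post: it sets uPNSuffixes on one OU, then lists every OU that carries the attribute and flags users directly inside it whose UPN suffix is in neither the forest-wide list nor that OU's list. The OU path and suffix are constructed placeholders, and the script assumes the ActiveDirectory module (RSAT) and a single-domain scope.

```powershell
# Added example; OU path and suffix below are constructed placeholders.
Import-Module ActiveDirectory

$ou     = 'OU=ClientA,DC=corp,DC=example'   # hypothetical client OU
$suffix = 'clienta.example'                 # hypothetical UPN suffix

# Scripted form of the GUI steps: append a value to the OU's uPNSuffixes attribute.
Set-ADOrganizationalUnit -Identity $ou -Add @{ uPNSuffixes = $suffix }

# Suffixes valid anywhere in the forest: domain DNS names plus the
# forest-wide suffixes managed in Active Directory Domains and Trusts.
$forest = Get-ADForest
$global = @($forest.Domains) + @($forest.UPNSuffixes)

# Inventory every OU that defines its own suffixes.
$ous = Get-ADOrganizationalUnit -LDAPFilter '(uPNSuffixes=*)' -Properties uPNSuffixes
$ous | Select-Object DistinguishedName,
    @{ Name = 'Suffixes'; Expression = { $_.uPNSuffixes -join ', ' } }

# Flag users whose UPN suffix is not offered for their OU.
# Only direct children are checked (OneLevel); nested OUs are reported
# on their own if they carry the attribute.
foreach ($o in $ous) {
    $allowed = $global + @($o.uPNSuffixes)
    Get-ADUser -SearchBase $o.DistinguishedName -SearchScope OneLevel -Filter * |
        Where-Object { $_.UserPrincipalName } |
        ForEach-Object {
            $userSuffix = ($_.UserPrincipalName -split '@')[-1]
            if ($allowed -notcontains $userSuffix) {   # case-insensitive compare
                [pscustomobject]@{
                    OU             = $o.DistinguishedName
                    SamAccountName = $_.SamAccountName
                    UPN            = $_.UserPrincipalName
                }
            }
        }
}
```

An empty result from the last loop means every user in a suffix-bearing OU logs on with a suffix that was deliberately published for that OU or for the forest.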

I hope this trick will come in handy. If you have any tips you want to share on Active Directory Domains and Trusts, share them in the comments section!

Written by Ghislain Gamache Employee @ SherWeb

Ghislain is a Microsoft Certified Solutions Expert (MCSE) with over 14 years of experience as a System Administrator. He currently works on the IT Projects team of SherWeb’s Operations department.