One thing that is constantly causing issues for us is accounts in AD that have incorrect UPNs. By incorrect, I mean the suffix is not @abc.com, but rather @test.abc.com. If the UPN of the AD account is not always employeeID@abc.com, lots of stuff breaks, like IWA, password sync, user attribute import/export. Is it possible to run something that enumerates the UPN for all users and dump the ones that don't have the correct suffix? This way, I can get the output list that this script generates and contact those folks that are creating accounts incorrectly. Any help with this would be greatly appreciated. Thanks.