Active directory user accounts

I have my domain accounts set up with user names, not email addresses. How can I make it so they can authenticate with an email address instead of a user account name?
Tim Dawson, IT Manager, asked:

You're not specifying where they authenticate. Usernames in an AD environment have the format username@addomainname; the addomainname is set when the system onto which they log in is joined to the domain.

Presumably you have addomainname.local while your public email is
An AD user can have multiple email addresses, aliases, ...
Tim Dawson, IT Manager (Author) commented:
You are correct. They authenticate with user.domain.local. I need them to authenticate with
Is this a specific application where you have this requirement? If so, you would have to build the email-to-user translation mechanism.

Not sure whether a user can have two entries, or the AD defined with addomainname.local as primary when used to join while accepting the other as a reference/acceptable substitute. It is possible for email. I have to recheck the AD structure to see whether a user record can have multiple username@ type records.
Tim Dawson, IT Manager (Author) commented:
Yes, the application needs this. How do I build the mechanism?
Is the user's email with which you want them to access part of their AD user contact attributes? You would need to search through AD to locate the username whose email is being provided and use it with the password the user provides to validate.
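The lookup-then-validate mechanism described in this reply, written out as an added PowerShell example (not code from the thread). It assumes the RSAT ActiveDirectory module on a domain-joined host; the `Test-EmailCredential` name and the default domain from `$env:USERDNSDOMAIN` are my assumptions.

```powershell
# Added example: resolve an e-mail address to the AD account that owns it (the mail
# attribute), then validate the supplied password against the domain.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-EmailCredential {
    param(
        [Parameter(Mandatory)][string]$Email,
        [Parameter(Mandatory)][string]$Password,
        [string]$Domain = $env:USERDNSDOMAIN   # assumption: validate against the host's own domain
    )
    # Accept only a plain address before it is interpolated into an LDAP filter, so
    # filter metacharacters such as ( ) * \ and quotes never reach the directory query.
    if ($Email -notmatch '^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$') {
        return $false
    }

    # Exact match on the mail attribute, enabled accounts only.
    $found = @(Get-ADUser -Filter "mail -eq '$Email' -and Enabled -eq 'True'" -Properties mail)

    # Fail closed on no match, and on an ambiguous match (two accounts sharing one address).
    if ($found.Count -ne 1) { return $false }
    $sam = $found[0].SamAccountName

    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext `
        -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain), $Domain
    try {
        # The lookup above only translated the address into the sAMAccountName the
        # directory expects; ValidateCredentials performs the actual logon check.
        return $ctx.ValidateCredentials($sam, $Password)
    } finally {
        $ctx.Dispose()
    }
}

# Usage: Test-EmailCredential -Email 'jsmith@example.com' -Password $pwd
```

Returning the same `$false` for "unknown address", "ambiguous address" and "wrong password" keeps the application from leaking which addresses exist in the directory.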

By the sounds of it you would like to have what is called a different UPN (userPrincipalName) suffix. A UPN suffix is the domain portion of a user's login in a domain environment. You can log in with the UPN or the sAMAccountName (the one without the domain suffix) - I believe MS best practice is now to use the UPN.
Remember, the UPN suffix is the domain portion of a whole UPN.


By default, the UPN suffix will be @<ADDomain> - i.e. myad.local or myad.internal or whatever the domain/forest name is. Thus, a default UPN would generally be <login>@<ADDomain>.

You can change this by changing the UPN suffix of a user.

To add a new UPN suffix to your forest, see the steps below (from Microsoft):


1. Open Active Directory Domains and Trusts.
2. Right-click Active Directory Domains and Trusts in the Tree window pane, and then click Properties.
3. On the UPN Suffixes tab, type the new UPN suffix that you would like to add to the forest.
4. Click Add, and then click OK.

Once you add a new suffix (such as '' rather than 'ADDomain.local') you can then select this as a suffix for a user's UPN. There's a dropdown next to the UPN on the Account tab of the user's properties which should have two options once you have added your new UPN suffix as above.

I know the above works when logging into domain-joined workstations, as my domain has 30 or so UPN suffixes for different tenants - these additional suffixes reflect the users' 'real' or 'external' email domain, thus allowing users to log in using '' rather than 'login@internalADDomain.local'.

If your application allows login using '<login>@<ADDomain>' then it must allow login using the user's UPN. Thus, doing the above should work for you, because the above simply changes the UPN to a desired value. Just be aware that you can only use one suffix at a time. So changing a user's suffix to '' will mean they cannot log in with the internal, default, UPN suffix.
Overall, if your application supports login with the UPN (not just the sAMAccountName) the above should help.

I hope that helps...if you take anything away from the above, it is that adding a new UPN suffix may fix this for you in quite an easy way.

If you need anything further, address my username in a future post and I'll accommodate where possible.
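The same suffix change as an added PowerShell example (not the answer's own code): it registers the suffix at the forest level, the equivalent of the Domains and Trusts steps above, and then switches the UPN of every user whose mail address is in that domain. It assumes the RSAT ActiveDirectory module; 'example.com' stands in for your public e-mail domain, and `$DryRun` is my own switch.

```powershell
# Added example: add a forest UPN suffix, then align each user's UPN with their mail
# address. Each user has exactly one UPN, so after the change the old
# login@addomain.local form no longer works for that user (as the answer notes).
Import-Module ActiveDirectory

$NewSuffix = 'example.com'   # placeholder for the public e-mail domain
$DryRun    = $true           # set to $false to apply the changes

# 1. Register the suffix at the forest level (UPN Suffixes tab). Skip if already there.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    if ($DryRun) { Write-Host "Would add UPN suffix $NewSuffix to forest $($forest.Name)" }
    else         { Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $NewSuffix } }
}

# 2. Users whose primary mail address is in that domain get it as their UPN.
$users = Get-ADUser -Filter "mail -like '*@$NewSuffix'" -Properties mail, userPrincipalName
foreach ($u in $users) {
    $newUpn = $u.mail.ToLower()
    if ($u.UserPrincipalName -eq $newUpn) { continue }

    # The mail local part can differ from the sAMAccountName (jsmith vs john245, as in
    # this thread), and the UPN must be unique forest-wide, so check for a clash first.
    $clash = Get-ADUser -Filter "userPrincipalName -eq '$newUpn'" |
             Where-Object { $_.DistinguishedName -ne $u.DistinguishedName }
    if ($clash) {
        Write-Warning "Skipping $($u.SamAccountName): UPN $newUpn is already in use"
        continue
    }

    if ($DryRun) { Write-Host "Would set $($u.SamAccountName): $($u.UserPrincipalName) -> $newUpn" }
    else         { Set-ADUser -Identity $u -UserPrincipalName $newUpn }
}
```

Run it once with `$DryRun = $true` and review the printed plan before applying; a clash warning means two accounts claim the same address and needs a manual decision.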


Tim Dawson, IT Manager (Author) commented:
OK, let me explain better. I have an Outlook Web Access site set up as:
The user logs in using <ADAccount> and password. The AD account user name is something like john245. He has an email address: jsmith@<domain>.com
My application needs the login account to be the e-mail address, not john245.
Now that you provided detail, searching for "change exchange owa login use" displays an assortment of responses, some whose links I cannot place here.

The PowerShell Exchange cmdlet that will deal with altering the login from the username to the AD-based domain name is:

The implication, though, as gwickert pointed out, is that the user will have to use the to access all resources once this change is made.

An alternative is post-processing: you know the username, so the email being accessed is known as well ....
Or is there more detail that could further this along?
Hi Tim,

In that case, you can set OWA to use the UPN as the login attribute. I actually think more recent versions (perhaps 2007 plus, don't quote me) allow login via UPN by default. You would then go through my above post of adding a UPN suffix of '', set that on all users, and then it should work.

Further to the above, I read some anecdotal evidence on another site which said that setting UPN to have a custom suffix will NOT stop the default UPN suffix from working. I can't confirm this, so testing would be required.

Hope this helps.
