Get User Principal Name – Part II
Whilst I was researching an unrelated issue, I happened upon the following article: http://serverfault.com/questions/591836/access-an-ad-attribute-in-a-first-time-logon-scenario
Whilst the user was looking to put the userSharedFolder attribute into an environment variable, the solution allows almost any Active Directory attribute to be accessed and stored, including the User Principal Name. It uses a feature of Group Policy Preferences that I wasn’t previously aware of.
I prefer this to my previous solution, as it allows for centralised management, whereas, with PowerShell, I have to push the script out to the workstations somehow.
Here are the instructions on creating the Group Policy Preferences Environment Variable:
- Create a new GPO (or edit one that has user settings)
- Go to User Config -> Preferences -> Windows Settings -> Environment
- Create a new Environment variable with the following settings:
  - Action: Update
  - Select: User Variable
  - Name: UPN
  - Value: %_UPN%
- Click the Common tab.
- Enter a description: “Create an environment variable called UPN and populate it with the UserPrincipalName attribute for the user, as held in Active Directory.”
- Tick “Item-level Targeting” and click “Targeting…”
- Select New Item -> LDAP Query, with the following settings:
  - Filter: (&(objectClass=user)(sAMAccountName=%USERNAME%))
  - Binding: LDAP:
  - Attribute: userPrincipalName
  - Environment variable name: _UPN
- Click OK, OK
You can then reference the environment variable in subsequent scripts that run after the GPO has applied.
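As an added example (not part of the original post), here is a PowerShell check that resolves the same LDAP filter the targeting item uses, via the built-in [ADSISearcher] accelerator, and compares the result with the UPN environment variable. It assumes the variable name UPN from the steps above and is run in the user's own session after the GPO has applied, so it both verifies the targeting rule matches exactly one account and shows how a later script would consume the value.

```powershell
# Added verification script (not from the original post): resolves the same LDAP
# filter that the item-level targeting rule uses and compares it with %UPN%.
# Run in the user's session after the GPO has applied (e.g. after gpupdate /force).

# Same filter the GPP targeting item uses; %USERNAME% becomes $env:USERNAME here.
$filter = "(&(objectClass=user)(sAMAccountName=$env:USERNAME))"

# [ADSISearcher] with no explicit search root binds to the default naming
# context of the logon domain, matching the post's 'LDAP:' binding.
$searcher = [ADSISearcher]$filter
[void]$searcher.PropertiesToLoad.Add('userPrincipalName')
$results = $searcher.FindAll()

# The targeting rule only makes sense if the filter matches exactly one object;
# zero matches means the variable is never created, more than one is ambiguous.
if ($results.Count -ne 1) {
    Write-Warning "Filter matched $($results.Count) objects; expected exactly 1."
    return
}

# DirectorySearcher returns property names in lower case.
$adUpn  = $results[0].Properties['userprincipalname'][0]
$envUpn = $env:UPN   # the variable created by the GPP item (name assumed from the steps above)

if ([string]::IsNullOrEmpty($envUpn)) {
    Write-Warning "Environment variable UPN is not set. Has the GPO applied? Check with gpresult /r."
} elseif ($adUpn -ieq $envUpn) {
    Write-Host "OK: UPN=$envUpn matches the userPrincipalName held in Active Directory."
} else {
    Write-Warning "Mismatch: env UPN='$envUpn' but AD userPrincipalName='$adUpn'."
}
```

Because the GPP item is in User Configuration, the variable only exists in that user's logon session; running the check from an elevated or different account will report the variable as unset even when the policy is working.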
It may be possible, by using multiple filters, to build a variable from different Active Directory attributes, but I haven’t tried this.