
Get User Principal Name – Part II

Whilst I was researching an unrelated issue, I happened upon the following article: http://serverfault.com/questions/591836/access-an-ad-attribute-in-a-first-time-logon-scenario

Whilst the user was looking to put the userSharedFolder attribute into an environment variable, the solution allows almost any Active Directory attribute to be accessed and stored, including the User Principal Name. It uses a feature of Group Policy Preferences that I wasn’t previously aware of.

I prefer this to my previous solution, as it allows for centralised management, whereas, with PowerShell, I have to push the script out to the workstations somehow.

Here are the instructions on creating the Group Policy Preferences Environment Variable:

  1. Create a new GPO (or edit one that has user settings)
  2. Go to User Config -> Preferences -> Windows Settings -> Environment
  3. Create a new Environment variable
  4. Action: Update
    Select: User Variable
    Name: UPN
    Value: %_UPN%
  5. Click the Common tab.
  6. Enter a description: “Create an environment variable called UPN and populate it with the UserPrincipalName attribute for the user, as held in Active Directory.”
  7. Tick “Item-level Targeting” and click “Targeting…”
  8. Select New Item -> LDAP Query
  9. Filter: (&(objectClass=user)(sAMAccountName=%USERNAME%))
    Binding: LDAP:
    Attribute: userPrincipalName
  10. Environment variable name: _UPN
  11. Click OK, OK

You can then reference the environment variable in subsequent scripts that run after the GPO has applied.
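A check you can run on a workstation once the GPO has applied, to confirm that the variable agrees with what Active Directory holds (added example, not code from the original post; it assumes a domain-joined session and the variable name UPN from the steps above):

```powershell
# Added check (not from the original post): confirm the GPP-created UPN variable
# matches the userPrincipalName attribute held in Active Directory.
# Assumes a domain-joined session for a user who logged on after the GPO applied.

# The same filter the item-level targeting LDAP query uses, with %USERNAME% expanded
$filter   = "(&(objectClass=user)(sAMAccountName=$env:USERNAME))"
$searcher = [ADSISearcher]$filter
$searcher.PropertiesToLoad.Add('userPrincipalName') | Out-Null
$result   = $searcher.FindOne()

if (-not $result) {
    # No match means the targeting item evaluates false and the variable is never set
    Write-Warning "LDAP query returned no match for '$env:USERNAME'."
    return
}

$adUpn = [string]$result.Properties['userprincipalname'][0]

# GPP 'User Variable' items are written to HKCU\Environment, so also read the
# persisted value rather than relying only on the current process environment.
$regUpn = (Get-ItemProperty -Path 'HKCU:\Environment' -Name 'UPN' `
           -ErrorAction SilentlyContinue).UPN

[pscustomobject]@{
    SamAccountName = $env:USERNAME
    AD_UPN         = $adUpn
    Process_UPN    = $env:UPN
    Registry_UPN   = $regUpn
    Matches        = ($adUpn -eq $env:UPN)
}
```

A mismatch between AD_UPN and Process_UPN in a fresh logon session usually means the GPO has not applied yet, or the LDAP query filter in the targeting item differs from the one above.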

It may be possible, by using multiple filters, to build a variable from different Active Directory attributes, but I haven’t tried this.
