Compare UserPrincipalName and Primary Email Address in Active Directory and Flag Discrepancies
Compare UserPrincipalName and Primary Email Address in Active Directory
This script retrieves all Active Directory users together with the properties needed for the check: proxyAddresses, mail, userPrincipalName and lastLogonTimestamp. For each user it compares the userPrincipalName (UPN) with the primary email address, which is the proxyAddresses entry carrying the uppercase "SMTP:" prefix. If the primary email and the UPN differ, the script flags the user by adding a ChangeUPN property. It also converts the raw LastLogonTimeStamp file-time value into a readable DateTime for each user. Optional logic to update mismatched UPNs is included but currently commented out.
Script Overview
Ideal for: Active Directory administrators maintaining user identity consistency
Key Features
| Feature | Capability | Business Value |
|---|---|---|
| UPN-Email Comparison | Identifies discrepancies between UPN and primary email | Ensures identity consistency |
| User Flagging | Marks users requiring UPN updates | Simplifies remediation process |
| Timestamp Formatting | Converts file time to readable format | Better user activity tracking |
| Selective Processing | Includes exclusion logic for specific users | Flexible deployment options |
Script Implementation
```powershell
#$exclude = "DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}","Administrator","Public Folder"

# Retrieve all users under the search base with the attributes needed for the comparison
$allUsers = Get-ADUser -Filter * -SearchBase "CN=Users,DC=XXX-Forest,DC=local" -Properties proxyAddresses,mail,userPrincipalName,lastlogontimestamp

# Keep every property except the raw LastLogonTimeStamp, then re-add it as a readable [datetime]
$Property = $allUsers | Get-Member -Type Property | Where-Object Name -ne "LastLogonTimeStamp" | Select-Object -ExpandProperty Name
$Property += @{Name="LastLogonTimeStamp";Expression={([datetime]::FromFileTime($_.LastLogonTimeStamp))}}
$allUsers = $allUsers | Select-Object -Property $Property

#$AllUsersToChangeUPN = @()

$allUsers | ForEach-Object {
    # Reset per user so a previous user's result is not carried over when this user has no primary SMTP address
    $ChangeUPN = $false
#   if($_.name -notin $exclude){
    $UPN = $_.userPrincipalName
    # The primary SMTP address is the proxyAddresses entry with an uppercase "SMTP:" prefix (-CLike is case-sensitive)
    $PEmail = $_.proxyAddresses | Where-Object {$_ -CLike "SMTP:*"}
    if($PEmail) {
        $PEmail = ($PEmail.split(':'))[1]
        # -ne is case-insensitive, so only real differences in the address are flagged
        if($PEmail -ne $UPN) {
            #Write-Host "UPN: $UPN different than Email: $PEmail"
            #$AllUsersToChangeUPN += $_
            $ChangeUPN = $true
        } else {
            $ChangeUPN = $false
        }
    }
#   }
    $_ | Add-Member -Name 'PrimaryEmail' -Value $PEmail -MemberType NoteProperty
    $_ | Add-Member -Name 'ChangeUPN' -Value $ChangeUPN -MemberType NoteProperty
}

<#
# Optional remediation: strip the "SMTP:" prefix before using the address as the new UPN;
# -WhatIf previews the change without applying it
$AllUsersToChangeUPN | ForEach-Object {
    $PEmail = ($_.proxyAddresses | Where-Object {$_ -CLike "SMTP:*"}).split(':')[1]
    Set-ADUser -Identity $_.DistinguishedName -UserPrincipalName $PEmail -WhatIf
}

$allUsers = Get-ADUser -Filter * -SearchBase "CN=Users,DC=xxx-Forest,DC=local" -Properties lastlogontimestamp,proxyAddresses,mail,userPrincipalName
$Property = $allUsers | Get-Member -Type Property | Where-Object Name -ne "LastLogonTimeStamp" | Select-Object -ExpandProperty Name
$Property += @{Name="LastLogonTimeStamp";Expression={([datetime]::FromFileTime($_.LastLogonTimeStamp))}}
$allUsers = $allUsers | Select-Object -Property $Property

# Stale-account report: enabled users whose last logon is older than eight months
$Now = Get-Date
$date = $Now.AddMonths(-8)
$allUsers | Where-Object LastLogonTimeStamp -lt $date | Where-Object Enabled | ft -AutoSize Name,LastLogonTimeStamp,Enabled
#>
```

Configuration Requirements
Prerequisites
| Component | Requirement | Purpose |
|---|---|---|
| Active Directory Module | ActiveDirectory PowerShell module | Access AD user properties |
| AD Admin Rights | Read permissions on user objects | Access user attributes |
| Search Base Configuration | Correct OU/Domain path | Target specific user containers |
Configuration Parameters
| Parameter | Example | Description |
|---|---|---|
| SearchBase | "CN=Users,DC=contoso,DC=local" | Target OU for user search |
| Exclude List | System accounts, service accounts | Users to skip during processing |
Script Logic Flow
Processing Steps
1. User Retrieval
   - Get all AD users from the specified SearchBase
   - Include the properties required for the comparison
2. Property Preparation
   - Add a formatted LastLogonTimeStamp
   - Prepare user objects for processing
3. UPN-Email Comparison
   - Extract the primary email from proxyAddresses
   - Compare it with userPrincipalName
   - Flag discrepancies with the ChangeUPN property
4. Optional Updates
   - Commented-out code for UPN updates
   - Includes WhatIf safety testing
Data Analysis
Comparison Logic
| Field | Source | Comparison Target |
|---|---|---|
| UserPrincipalName | AD user attribute | Primary email address |
| Primary Email | proxyAddresses (SMTP:*) | UserPrincipalName |
| ChangeUPN Flag | Boolean result | Indicates mismatch |
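The comparison logic above as a reusable function, run against constructed user objects so it can be validated offline before it is pointed at a live directory. This is an added example, not part of the original script; the function name, the sample users and the contoso domain are assumptions.

```powershell
# Added example (not part of the original script): the UPN-vs-primary-SMTP check as a
# function that accepts Get-ADUser output or any object with the same property names.
function Test-UpnEmailMismatch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User
    )
    process {
        # Only the uppercase "SMTP:" entry is the primary address; lowercase "smtp:" entries are aliases.
        # -clike keeps the match case-sensitive; -split with a limit of 2 keeps any later colons intact.
        $primary = @($User.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' })
        $primaryEmail = if ($primary.Count -ge 1) { ($primary[0] -split ':', 2)[1] } else { $null }

        # -ne is case-insensitive, so Bob@Contoso.com and bob@contoso.com count as matching.
        $changeUPN = if ($primaryEmail) { $primaryEmail -ne $User.userPrincipalName } else { $false }

        [pscustomobject]@{
            Name              = $User.Name
            UserPrincipalName = $User.userPrincipalName
            PrimaryEmail      = $primaryEmail
            ChangeUPN         = $changeUPN
            # Surfaces the case the script leaves silent: no primary SMTP address at all
            NoPrimarySmtp     = (-not $primaryEmail)
        }
    }
}

# Constructed sample users (assumed names and domain, not real directory data)
$sampleUsers = @(
    [pscustomobject]@{ Name='alice'; userPrincipalName='alice@contoso.local'; proxyAddresses=@('SMTP:alice@contoso.com','smtp:alice@contoso.local') }
    [pscustomobject]@{ Name='bob';   userPrincipalName='bob@contoso.com';     proxyAddresses=@('SMTP:Bob@Contoso.com') }
    [pscustomobject]@{ Name='carol'; userPrincipalName='carol@contoso.com';   proxyAddresses=@('smtp:carol@contoso.com') }
    [pscustomobject]@{ Name='svc-backup'; userPrincipalName='svc-backup@contoso.com'; proxyAddresses=$null }
)

$sampleUsers | Test-UpnEmailMismatch | Format-Table -AutoSize
```

The four rows exercise a genuine mismatch, a case-only difference, a user whose only SMTP entry is a lowercase alias, and an account with no proxyAddresses at all; the last two are the cases a remediation step should review by hand rather than rewrite.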
Output Properties
| Property | Description | Usage |
|---|---|---|
| PrimaryEmail | Extracted primary SMTP address | Comparison reference |
| ChangeUPN | Boolean flag for mismatches | Remediation targeting |
| LastLogonTimeStamp | Formatted timestamp | Activity analysis |
Usage Scenarios
1. Identity Consistency Audit
- Identify UPN-email mismatches
- Plan UPN standardization projects
- Ensure proper user identity alignment
2. Migration Preparation
- Prepare for Azure AD Connect sync
- Validate user identity format
- Pre-migration cleanup operations
3. Security Compliance
- Ensure consistent user identification
- Support single sign-on implementations
- Maintain directory hygiene
Conclusion
Key Takeaway: This script provides essential visibility into UPN-email consistency, enabling administrators to maintain proper user identity standards and support various directory synchronization and authentication scenarios.