Edit all users UserPrincipalName through PowerShell for DirSync & Office 365


While catching up with a good friend yesterday we were talking about implementing DirSync and ADFS for their Office 365 for education deployment.

If we want to be able to log into Office 365 with our own domain name, such as @bfcnetworks.com, that suffix needs to be set in each user's Active Directory UserPrincipalName attribute.

Over the years, many people have configured their Active Directory domain FQDN as something like bfc.local rather than using their external domain name.

As we look more into cloud services and Windows Azure Active Directory, we see that using DirSync with your own domain name (rather than bfcnetworks.onmicrosoft.com) requires changes in your local Active Directory.  The process below shows how to add an additional UPN suffix and then gives a PowerShell command to find all users whose UserPrincipalName uses bfc.local and change it to @bfcnetworks.com.

Part 1: Add FQDN to Active Directory

Log onto your Active Directory Domain Controller and open Active Directory Domains and Trusts.  Right click on the Active Directory Domains and Trusts node at the top of the tree and choose Properties, which opens the property box below.  On the UPN Suffixes tab, type the domain name you want to use in Windows Azure Active Directory (bfcnetworks.com) and click Add.


Part 2: PowerShell command to change UserPrincipalName

There are two sections to this single line of PowerShell.  The first gets all the users that have @bfc.local in their UserPrincipalName.  The second sets each returned user's UserPrincipalName to their SAMAccountName followed by @bfcnetworks.com.

Get-ADUser -Filter {UserPrincipalName -like "*@bfc.local"} | ForEach-Object { Set-ADUser -Identity $_.SamAccountName -UserPrincipalName ($_.SamAccountName + "@bfcnetworks.com") }

DirSync runs every three hours by default, so you may want to schedule this to run every three hours, just before each DirSync cycle, to ensure all your users have the right suffix in their UserPrincipalName before they are synced to Windows Azure Active Directory and Office 365.  Remember that a user's UPN is also their Office 365 sign-in name once it has synced, so check the result before the first sync rather than after.
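The script below is an added example, not code from the original post. It carries out both parts of the procedure above in one pass: it registers the new UPN suffix on the forest (Part 1), then rewrites the UPN of every user still carrying the old suffix (Part 2), skipping accounts whose new UPN would collide with an existing one or whose SamAccountName contains whitespace that a UPN cannot hold, and logs every decision to a CSV. The names bfc.local and bfcnetworks.com come from the post; the parameter names, the log path and the Enterprise Admins requirement for Set-ADForest are my assumptions. Run it once with -WhatIf to preview the changes before scheduling it.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original post. Adds the UPN suffix to the forest
# (Part 1) and rewrites user UPNs (Part 2) with a dry-run option and a CSV log.
# Assumes the post's names: old suffix bfc.local, new suffix bfcnetworks.com.
# Run as a member of Enterprise Admins (Set-ADForest needs it); pass -WhatIf
# to preview every change without touching the directory.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$OldSuffix = 'bfc.local',
    [string]$NewSuffix = 'bfcnetworks.com',
    [string]$LogPath   = (Join-Path $env:TEMP 'upn-change.csv')
)

Import-Module ActiveDirectory

# Part 1: register the new suffix on the forest if it is not already listed.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    if ($PSCmdlet.ShouldProcess($forest.Name, "Add UPN suffix $NewSuffix")) {
        Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $NewSuffix }
    }
}

# UPNs must be unique in the forest, so collect the ones already in use first.
$inUse = @{}
Get-ADUser -Filter * | ForEach-Object {
    if ($_.UserPrincipalName) { $inUse[$_.UserPrincipalName.ToLowerInvariant()] = $true }
}

# Part 2: every user still carrying the old suffix.
$users = Get-ADUser -Filter "UserPrincipalName -like '*@$OldSuffix'"

$results = foreach ($u in $users) {
    $newUpn = '{0}@{1}' -f $u.SamAccountName, $NewSuffix
    $row = [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        OldUPN         = $u.UserPrincipalName
        NewUPN         = $newUpn
        Status         = ''
    }

    if ($u.SamAccountName -match '\s') {
        # sAMAccountName may contain spaces; a UPN may not. Leave for manual review.
        $row.Status = 'skipped: SamAccountName contains whitespace'
    }
    elseif ($inUse.ContainsKey($newUpn.ToLowerInvariant())) {
        # Another account already owns this UPN; do not clobber it.
        $row.Status = 'skipped: UPN already in use'
    }
    elseif ($PSCmdlet.ShouldProcess($u.DistinguishedName, "Set UPN to $newUpn")) {
        Set-ADUser -Identity $u -UserPrincipalName $newUpn
        $inUse[$newUpn.ToLowerInvariant()] = $true
        $row.Status = 'changed'
    }
    else {
        $row.Status = 'would change (WhatIf)'
    }
    $row
}

$results | Export-Csv -Path $LogPath -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count
```

Save it as a .ps1 and run it as `.\Set-UpnSuffix.ps1 -WhatIf` first; the summary table at the end and the CSV show exactly which accounts would change and which were skipped, so the collisions and odd SamAccountNames can be fixed by hand before the real run and before DirSync picks the accounts up.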

How should your school be managing its Active Directory


So far in our series of best practice implementation for your school network we have looked at how to use administrative accounts securely, service accounts, computer naming schemes and server naming schemes.  Over the next few posts we are going to look at Active Directory, Exchange and then SQL Server, and at some simple changes to their structure that can make your job a lot easier when supporting users and managing your environment.

In this post we are going to look at Active Directory, and I already know that a lot of you are going to see this post and think 'doesn't everyone already do this'.  You would be surprised at how few ICT support teams implement this simple Active Directory structure for their school and then keep it up to date.

There are three main types of objects for you to manage in your school: users, groups and computers.


I've seen some very well implemented and up-to-date Active Directory deployments, and I've also seen some with no structure thought through at all; the well maintained ones also have the right structure to support their user base.  I connected to a school recently that kept all their users, along with all their groups, in the built-in Users container in Active Directory (which is a container, not an OU, so you cannot even link Group Policy to it).  The school had around 1,100 students and over 3,000 accounts.

The best way to separate your users is to use Organisational Units, also known as OUs.  They are designed to let you separate your organisation into whatever structure suits you.

I always start with a top-level Organisational Unit named after the school or some kind of prefix for the school.  I then know that everything sits below this OU and I can easily find it.

Create 3 new OUs called Users, Groups and Computers.


In any school we have teachers and students; again, separate these by creating two new OUs under Users.  You may also have other users on your network, such as parents/family members and governors; create an OU for each of these.


You can separate your staff into different OUs if you want, such as teaching staff and admin staff, but that is for you to decide based on how you want to manage those groups.  For now we'll continue with students.

We now need to split our students into different OUs by the year they joined the school in Year 7, which is the most common approach in the schools I visit.  When a new student starts in Year 9 they are still added to the OU that represents the year they would have started in Year 7.  Create an OU for each year group.



You may think only a few groups are needed in your school, and depending on the other services you offer you may be right, but we still need to manage them.  Under your Groups OU create OUs to separate student groups from staff groups, such as departmental groups so each department has a group, a group for each year and, of course, an All Staff group.


Your All Students group doesn't have to contain every student directly.  Instead, add the year groups as members, so you only have to manage one group membership for each user instead of two.



Group Policies play an important part in the security and configuration of your network.  Some use them to deploy software to computers, but to do that you need to be able to manage licences, so creating OUs for each classroom can help.  Consider this part a breakdown of your school by location.  If you have two buildings, start with these and break them down into floors and rooms.
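As an added example (not code from the original post), the script below builds the structure described in this post from the top-level school OU down: Users split into Teachers, Students, Parents and Governors, one student OU per Year 7 intake, student and staff groups with the intake and departmental groups nested inside All Students and All Staff, and Computers broken down by building, floor and room for Group Policy. The prefix BFC, the intake naming, the departments and the room names are my assumptions; change them to suit your school. Every OU is created with accidental-deletion protection, and each object is only created if it is missing, so the script can be re-run as the school changes.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original post. Builds the OU layout and nested
# groups described above. Assumed names: school prefix 'BFC', intake OUs named
# after the Year 7 entry year, and a small sample of departments and rooms;
# change them to suit your school. OUs are protected from accidental deletion
# and everything is skipped if it already exists, so the script can be re-run.
Import-Module ActiveDirectory

$School   = 'BFC'
$DomainDN = (Get-ADDomain).DistinguishedName

function New-OUIfMissing {
    param([string]$Name, [string]$Path)
    $ou = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" -SearchBase $Path -SearchScope OneLevel
    if (-not $ou) {
        $ou = New-ADOrganizationalUnit -Name $Name -Path $Path -ProtectedFromAccidentalDeletion $true -PassThru
    }
    return $ou.DistinguishedName
}

function New-GroupIfMissing {
    param([string]$Name, [string]$Path)
    $g = Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $Path -SearchScope OneLevel
    if (-not $g) {
        $g = New-ADGroup -Name $Name -SamAccountName $Name -GroupScope Global -GroupCategory Security -Path $Path -PassThru
    }
    return $g
}

function Add-NestedGroup {
    param($Parent, $Child)
    # Only add if not already a direct member, so re-runs stay quiet.
    $members = Get-ADGroupMember -Identity $Parent | Select-Object -ExpandProperty DistinguishedName
    if ($members -notcontains $Child.DistinguishedName) {
        Add-ADGroupMember -Identity $Parent -Members $Child
    }
}

# Top-level OU and the three object-type OUs beneath it.
$root        = New-OUIfMissing -Name $School     -Path $DomainDN
$usersOU     = New-OUIfMissing -Name 'Users'     -Path $root
$groupsOU    = New-OUIfMissing -Name 'Groups'    -Path $root
$computersOU = New-OUIfMissing -Name 'Computers' -Path $root

# Users: teachers, students, and any other audiences you support.
$teachersOU = New-OUIfMissing -Name 'Teachers' -Path $usersOU
$studentsOU = New-OUIfMissing -Name 'Students' -Path $usersOU
foreach ($n in 'Parents', 'Governors') { New-OUIfMissing -Name $n -Path $usersOU | Out-Null }

# Groups: keep student and staff groups apart.
$studentGroupsOU = New-OUIfMissing -Name 'Students' -Path $groupsOU
$staffGroupsOU   = New-OUIfMissing -Name 'Staff'    -Path $groupsOU

# One student OU and one group per Year 7 intake; All Students nests the
# intake groups instead of holding every student a second time.
$thisYear    = (Get-Date).Year
$allStudents = New-GroupIfMissing -Name 'All Students' -Path $studentGroupsOU
foreach ($year in ($thisYear - 6)..$thisYear) {   # Year 7 through Year 13
    New-OUIfMissing -Name "Intake $year" -Path $studentsOU | Out-Null
    $g = New-GroupIfMissing -Name "Students Intake $year" -Path $studentGroupsOU
    Add-NestedGroup -Parent $allStudents -Child $g
}

# Departmental groups nested inside All Staff in the same way.
$allStaff = New-GroupIfMissing -Name 'All Staff' -Path $staffGroupsOU
foreach ($dept in 'English', 'Maths', 'Science', 'ICT') {
    $g = New-GroupIfMissing -Name "Staff $dept" -Path $staffGroupsOU
    Add-NestedGroup -Parent $allStaff -Child $g
}

# Computers by location (building -> floor -> room) for Group Policy targeting.
$layout = @{
    'Main Building' = @{ 'Ground Floor' = @('G01', 'G02'); 'First Floor' = @('F01', 'F02') }
    'Science Block' = @{ 'Ground Floor' = @('S01', 'S02') }
}
foreach ($building in $layout.Keys) {
    $bOU = New-OUIfMissing -Name $building -Path $computersOU
    foreach ($floor in $layout[$building].Keys) {
        $fOU = New-OUIfMissing -Name $floor -Path $bOU
        foreach ($room in $layout[$building][$floor]) {
            New-OUIfMissing -Name $room -Path $fOU | Out-Null
        }
    }
}
```

Because the intake groups are nested rather than duplicated, moving a pupil between intake groups is a single membership change and All Students stays correct on its own; the same holds for staff moving between departments.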



3rd Party Tool

I'm very proud to have worked with SalamanderSoft in the past on the Learning Gateway Conference.  They have a tool that can manage all of this for you: it creates security groups based on your timetable and adds and removes students and staff as they join and leave the school.  I highly recommend this product: http://www.salamandersoft.co.uk/.  The product doesn't handle computers, but it will save you a lot of time managing user accounts and groups.