Picky Exchange 2010 and adfind/admod to the rescue!

I’ve been playing with Exchange 2010 the last couple of days and was forced to do some test-migration of Ex2003 mailboxes. This is a test environment so not all data for users and computers was created accurately during object creation when filling the test directory with users to play with.

I noticed that Exchange 2010, when trying to move a user’s mailbox from 2003 to 2010, threw an error message at me:

Hum - fancy error message, really. …a user property that needs to contain an @… pretty specific. It could at least have said what property it was. Nasty. Well, thinking about user attributes containing an @ sign, the only thing I thought could relate to Exchange and the mailbox was the userPrincipalName (sAMAccountName@domain.tld for example, see http://msdn.microsoft.com/en-us/library/ms680857(VS.85).aspx). I checked the user’s properties and indeed, it was empty:

Well, the attribute was at least filled with the sAMAccountName as seen in ADSIEdit:

Okay - selecting a UPN suffix from the dropdown list in the user properties and re-running the New-MoveRequest cmdlet worked like a charm. Exchange apparently does not like a UPN without an @ suffix. I’m going to look into this at a later time.

Since I knew what the culprit was, I needed some scripting that would (a) check my users for a set userPrincipalName attribute and (b) set it if it isn’t set.

ADfind and ADMod (http://www.joeware.net) to the rescue! I’ve found a command that would work pretty well for me:

C:\>adfind -b OU=Users,OU=Management,OU=HQ-Waldshut,DC=intern,DC=frickelsoft,DC=net -f "(&(objectClass=user)(objectCategory=person)(!userPrincipalName=*@*))" userPrincipalName -adcsv | admod "userPrincipalName::{{userPrincipalName}}@intern.frickelsoft.net" -upto 1

What looks weird is actually quite simple. The first part before the pipe (|) symbol is my ADfind query to find the users in question. Since I only wanted Management users, I set the base (-b) to the corresponding OU. The filter selects user objects, (&(objectClass=user)(objectCategory=person)), AND only those whose userPrincipalName does NOT match the pattern *@* (!userPrincipalName=*@*). *@* matches any value with an @ somewhere in it, so the negation gives me exactly the accounts without one, which is what Exchange complained about. I have ADfind output the userPrincipalName it found and format it (-adcsv) in a way I can use with ADMod.

ADMod takes the found objects and their userPrincipalNames and changes each one to <whatever it currently is> + “@intern.frickelsoft.net”, which is the UPN suffix used for most accounts. Finally, you see I tested this with the -upto 1 switch, which protects me from being an idiot by modifying only one single object. Once I knew it did what it was supposed to, I raised -upto to 250, as I knew that there were about 220 objects I needed to change. If you leave the -upto switch away and have more than 10 candidates to modify, ADMod answers with a warning message. You either have to specify a max value with -upto or use the -unsafe switch to have it modify whatever the number of targeted objects might be (= all that match the ADfind search).
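The same check-and-fix as an added PowerShell example (my code, not the post’s or joeware’s; it assumes the ActiveDirectory module, the OU path and the UPN suffix from the post, and uses -WhatIf plus a change limit that mirrors admod’s -upto). It also covers one case the LDAP filter matches that the post does not mention: accounts with no userPrincipalName at all, where a blind {{userPrincipalName}} expansion would give a bare @suffix.

```powershell
# Added example, not from the original post. Assumed: ActiveDirectory module available,
# OU path and UPN suffix taken from the post's adfind/admod command line.
Import-Module ActiveDirectory

$SearchBase = 'OU=Users,OU=Management,OU=HQ-Waldshut,DC=intern,DC=frickelsoft,DC=net'
$UpnSuffix  = 'intern.frickelsoft.net'
$UpTo       = 1   # same idea as admod's -upto: never change more objects than this per run

# The post's filter in standard LDAP form: person objects whose UPN has no '@' anywhere.
# Note that (!(userPrincipalName=*@*)) also matches accounts with no UPN set at all.
$Filter = '(&(objectClass=user)(objectCategory=person)(!(userPrincipalName=*@*)))'

$users = @(Get-ADUser -LDAPFilter $Filter -SearchBase $SearchBase `
                      -Properties userPrincipalName, sAMAccountName)

"Candidates without an '@' in the UPN: $($users.Count)"

$changed = 0
foreach ($u in $users) {
    if ($changed -ge $UpTo) { break }

    # admod's {{userPrincipalName}} expands to the current value; when the attribute is
    # absent, fall back to sAMAccountName so we never write a bare '@suffix' into the directory.
    if ([string]::IsNullOrEmpty($u.userPrincipalName)) {
        $local = $u.sAMAccountName
    } else {
        $local = $u.userPrincipalName
    }
    $newUpn = "$local@$UpnSuffix"

    # Dry run first (the post's -upto 1 test); drop -WhatIf once the output looks right.
    Set-ADUser -Identity $u.DistinguishedName -UserPrincipalName $newUpn -WhatIf
    "$($u.sAMAccountName): '$($u.userPrincipalName)' -> '$newUpn'"
    $changed++
}
```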

Finally, Exchange would migrate my users :-)

Notes:

- Yeah, I know, I could have selected multiple users and assigned them a UPN all at once. But where’s the fun here?

- Yeah, I know, that must have been a crappy import/export to the test system that I had to manually set the UPN now. It was a self-made script I already ‘adjusted’ so that will never happen again :-)
