UPN suffixes set on an OU container are not limited by when creating a user in Directory and Resourc (NETIQKB20276)

  • 7720276
  • 02-Feb-2007
  • 19-Jun-2007


Directory and Resource Administrator 6.x

Directory and Resource Administrator 7.x

When creating a user in Directory and Resource Administrator, the available UPN suffixes are not limited to those set on the OU container.

Directory and Resource Administrator uses the UPN suffixes supplied at the forest level, while native tools use the UPN suffixes set at the OU level if any exist.


Using native tools (ADSI Edit), you can set the UPN suffix (uPNSuffixes property) on an OU container. When uPNSuffixes is set on an OU container and a user creates a new user account in that OU with Active Directory Users and Computers, the drop-down list of UPN suffixes is limited to only the value defined for the OU.

If you use Directory and Resource Administrator (DRA) 7.0 SP1 or prior to create a new user in the same OU, the UPN choices available are those defined for the whole forest and are not limited to the uPNSuffixes defined for the OU. DRA 7.5 now behaves the same as native tools and limits the available UPN suffixes to those defined for the OU.

Some potential workarounds prior to DRA 7.5 are:

  • Use a script with a post-task trigger to set the UPN value after the account is created. This would require a different ActiveView and associated script for each OU.
  • Use a custom policy that only allows the creation of the account if its UPN suffix matches the OU's UPN suffix. Again, this would require a policy and ActiveView for each OU.
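
The per-OU comparison that the custom-policy workaround describes can also be run after the fact, to find accounts that were created with a suffix outside their OU's list. The PowerShell below is an added example, not NetIQ or DRA code: the function names, sample DNs and suffixes are constructed, and it assumes that only the user's immediate parent OU is consulted, with the forest-level list as the fallback when that OU has no uPNSuffixes value.

```powershell
# Added example: flag accounts whose UPN suffix is not in their parent OU's list.
# Live input would come from the ActiveDirectory module, for example:
#   Get-ADOrganizationalUnit -Filter * -Properties uPNSuffixes
#   Get-ADUser -Filter * -Properties UserPrincipalName
#   (Get-ADForest).UPNSuffixes

function Get-ParentDn {
    param([string]$DistinguishedName)
    # Drop the leading RDN: split once on the first comma not escaped with "\".
    ($DistinguishedName -split '(?<!\\),', 2)[1]
}

function Test-UpnSuffixCompliance {
    param(
        [Parameter(Mandatory)] [object[]]  $Users,         # DistinguishedName + UserPrincipalName
        [Parameter(Mandatory)] [hashtable] $OuSuffixes,    # OU DN -> uPNSuffixes values
        [Parameter(Mandatory)] [string[]]  $ForestSuffixes # forest-level list (fallback)
    )
    foreach ($u in $Users) {
        $parent = Get-ParentDn $u.DistinguishedName
        # Assumption: an OU without uPNSuffixes falls back to the forest list.
        $allowed = if ($OuSuffixes.ContainsKey($parent) -and $OuSuffixes[$parent]) {
            $OuSuffixes[$parent]
        } else {
            $ForestSuffixes
        }
        $suffix = ($u.UserPrincipalName -split '@')[-1]
        [pscustomobject]@{
            User      = $u.UserPrincipalName
            ParentOU  = $parent
            Allowed   = @($allowed) -join ', '
            Compliant = @($allowed) -contains $suffix   # case-insensitive match
        }
    }
}

# Constructed sample data (not taken from any real directory).
$ouSuffixes = @{ 'OU=Sales,DC=corp,DC=example' = @('sales.example') }
$forest     = @('corp.example', 'example.com')
$users = @(
    [pscustomobject]@{ DistinguishedName = 'CN=Ann Lee,OU=Sales,DC=corp,DC=example'
                       UserPrincipalName = 'alee@sales.example' }
    [pscustomobject]@{ DistinguishedName = 'CN=Bo Diaz,OU=Sales,DC=corp,DC=example'
                       UserPrincipalName = 'bdiaz@example.com' }
    [pscustomobject]@{ DistinguishedName = 'CN=Cy Ng,OU=IT,DC=corp,DC=example'
                       UserPrincipalName = 'cng@corp.example' }
)

# List only the accounts that violate their OU's suffix restriction.
Test-UpnSuffixCompliance -Users $users -OuSuffixes $ouSuffixes -ForestSuffixes $forest |
    Where-Object { -not $_.Compliant }
```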

DRA 7.5 lets you multiselect user accounts and modify common properties. If multiple users are selected from OUs that do not have a common UPN suffix, you will not be able to update that field as a batch operation.

Additional Information

Formerly known as NETIQKB20276