How to Use PowerShell to Fix Duplicate User Principal Name for On-Premises Active Directory Users
Windows Azure AD ScriptBox Item
This script enables you to export Active Directory users that have duplicate or empty user principal names.
After correcting the email addresses for these groups, you can use this script to import them to the AD.
Problem 1
In Microsoft Office 365, an administrator receives the following email message warning when directory synchronization finishes:
| From: | MSOnlineServicesTeam@MicrosoftOnline.com |
| Subject: | Directory Synchronization Error Report |
The error report in the email message may contain one or more of the following error messages:
- A synchronized object with the same proxy address already exists in your Microsoft Online Services directory.
- Unable to update this object because the user ID is not found.
- Unable to update this object in Microsoft Online Services because the following attributes associated with this object have values that may already be associated with another object in your local directory.
This issue may occur if mail-enabled objects in the on-premises Active Directory Domain Services (AD DS) have duplicate or invalid values, and these user objects are not synchronized from the AD DS to Office 365 correctly during directory synchronization.
Problem 2
If OnRAMP autocheck finds that duplicate values exist in your on-premises Active Directory, you will get a table-separated values file that contains these objects.
Here is an example of this file.
Solution
This script enables you to export Active Directory users with duplicated user principal names.
After correcting the attributes for these users, you can use this script to import them to your on-premises Active Directory.
The following procedure describes how to remove duplicate email addresses by using this script.
After downloading the script package, you need to extract all the files to a folder on a domain joined computer - for example: c:\script.
Run the Import-Module cmdlet to import this module file:
001
Import-Module filepath\FixDuplicateUserPrincipalName.psm1 Run the following command if you want to read the help of this function:
001
Get-Help Export-OSCADUserPrincipalName -Full Run one of the following commands to export mail-enabled groups that have duplicate email address to a comma-separated value (CSV) file.
If you don’t know how to get duplicate user principal name from Directory Synchronization Error Report, please refer to “How to get Duplicate User Principal Name from Directory Synchronization Error Report” in this article.- If you get duplicate user principal name from Directory Synchronization Error Report, please run this command:
001
Export-OSCADUserPrincipalName -UserPrincipalName "jdoe@corp.contoso.com" -Path .\outputs.csv - If you have an OnRamp autocheck results file, please run this command:
001
Import-Csv .\OnRamp_Duplicates.txt -Delimiter `t | ?{$_.AttributeName -match "userprincipalname"} | Select-Object -ExpandProperty Value -Unique | Export-OSCADUserPrincipalName -Path .\outputs.csv
- If you get duplicate user principal name from Directory Synchronization Error Report, please run this command:
When you get the output file, make a copy of this file and rename it with a new name, for example, inputs.csv.
Then set the original output file as read-only.
You can use the original output file to restore the old values of user principal name in case something goes wrong.Refer to “How to Edit the Input File” later in this article for the steps to edit the input file.
Run the following command to import new user principal names:
001
Import-OSCADUserPrincipalName -Path .\inputs.csv
The following procedure describes how to roll back the changes by using this script.
- Run the Import-Module cmdlet to import this module file:
001
Import-Module filepath\FixDuplicateUserPrincipalName.psm1 - Run the following command to import the original values of attributes.:
001
Import-OSCADUserPrincipalName -Path .\outputs.csv
Note
Running the scripts should be possible from any domain joined PC running Win7, Server 2008, or above.
The .NET Framework including PowerShell is the desired interface.
We suggest you run these scripts logged on as a user that is a member of Enterprise administrators group or with sufficient permission to modify objects in all domains in the forest.
The output file contains an objectGUID column.
The objectGUID attribute value of an Active Directory object is converted to a Base64 string in this column.
It can help you to determine the account(s) that did not sync.
Match the objectGUID from the Directory Synchronization Error Report mail with the object returned in outputs.csv.
Note
When you run script, you might see the following error message:
“Import-Module: File path\scriptname.psm1 cannot be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.”
If you receive this error message, please change the execution policy to Unrestricted by running this command:
| 001 |
Set-ExecutionPolicy Unrestricted |
How to Get Duplicate User Principal Name from Directory Synchronization Error Report
Office 365 Administrators may receive a Directory Synchronization Error Report that contains following table.
In the error description, you can find the user principal name in this format “AttributtName UserPrincipalName”.
In this example, UserPrincipalName is the attribute name.
jdoe@contoso.onmicrosoft.com is the duplicate user principal name that is required by Export-OSCADUserPrincipalName.
The following errors occurred during synchronization:
| Identity | John Doe |
| Error Description | Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: UserPrincipalName jdoe@contoso.onmicrosoft.com;. Correct or remove the duplicate values in your local directory. Please refer to http://support.microsoft.com/kb/2647098 for more information on identifying objects with duplicate attribute values. |
| On-premises object ID/strong> | AIQwHQkEh0CPbndzfrBSNQ== |
How to Edit the Input File
After running Export-OSCADUserPrincipalName, you can make a copy of the output file and rename it with a new name, for example, *inputs.csv.
*Then you can open the input file with Notepad. Because the DistinguishedName column may contain a long text, you need to turn off word wrap in Notepad.
Here is an example of the input file:
In thisexmple, Jane Doe has been erroneously given a UPN jdoe@corp which conflicts with the UPN of another user. To resolve this, n this example, you need to replace the duplicate user principal name “jdoe@corp.contoso.com” in the UserPrincipalName column. You need to decide which user object should own which UPN (e.g. let Jane Doe have a UPN of Jane@corp, or perhaps make John doe use JohnD@corp and make Jane use JaneD@corp, etc.
Having made that decision you need to update the input file to reflect those decisions. Here is the input file after removing the duplicate user principal name:
Script Code
| 001 002 003 004 005 006 007 008 |
if ($Credential -ne $null) { $networkCred = $Credential.GetNetworkCredential() $ldapDirectoryIdentifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($targetDomainFqdn, 3268) $ldapConnection = New-Object System.DirectoryServices.Protocols.LdapConnection($ldapDirectoryIdentifier,$networkCred) } else { $ldapDirectoryIdentifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($targetDomainFqdn, 3268) $ldapConnection = New-Object System.DirectoryServices.Protocols.LdapConnection($ldapDirectoryIdentifier) } |
See Also
- Fix Duplicate User Principal Name for On-premises Active Directory Users
- PowerShell Portal
- Wiki: Portal of TechNet Wiki Portals
 Note |
|---|
| To provide feedback about this article, create a post on the Windows Azure AD TechNet Forum. For more FIM related Windows PowerShell scripts, see the Windows Azure AD ScriptBox  |