Why can a user log in via more than one UPN?

Solution 1:

Ryan and Joe's comments above are on target. It sounds like your users are logging in with their Implicit UPNs. Is your domain's FQDN us.mycompany.local?

In Active Directory, each user has two UPNs:

  1. Explicit UPN (eUPN): This is the value of the user object's userPrincipalName attribute. This can be changed to any value, regardless of any alternate UPN suffixes you have configured in the forest.

  2. Implicit UPN (iUPN): This is constructed by concatenating the value of the user object's samAccountName attribute with the value of the domain's FQDN. The FQDN is stored as the value of the dnsRoot attribute of the domain's crossRef object stored at LDAP://CN=DOMAIN_NETBIOS_NAME,CN=Partitions,CN=Configuration,DC=DOMAIN.

Jorge de Almeida Pinto, a DS MVP, has a series of posts that go into much more detail:

  • https://jorgequestforknowledge.wordpress.com/2010/10/12/user-principal-names-in-ad-part-1
  • https://jorgequestforknowledge.wordpress.com/2010/10/12/user-principal-names-in-ad-part-2
  • https://jorgequestforknowledge.wordpress.com/2010/10/12/user-principal-names-in-ad-part-3

EDIT 1:

It's also worth noting that the eUPN "wins" if there is a conflict. For example, consider the following (albeit ridiculous) scenario:

  • Domain name: example.com
  • User1's samAccountName: user1
  • User2's userPrincipalName (eUPN): [email protected]

If you attempt to log in using the username [email protected], you will be logged in as User2. However, if you change User2's userPrincipalName to anything else, you would be signed in as User1.

EDIT 2:

More info per MS: MSKB929272: Interactive logon styles and Key Distribution Center account lookup in Windows Server 2003
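An added audit script (not from the answer above or from Microsoft) that builds the implicit UPN for every user from samAccountName and the domain's DNSRoot, lists both names each account can log in with, and flags the conflict case from EDIT 1, where one user's explicit UPN matches another user's implicit UPN. It assumes the RSAT ActiveDirectory module is available and the caller can read the domain.

```powershell
# Added example, not part of the original answer. Assumes the ActiveDirectory
# module (RSAT) is installed and the caller has read access to the domain.
Import-Module ActiveDirectory

# DNSRoot of the domain is the same value the crossRef object's dnsRoot holds.
$dnsRoot = (Get-ADDomain).DNSRoot

$users = Get-ADUser -Filter * -Properties sAMAccountName, userPrincipalName

# Map implicit UPN (samAccountName@dnsRoot) -> samAccountName. UPNs are matched
# case-insensitively at logon, so normalise to lower case before comparing.
$implicitOwner = @{}
foreach ($u in $users) {
    $iupn = ('{0}@{1}' -f $u.sAMAccountName, $dnsRoot).ToLowerInvariant()
    $implicitOwner[$iupn] = $u.sAMAccountName
}

$report = foreach ($u in $users) {
    $iupn = ('{0}@{1}' -f $u.sAMAccountName, $dnsRoot).ToLowerInvariant()
    $eupn = if ($u.userPrincipalName) { $u.userPrincipalName.ToLowerInvariant() } else { $null }

    # The eUPN "wins": if it equals some other account's iUPN, a logon with that
    # name resolves to this account, not to the account whose samAccountName built it.
    $shadowed = $null
    if ($eupn -and $implicitOwner.ContainsKey($eupn) -and
        $implicitOwner[$eupn] -ne $u.sAMAccountName) {
        $shadowed = $implicitOwner[$eupn]
    }

    [pscustomobject]@{
        SamAccountName     = $u.sAMAccountName
        ImplicitUPN        = $iupn
        ExplicitUPN        = $eupn
        LogonNamesDiffer   = ($eupn -and $eupn -ne $iupn)   # user can log in under two UPNs
        ShadowsImplicitOf  = $shadowed                        # other account hidden by this eUPN
    }
}

# Conflicts first, then accounts with two distinct logon names.
$report | Where-Object { $_.ShadowsImplicitOf } | Format-Table -AutoSize
$report | Where-Object { $_.LogonNamesDiffer } | Format-Table -AutoSize
```

Run it from a domain-joined machine; an empty first table means no explicit UPN is masking another account's implicit UPN in this domain.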