Hidden Alternate Suffix in Active Directory?
I was working with Active Directory a couple of days ago and discovered something very interesting. I created a user account using a VB script. I mistyped the domain name in the UPN, which led to this discovery. First of all, here’s what the script looks like:
' Bind to the OU that will hold the account (OU path not given in the post; placeholder)
Set objOU = GetObject("LDAP://OU=<target OU>,DC=nwtraders,DC=msft")
Set objUser = objOU.Create("User", "cn=BillG")
objUser.Put "sAMAccountName", "BillG"
objUser.Put "userPrincipalName", "BillG@bogus.com"   ' mistyped suffix: bogus.com is not a registered alternate suffix
objUser.SetInfo   ' the object must exist in the directory before its password can be set
objUser.ChangePassword "", "P@ssw0rd"
Notice the domain I used in the UPN "BillG@bogus.com". When I created the account, I was able to log on as that account. The user account Properties showed that the UPN is BillG@bogus.com. It looked like bogus.com was an alternate suffix because the dropdown box listed both the nwtraders.msft domain and the bogus.com domain. However, I verified that bogus.com was NOT listed as an alternate suffix in AD Domains and Trusts.
What's interesting is that I can log on as the UPN BillG@bogus.com and continue to work fine, but as soon as I log on with the UPN BillG@nwtraders.msft once, it deletes the bogus.com entry in the user's Properties (Account tab).
I am wondering if there's a way to take advantage of this "hidden" alternate suffix as far as security is concerned. If you have any thoughts, I'd love to hear them.
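A check a defender can run for exactly this condition, added here as an example and not code from the original post: it lists every user whose UPN suffix is neither a registered alternate suffix (the forest's uPNSuffixes attribute, which is what AD Domains and Trusts edits) nor the DNS name of a domain in the forest. It assumes the ActiveDirectory PowerShell module is available and that the function name is my own choice.

```powershell
# Added example, not from the original post. Finds accounts such as BillG@bogus.com
# whose UPN suffix was never registered as an alternate suffix in the forest.
# Assumes the ActiveDirectory module (RSAT) and read access to the forest.
Import-Module ActiveDirectory

function Get-UnregisteredUpnSuffixUser {
    [CmdletBinding()]
    param(
        [string]$SearchBase   # optional OU distinguished name; default is the whole domain
    )

    $forest = Get-ADForest
    # Suffixes added through "AD Domains and Trusts" live in the forest's uPNSuffixes
    # attribute; the DNS name of every domain in the forest is also a valid suffix.
    $known = @($forest.UPNSuffixes) + @($forest.Domains) |
        ForEach-Object { $_.ToLowerInvariant() } |
        Sort-Object -Unique

    $params = @{
        Filter     = 'userPrincipalName -like "*"'
        Properties = 'userPrincipalName'
    }
    if ($SearchBase) { $params['SearchBase'] = $SearchBase }

    Get-ADUser @params | ForEach-Object {
        $upn = $_.UserPrincipalName
        $at  = $upn.LastIndexOf('@')
        if ($at -lt 0) { return }   # UPN without a suffix: not what this check is about
        $suffix = $upn.Substring($at + 1).ToLowerInvariant()
        if ($known -notcontains $suffix) {
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                UserPrincipalName = $upn
                Suffix            = $suffix
                DistinguishedName = $_.DistinguishedName
            }
        }
    }
}

# Example run: in the post's scenario this would list BillG with suffix bogus.com
Get-UnregisteredUpnSuffixUser | Format-Table -AutoSize
```

Run it from a scheduled job or as part of a periodic AD hygiene review; a hit means an account can be logged on with a UPN the domain admins never registered, which is worth correcting with Set-ADUser -UserPrincipalName.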