
Creating one password for both local and Microsoft Outlook user accounts

SearchExchange.com expert Richard Luckett explains how to create a single password for both local and Microsoft Outlook accounts in a forest with one root domain and several child domains.

I have Exchange 2003 and one forest with one domain controller, abc.com, and six child domains, lyn.abc.com, wny.abc.com, queens.abc.com and so on. All my users log into their own local domain (for example: lyn.abc.com). They use Microsoft Outlook to log onto our Exchange server with the login:

Username: cuser@abc.com
Domain: abc.com
Password: password

We want to have one password for their local accounts and Microsoft Outlook accounts. This works fine in the abc.com location because the server is in abc.com. It does not need to authenticate to the server manually, and they can change their own passwords for Windows and Exchange Server. We would like to do the same for our child domains. Do you have any suggestions?

You have actually created a problem by generating separate user accounts (one for their mailboxes and another for their domain). In a single Active Directory forest, this is not necessary regardless of the number of trees and domains.

There is a tool that can help you out here; it is called the Active Directory Account Cleanup Wizard. It is included with the Exchange System Tools on the Exchange Server 2003 CD. When you run this tool, it will help you identify duplicate accounts and then let you merge them together into one account. Be careful that the target account is the one in the user's domain. Once the two accounts are merged, then you can use a single username and password.

It is possible to change the User Principal Name (UPN) suffix of your child domains' user accounts to be the same as the root domain. In fact, you can change it to be whatever you like. However, it will not change the actual domain they are in. If your users log on using their UPN (what looks like their email address), then the Domain field should be grayed out. In fact, Windows XP Professional doesn't even have a Domain field with its logon, so the domain can be transparent to the end user.
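The UPN suffix change described in the answer, sketched as an added example that is not part of the original Q&A or the expert's own tooling: it dry-runs the change for one child domain and first checks the forest for an account that already holds the target UPN, which is the situation the duplicate mailbox accounts in abc.com would create. It assumes the ActiveDirectory PowerShell module (which postdates the Exchange 2003 tools named above), a global catalog reachable at `abc.com:3268`, and the sample domain names from the question.

```powershell
# Added example, not from the original page. Dry run only: -WhatIf makes no changes.
Import-Module ActiveDirectory

$ChildDomain   = 'lyn.abc.com'    # child domain from the question
$NewSuffix     = 'abc.com'        # root-domain UPN suffix
$GlobalCatalog = 'abc.com:3268'   # assumption: GC port on a forest-root DC

$users = Get-ADUser -Server $ChildDomain -Filter 'Enabled -eq $true' `
                    -Properties UserPrincipalName, CanonicalName

$report = foreach ($u in $users) {
    if (-not $u.UserPrincipalName) { continue }

    $prefix, $suffix = $u.UserPrincipalName -split '@', 2
    if ($suffix -eq $NewSuffix) { continue }          # already uses the root suffix

    $newUpn   = '{0}@{1}' -f $prefix, $NewSuffix
    $action   = 'WouldChange'
    $conflict = $null

    if ($prefix -notmatch '^[A-Za-z0-9._-]+$') {
        # Keep unusual characters out of the filter string; handle these by hand.
        $action = 'ManualReview'
    }
    else {
        # A UPN must be unique across the forest, so search the global catalog.
        $clash = Get-ADUser -Server $GlobalCatalog -Filter "UserPrincipalName -eq '$newUpn'"
        if ($clash) {
            # Typically the duplicate mailbox account: merge the accounts first.
            $action   = 'Conflict'
            $conflict = $clash.DistinguishedName -join '; '
        }
        else {
            Set-ADUser -Identity $u -Server $ChildDomain -UserPrincipalName $newUpn -WhatIf
        }
    }

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        OldUpn         = $u.UserPrincipalName
        NewUpn         = $newUpn
        Action         = $action
        ConflictsWith  = $conflict
        CanonicalName  = $u.CanonicalName   # still starts with the child domain
    }
}

$report | Sort-Object Action | Format-Table -AutoSize
```

The `CanonicalName` column shows that each account remains in its child domain whatever suffix its UPN carries; remove `-WhatIf` only after every `Conflict` row has been resolved.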
