Dealing With CalNetID Changes

Created: 01/29/2003 Version 1.01

I. Overview
II. Dealing with CalNetID changes to accounts in your OU
III. Procedure

I. Overview

Faculty, staff, and affiliate CalNet IDs can be changed to a self-selected ID from the CalNet website. The new self-selected ID is automatically synchronized overnight with Active Directory. If this overnight processing delay is acceptable, then nothing else needs to be done. However, if there is a need to immediately use the self-selected ID before the automatic nightly process, an OU administrator can make a manual synchronization of the user attributes in Active Directory.

This page provides some guidelines on the options for dealing with the transition from one CalNetID to a new ID for a CalNet Active Directory CalNetAD) account that is already under the control of a local Organizational Unit (OU).

Before proceeding, verify that you have everything that you need:

• a valid OU administrator account and password

• Windows 2000 Server Support Tools installed on your machine.

• Active Directory Users and Computers mmc console

II. Dealing with CalNetID changes to accounts in your OU

Following one of your user's changing to a new CalNetID via the CalNet website, the shadow account in CalNetAD will automatically be updated by the nightly integration process between the CalNet Directory and Active Directory. The new CalNet ID information should be available by the morning of the next day after the change was made.

However, an OU administrator could opt to provide accelerated access to the CalNetID change by manually updating three user account attributes: 1) sAMAccountName, 2) userPrincipalName, and 3) altSecurityIdentities.

If these three attributes are correctly updated, logons using the new CalNetID and passphrase will work immediately. The automatic CalNet Directory synchronization process does not modity the CalNet Active Directory "cn" attribute (except in the case of student accounts which normally would not be under control of an OU administrator). Thus the "cn" attribute can be modified as needed for local OU administrative purposes. The "cn" value is the name that appears labeled as "Full name" within the MMC admin tools and in directory browsing by CalNetAD users.

Below is an example of the attributes that need to be manually updated, should that option be selected, for a user who has changed his CalNetID from '1234567890' to 'mynewid'. The attribute name is listed in red, the attribute name label as displayed in the mmc tool is displayed in blue.

III. Procedure

This procedure assumes the operator has administrative privileges for the user account requiring update of the attributes containing CalNetID information.

1. Open the Active Directory Users and Computers MMC tool.

2. Select the user account in the appropriate OU and double click on the user account.

3. Select the Account tab in the <user> Properties screen.

4. Change the User logon name and User logon name (pre-Windows 2000) to the users new CalNet ID.

   

5. Select the OK button to close the Properties dialog.

6. Select the View pull-down menu and verify that Advanced Features is checked.

   

7. Right click on the user account and select Name Mappings from the menu.

8. Select the Kerberos Names tab from the Security Identity Mapping screen.

   

9. Select the Edit button and enter the <mynewid>@BERKELEY.EDU. 'BERKELEY.EDU' must remain capitalized for Kerberos to work properly.

10. Select the OK button to close the edit dialog.

    

11. Select the OK button to close the Security Identity Mapping dialog.

12. Close the Active Directory Users and Computers MMC tool.

13. The user should now be able to logon with a username of <mynewid>@BERKELEY.EDU. The password is the CalNet ID passphrase. The Domain field should be grayed out.