As noted in Microsoft's article "What is the Global Catalog" (cc728188(WS.10)), a UPN is:
A user principal name (UPN) is a logon name that takes the form of an e-mail address. A UPN specifies the user ID followed by a DNS domain name, separated by an "@" character (for example, firstname.lastname@example.org). UPNs allow administrative management of the UPN suffix to provide logon names that:
- Match the user’s e-mail name.
- Do not reveal the domain structure of the forest.
When a user account is created, the UPN suffix is generated by default as userName@DnsDomainName, but it can be changed administratively. For example, in a forest that has four domains, the UPN suffix might be configured to map to the external DNS name for the organization. The userPrincipalName attribute of the user account identifies the UPN and is replicated to the global catalog.
When you use a UPN to log on to a domain, your workstation contacts a global catalog server to resolve the name because the UPN suffix is not necessarily the domain for which the contacted domain controller is authoritative. If the DNS domain name in the UPN suffix is not a valid DNS domain, the logon fails. Assuming the UPN suffix is a valid DNS name, the global catalog server returns the Active Directory domain name to your workstation, which then queries DNS for a domain controller in that domain.
If a company has more than one forest and uses trust relationships between the domains in the different forests, a UPN cannot be used to log on to a domain that is outside the user’s forest because the UPN is resolved in the global catalog of the user’s forest.
To set up a filter to find the UPN:
- Select Authentication > Auth. Servers > LDAP Server...
- At "Finding user entries", specify the following syntax, and save the changes.
Note: "|" is the LDAP OR operator.
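As an added illustration, not the product's own filter syntax (which this page does not reproduce), the Python helper below builds an OR filter that matches a logon name against either sAMAccountName or userPrincipalName, escaping the value per RFC 4515 so that user-supplied input cannot alter the filter, and checks that a UPN suffix is at least a syntactically valid DNS name, mirroring the "valid DNS domain" requirement quoted above. The attribute pair and the sample logon names are assumptions.

```python
import re

# RFC 4515 escaping for values placed inside an LDAP search filter. Without it,
# a logon name containing "*", "(" or ")" would change the meaning of the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for safe use as an LDAP filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(logon_name: str) -> str:
    """Build an OR filter ("|") over the pre-Windows 2000 logon name and the UPN.

    Attribute pair is an assumption for this example, not a product default.
    """
    value = escape_filter_value(logon_name)
    return f"(|(sAMAccountName={value})(userPrincipalName={value}))"


# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_DNS_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def upn_suffix(logon_name: str):
    """Return the lower-cased DNS suffix of a UPN, or None if the name is not a
    syntactically valid UPN (exactly one "@", non-empty user part, and a suffix
    made of at least two valid DNS labels)."""
    if logon_name.count("@") != 1:
        return None
    user, suffix = logon_name.split("@")
    if not user or not suffix:
        return None
    labels = suffix.split(".")
    if len(labels) < 2 or not all(_DNS_LABEL.match(label) for label in labels):
        return None
    return suffix.lower()


if __name__ == "__main__":
    # Constructed sample inputs: a plain logon name and the UPN form used on this page.
    for name in ("jdoe", "firstname.lastname@example.org", "j*doe"):
        print(name, "->", build_user_filter(name), "| suffix:", upn_suffix(name))
```

Only a suffix that passes the syntactic check is worth handing to the global catalog; a name with no "@" is simply a pre-Windows 2000 logon name and is still matched by the first branch of the OR filter.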