Active Directory user names: why does the canonical name vary? Can I do something to make them uniform?


Solution 1

Active Directory does not really concern itself with how the User account object's RDN (the last part of the Canonical Name) relates to other properties like the Display Name or the Logon Name - as long as the value of each individual attribute doesn't violate the schema definition.

The behavior of the "New User" form in Active Directory Users and Computers (as well as a number of other dialogues) has changed significantly between Windows Server 2003 and Windows Server 2008 R2 - and that's probably why they're not consistent.

You can use PowerShell to move the non-system accounts, and then go through the users and rename them to whatever their Display Name is:

# Create new OU named RegularUsers
New-ADOrganizationalUnit -Name RegularUsers -Path "dc=domain,dc=com"

# Retrieve all users that are not critical system objects
$users = Get-ADUser -SearchBase "CN=Users,DC=domain,DC=com" -SearchScope OneLevel -Filter {-not(isCriticalSystemObject -like '*')}

# Go through each and move to the new OU
foreach($user in $users){
    Move-ADObject $user -TargetPath "OU=RegularUsers,DC=domain,DC=com"
}

# Retrieve all users in the new OU (DisplayName is not returned by default, so request it explicitly)
$movedUsers = Get-ADUser -SearchBase "OU=RegularUsers,DC=domain,DC=com" -SearchScope OneLevel -Filter '*' -Properties DisplayName

foreach($user in $movedUsers){
    # Test if Display Name and object Name is the same, if not - rename
    # (skip accounts with an empty Display Name, which Rename-ADObject would reject)
    if($user.DisplayName -and ($user.DisplayName -ne $user.Name))
    {
        Rename-ADObject $user -NewName "$($user.DisplayName)"
    }
}

For the first step, you could also just highlight all the user accounts in ADUC and drag-n-drop them to another location.
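An added dry-run audit to run before the rename loop above (example code, not part of the original answer). It assumes the same domain.com and RegularUsers OU names; it reports accounts with no Display Name and Display Names shared by more than one account in the OU, because the CN must be unique within a container and a collision would abort the rename, then previews the remaining renames with -WhatIf.

```powershell
# Added example: audit and preview before renaming user objects to their Display Name.
# Assumes the OU created in Solution 1; adjust $ou for your domain.
Import-Module ActiveDirectory

$ou = "OU=RegularUsers,DC=domain,DC=com"

# DisplayName is not in the default property set, so ask for it explicitly.
$users = Get-ADUser -SearchBase $ou -SearchScope OneLevel -Filter '*' -Properties DisplayName

# 1. Accounts with an empty Display Name cannot be renamed to it; report them instead of failing mid-loop.
$missing = @($users | Where-Object { [string]::IsNullOrWhiteSpace($_.DisplayName) })
if ($missing.Count -gt 0) {
    Write-Warning "Skipping $($missing.Count) account(s) with an empty Display Name:"
    $missing | ForEach-Object { Write-Warning "  $($_.SamAccountName)" }
}

# 2. The RDN (CN) must be unique within a container, so two users with the same
#    Display Name in the same OU would collide. Find duplicates before touching anything.
$dupes = @($users | Where-Object { $_.DisplayName } |
    Group-Object -Property DisplayName | Where-Object { $_.Count -gt 1 })
foreach ($group in $dupes) {
    Write-Warning "Display Name '$($group.Name)' is shared by: $($group.Group.SamAccountName -join ', ')"
}
$dupeNames = @($dupes | ForEach-Object { $_.Name })

# 3. Preview the rename for every remaining account whose CN differs from its Display Name.
#    -WhatIf only prints what would happen; remove it to apply the change.
$candidates = $users | Where-Object {
    $_.DisplayName -and ($_.DisplayName -notin $dupeNames) -and ($_.Name -ne $_.DisplayName)
}
foreach ($user in $candidates) {
    Rename-ADObject -Identity $user.DistinguishedName -NewName $user.DisplayName -WhatIf
}

# The logon name (sAMAccountName / UPN) is never changed here, so users keep signing in as before.
```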

Solution 2

The CN/DN of an object is not all that relevant, as it is only used internally by AD and in LDAP queries; end users (and administrators) very rarely get to even see it. It actually changes on its own when you move objects around, because it includes the full LDAP path of the object.

If you want to standardize it, this can be done without any side effects; the only thing users are actually concerned with is their logon name, and as long as you don't change that, they will continue to log on as usual.

To change it, you can either use the ADUC console, or the PowerShell command Rename-ADObject.

Solution 3

The dsmove command should be able to change the canonical name for you. I've done this in test environments but never in live environments so I would advise proceeding with caution.

Also, semi-related, I would advise implementing another domain controller to avoid a headache should your only DC go down.


Author: evilspoons

Updated on September 18, 2022

Comments

  • evilspoons
    evilspoons over 1 year

    I am a self-taught administrator of a work Active Directory network used for Windows logins on ~30 PCs. I inherited the system from someone else who also didn't have any direct Microsoft training and as a result I am in the dark on a couple things.

    The network itself has a single Windows Server 2008 R2 machine acting as domain controller, DNS, file shares, etc. Logins work fine, but I was poking around the list of users while disabling old accounts and I noticed something I don't quite understand.

    Here are a couple sample user accounts:

    1. Logon Name: john
      First Name: John
      Last Name: Smith
      Display Name: John Smith
      Canonical Name of Object: domain.com/Users/john

    2. Logon Name: bob
      First Name: Bob
      Last Name: French
      Display Name: Bob French
      Canonical Name of Object: domain.com/Users/Bob French

    The current domain controller was swapped in from another one that used to run Windows Server 2003. The first sample account was created when the Server 2003 box was DC, the second was created when the newer Server 2008 R2 box was DC. Why is the Canonical Name different, and does it make any difference?

    I'm mostly annoyed by the fact that my users list in the active directory browser has half the accounts as 'firstname' and half as 'firstname lastname'.

    Can I do something to make all of them the same without breaking working accounts?

    • Mathias R. Jessen
      Mathias R. Jessen about 10 years
      Do you actually store the users in the domain.com/Users OU? Or is it just an example?
    • evilspoons
      evilspoons about 10 years
      Yes - they are all in domain.com/Users/ along with a number of security groups. Is this bad practice? Should I move them? Can I move them without wrecking everything?
    • Massimo
      Massimo about 10 years
      It depends on how many objects are in your AD and on how you want them organized; generally, it's better to place them in OUs to better organize them and apply GPOs to them, and it's considered best practice to leave the default containers (such as "Users") alone.
  • evilspoons
    evilspoons about 10 years
    If the domain & forest's functional level is at Server 2008 R2, can the old Server 2003 box act as a secondary DC or do we need to upgrade that machine's OS?
  • Massimo
    Massimo about 10 years
    You can't raise the domain/forest functional level to version X unless all DCs in the domain/forest have at least that OS release.
  • Steve Butler
    Steve Butler about 10 years
    I'd say CN/DN is important when it comes to integrating with applications. AD integration is usually not found, where LDAP usually is. It's nice to have your CN/DN follow a standard. It looks prettier too :) Great information on how to actually change it though.
  • Steve Butler
    Steve Butler about 10 years
    @evilspoons yes, you can, but as massimo says, it will have to be at a 2003 Domain level in order to do that.
  • Mathias R. Jessen
    Mathias R. Jessen about 10 years
    @SteveButler Since DFL/FFL 2008R2 can't be reverted further than level 2008, "yes" is definitely not the answer here
  • evilspoons
    evilspoons about 10 years
    Alright, so my options are rebuild the domain at a 2003 level (not going to happen) or upgrade the 2003 box to 2008 R2 (also probably not going to happen, my boss would sooner spend the money on a new machine than play with an old one). I'll make extra sure our backups are good though, just in case something DOES die...
  • Dan Krueger
    Dan Krueger over 2 years
    I just wanted to add a supplemental to this post. This was a difficult thing to do on a Server 2016. I'm not sure if the parameters changed, but the key was that the identification for the user with the name was difficult to find. In my case, the user's name was changed/account assigned. Using the above steps in PowerShell I retrieved the user info with "Get-ADUser -Identity 'theusersloginid' -Properties *". Then in this list I found the DistinguishedName property. I was able to feed this to Rename-ADObject -Identity "theDistinguishedName" -NewName "TheUsersNewName"