I am trying to determine how each of the following four Active Directory
user attributes (Listed below) are used and any possible negative
consequences on such a change. I have an Oracle to HR Sync program I have
written and we are now passing the display name to AD and obviously it isn't
that simple. I have had some success going through MSDN but I'm hoping
someone might have a complete definition of each of their uses.

Right now I don't see an issue of syncing the four attributes up so they all
are equivalent. Anybody who is familiar with these attributes please
provide any and all feedback.

displayName
displayNamePrintable
cn
name

Thanks for your time

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

Re: AD Attributes and their usage by Austin

Austin
Thu Oct 18 08:22:07 PDT 2007

Hi Paul,
I guess it depends on what other apps will query these attributes and what
they expect to see but they always seem to contain identical values (except
displayNamePrintable which is not set).
I'd use the same value for all

Austin




RE: AD Attributes and their usage by SteveB

SteveB
Thu Oct 18 09:01:00 PDT 2007


Name = This is the full name of the user. By default this will be the first
name plus Last Name (however, can be different if you want it to be). When you
create a user - this is set by the Full Name field. In addition, this is
the name you see displayed in Active Directory Users and Computers.

displayName - By default this is set to the same as the full name. This is
the name displayed in the Exchange Global Address List. Can be different
from the full name.

cn - this is the LDAP common name for the user (required as part of LDAP
standard). Every object in the directory must have a CN. This will be the
same as the full name. Makes up part of the Distinguished Name. Owned by the
System. Changes when the full name is changed.

displayNamePrintable - not used.


I would sync up the first three but not displayNamePrintable since I have no
knowledge of its use (unless someone can help here). It may be used in later
versions of AD - so to avoid issues later on I wouldn't use it.

Regarding the other three - I would personally make them the same.
Otherwise it could be hard to identify the user.

HTH

Re: AD Attributes and their usage by Richard

Richard
Thu Oct 18 09:05:29 PDT 2007

The attribute with LDAP-Display-Name "Name" is actually the RDN attribute,
the Relative Distinguished Name of the object. For user objects, this is the
value of the "cn" attribute. If you change the value assigned to cn, by
renaming the object, the value assigned to Name will also change. The
documentation says that Name can only be updated by the Schema
Administrator. I interpret this to mean that the Schema Administrator
dictates which attribute is the RDN. For OU objects it is the attribute ou,
for user objects it is the attribute cn. In any case, you really only have 3
attributes to worry about. The values of cn and Name will always be the same
for user objects.

The value of cn must be unique in the parent container/OU and is mandatory.
I think the value of cn is limited to about 120 characters, and a few
possible characters must be escaped (like the comma, pound sign, and
backslash) with the backslash escape character. There are no restrictions on
displayName or displayNamePrintable, except a limit of a few thousand
characters.

I'm surprised sAMAccountName (pre-Windows 2000 logon name) is not on your
list, unless that is what you meant by Name. It can avoid confusion if the
values of cn and sAMAccountName are the same. sAMAccountName must be unique
in the domain, a few characters are not allowed, and the value is limited to
20 characters (for user objects).

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
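
The cn constraints described in the reply above (unique within the parent container, length-limited, special characters backslash-escaped in the DN) can be checked before a sync run writes anything. The following is an added example, not code from any poster in this thread; the record layout, the function names and the sample data are hypothetical, and the 64-character limit assumes the default AD schema.

```python
# Pre-flight check for an HR-to-AD display name sync (added example).
# Pure logic, no directory connection: it decides which cn renames are safe
# and builds the escaped RDN to use for each rename. displayName takes the
# raw value; cn (and therefore name) only changes by renaming the object.

CN_MAX = 64  # assumption: rangeUpper of cn in an unmodified AD schema

# Characters that must be backslash-escaped inside an RDN value (RFC 4514,
# plus '=' which AD also returns escaped).
_DN_SPECIALS = set('"+,;<>\\=')


def escape_rdn_value(value):
    """Escape an attribute value for use inside a distinguished name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # leading pound sign
            out.append("\\#")
        elif ch == " " and i in (0, last):  # leading or trailing space
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def plan_cn_sync(users, hr_names, cn_max=CN_MAX):
    """Return (renames, rejected) for the requested cn changes.

    users    : list of {"id", "parent", "cn"} describing current AD state
    hr_names : {id: desired name from HR}
    A change is rejected when the new cn is empty, too long, or already
    used by another object in the same parent (compared case-insensitively).
    Old names are not released during planning, which is conservative.
    """
    occupied = {(u["parent"].casefold(), u["cn"].casefold()): u["id"]
                for u in users}
    renames, rejected = [], []
    for u in users:
        new_cn = hr_names.get(u["id"])
        if new_cn is None or new_cn == u["cn"]:
            continue  # nothing to do for this user
        if not new_cn.strip():
            rejected.append((u["id"], "empty cn"))
            continue
        if len(new_cn) > cn_max:
            rejected.append((u["id"], f"cn longer than {cn_max} characters"))
            continue
        key = (u["parent"].casefold(), new_cn.casefold())
        owner = occupied.get(key)
        if owner is not None and owner != u["id"]:
            rejected.append((u["id"], f"cn already used in parent by {owner}"))
            continue
        occupied[key] = u["id"]
        renames.append({
            "id": u["id"],
            "old_dn": f"CN={escape_rdn_value(u['cn'])},{u['parent']}",
            "new_rdn": "CN=" + escape_rdn_value(new_cn),  # for the rename
            "display_name": new_cn,                       # plain attribute write
        })
    return renames, rejected


# Constructed sample data (not from the thread).
SALES = "OU=Sales,DC=example,DC=com"
HR = "OU=HR,DC=example,DC=com"
SAMPLE_USERS = [
    {"id": "u1", "parent": SALES, "cn": "John Smith"},
    {"id": "u2", "parent": SALES, "cn": "A Lee"},
    {"id": "u3", "parent": SALES, "cn": "ann lee"},
    {"id": "u4", "parent": HR, "cn": "A. Lee"},
    {"id": "u5", "parent": SALES, "cn": "Bob"},
    {"id": "u6", "parent": SALES, "cn": "Carol King"},
    {"id": "u7", "parent": SALES, "cn": "Rep One"},
]
SAMPLE_HR_NAMES = {
    "u1": "Smith, John",   # comma must be escaped in the RDN
    "u2": "Ann Lee",       # collides with u3 in the same OU
    "u4": "Ann Lee",       # same name, different OU: allowed
    "u5": "X" * 70,        # exceeds CN_MAX
    "u6": "Carol King",    # unchanged, skipped
    "u7": "#1 Rep",        # leading pound sign must be escaped
}

if __name__ == "__main__":
    ok, bad = plan_cn_sync(SAMPLE_USERS, SAMPLE_HR_NAMES)
    for r in ok:
        print("rename", r["old_dn"], "->", r["new_rdn"])
    for uid, reason in bad:
        print("skip", uid, "-", reason)
```
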



Re: AD Attributes and their usage by Richard

Richard
Thu Oct 18 09:09:06 PDT 2007

The value shown in the field labeled "Name" in ADUC for users is the value
of the cn (Common Name) attribute, which is the RDN of the object.

When you say by default, what you mean is the GUI defaults to these values
when the user object is created in ADUC.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--



Re: AD Attributes and their usage by Paul

Paul
Thu Oct 18 10:06:15 PDT 2007

What I have learned since I have posted the initial question is that when
the Full Name (Name) is modified within ADUC, the attribute cn (Common Name)
is updated to be equivalent to Full Name. SteveB has reinforced this
finding with info that replicates my learned experience.

I'm confused on the sAMAccountName reference, I don't want to touch this at
all. Since this is the pre-Windows 2000 logon attribute value, it is the
value users use to authenticate into our domain. Rarely does anyone use
their upn to authenticate, as a matter of fact it wouldn't surprise me to
learn if I was the only one who did use their upn.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.



Re: AD Attributes and their usage by Paul

Paul
Thu Oct 18 10:08:36 PDT 2007

Since it sounds like displayNamePrintable is only visible within ADSIEdit, I
will leave it alone.

I was able to learn that cn and name are in sync when modified within ADUC
(Plus you have verified this finding) so I will mirror this as well as
update the displayName.

Thanks for the feedback.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.



Re: AD Attributes and their usage by Richard

Richard
Thu Oct 18 10:42:01 PDT 2007

Many organizations make the values of sAMAccountName and cn the same to
avoid confusion. It is certainly not necessary, but when a user (or Admin)
knows the "Logon Name", a common complaint is that they cannot find the user
object in AD and cannot bind to the object.

You are correct that when you modify sAMAccountName, users must be notified
that their "Login Name" has changed. When you modify cn, you rename the
object, but this seems to have less impact.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--



Re: AD Attributes and their usage by Paul

Paul
Thu Oct 18 11:13:43 PDT 2007

I thought the user object was named after its upn. Could you elaborate
on...

"When you modify cn, you rename the object"

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.



Re: AD Attributes and their usage by Paul

Paul
Thu Oct 18 11:54:07 PDT 2007

Forget it, I don't know what I'm thinking. You are spot on.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.



Re: AD Attributes and their usage by Al

Al
Thu Oct 18 19:00:07 PDT 2007


"Richard Mueller [MVP]" <rlmueller-nospam@ameritech.nospam.net> wrote in
message news:e9cCD5aEIHA.5976@TK2MSFTNGP02.phx.gbl...
> Many organizations make the values of sAMAccountName and cn the same to
> avoid confusion. It is certainly not necessary, but when a user (or Admin)
> knows the "Logon Name", a common complaint is that they cannot find the
> user object in AD and cannot bind to the object.

That would certainly simplify things. We generally have the CN and display
name the same, but this is not universally true, as sometimes the display
name is changed at a user's request (because of duplicates in the
organization) and the CN is not changed to coincide. One minor annoyance is
that when a user relocates to an OU where someone has the same CN, the CN of
one of them *must* be changed. This then means that their display name would
change (if the ou admin was following procedure) something that users don't
like.

> You are correct that when you modify sAMAccountName, users must be
> notified that their "Login Name" has changed. When you modify cn, you
> rename the object, but this seems to have less impact.

I think the impact would be zero if cn and display name were not to be kept
the same.

/Al

>
> --
> Richard Mueller
> Microsoft MVP Scripting and ADSI
> Hilltop Lab - http://www.rlmueller.net
> --
>
> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message
> news:uZrCykaEIHA.4196@TK2MSFTNGP04.phx.gbl...
>> What I have learned since I have posted the initial question is that when
>> the Full Name (Name) is modified within ADUC, the attribute cn (Common
>> Name) is updated to be equivalent to Full Name. SteveB has reinforced
>> this finding with info that replicates my learned experience.
>>
>> I'm confused on the sAMAccountName reference; I don't want to touch this
>> at all. Since this is the pre-Windows 2000 logon attribute value, it is
>> the value users use to authenticate into our domain. Rarely does anyone
>> use their UPN to authenticate; as a matter of fact, it wouldn't surprise
>> me to learn if I was the only one who did use their UPN.
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCT, MCSE, MCSA, Security+, BS CSci
>> 2003, 2000 (Early Achiever), NT
>>
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> "Richard Mueller [MVP]" <rlmueller-nospam@ameritech.nospam.net> wrote in
>> message news:O%23P78CaEIHA.5208@TK2MSFTNGP04.phx.gbl...
>>>
>>> "Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message
>>> news:%23QAAoOZEIHA.1204@TK2MSFTNGP03.phx.gbl...
>>>>I am trying to determine how each of the following four Active Directory
>>>>user attributes (Listed below) are used and any possible negative
>>>>consequences on such a change. I have an Oracle to HR Sync program I
>>>>have written and we are now passing the display name to AD and obviously
>>>>it isn't that simple. I have had some success going through MSDN but
>>>>I'm hoping someone might have a complete definition of each of their
>>>>uses.
>>>>
>>>> Right now I don't see an issue of syncing the four attributes up so
>>>> they all are equivalent. Anybody who is familiar with these attributes
>>>> please provide any and all feedback.
>>>>
>>>> displayName
>>>> displayNamePrintable
>>>> cn
>>>> name
>>>>
>>>> Thanks for your time
>>>
>>> The attribute with LDAP-Display-Name "Name" is actually the RDN
>>> attribute, the Relative Distinguished Name of the object. For user
>>> objects, this is the value of the "cn" attribute. If you change the
>>> value assigned to cn, by renaming the object, the value assigned to Name
>>> will also change. The documentation says that Name can only be updated
>>> by the Schema Administrator. I interpret this to mean that the Schema
>>> Administrator dictates which attribute is the RDN. For OU objects it is
>>> the attribute ou, for user objects it is the attribute cn. In any case,
>>> you really only have 3 attributes to worry about. The values of cn and
>>> Name will always be the same for user objects.
>>>
>>> The value of cn must be unique in the parent container/OU and is
>>> mandatory. I think the value of cn is limited to about 120 characters,
>>> and a few possible characters must be escaped (like the comma, pound
>>> sign, and backslash) with the backslash escape character. There are no
>>> restrictions on displayName or displayNamePrintable, except a limit of a
>>> few thousand characters.
>>>
>>> I'm surprised sAMAccountName (pre-Windows 2000 logon name) is not on
>>> your list, unless that is what you meant by Name. It can avoid confusion
>>> if the values of cn and sAMAccountName are the same. sAMAccountName must
>>> be unique in the domain, a few characters are not allowed, and the value
>>> is limited to 20 characters (for user objects).
>>>
>>> --
>>> Richard Mueller
>>> Microsoft MVP Scripting and ADSI
>>> Hilltop Lab - http://www.rlmueller.net
>>> --
>
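
The constraints discussed in this thread (cn is the RDN and must be unique within its parent container, characters such as the comma, pound sign and backslash need a backslash escape, and sAMAccountName is limited to 20 characters for user objects) can be checked before a sync job renames anything. The Python below is an added example, not code from any poster; the function names, the OU and the sample users are constructed, and the escaping follows the RFC 4514 rules for distinguished names.

```python
# Pre-flight checks for a sync job that writes an HR display name into cn.
# Hypothetical helper names; directory contents below are constructed samples.

SAM_MAX_LEN = 20            # user-object limit, as stated in the thread
DN_SPECIALS = ',+"\\<>;'    # characters RFC 4514 requires escaping anywhere


def escape_rdn_value(value):
    """Backslash-escape an attribute value for use inside a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:           # '#' is special only when leading
            out.append("\\#")
        elif ch == " " and i in (0, last):   # leading or trailing space
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def plan_rename(parent_dn, new_cn, sam, sibling_cns):
    """Return (new_dn, problems) for renaming a user to new_cn under parent_dn.

    sibling_cns lists the cn values of the *other* objects in the container.
    """
    problems = []
    if not new_cn.strip():
        problems.append("cn is mandatory and cannot be empty")
    # cn is the RDN, so a clash with a sibling blocks the rename; the
    # comparison ignores case because AD treats cn as case-insensitive.
    if new_cn.casefold() in {c.casefold() for c in sibling_cns}:
        problems.append("cn already used in " + parent_dn)
    if len(sam) > SAM_MAX_LEN:
        problems.append("sAMAccountName longer than %d characters" % SAM_MAX_LEN)
    return "CN=%s,%s" % (escape_rdn_value(new_cn), parent_dn), problems


PARENT = "OU=Sales,DC=example,DC=com"    # constructed
SIBLINGS = ["Smith, Jane", "Lee, Sam"]   # constructed: other users in the OU

if __name__ == "__main__":
    for cn, sam in [("Doe, John", "jdoe"), ("smith, jane", "jsmith2"),
                    ("#1 Support", "firstlinesupportaccount1")]:
        print(plan_rename(PARENT, cn, sam, SIBLINGS))
```

A "Last, First" display name is the common case that breaks a hand-built DN, because the unescaped comma is read as an RDN separator.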