Microsoft Active Directory - How to update/add DN

Posted on 2007-07-25
Last Modified: 2009-12-16
I am using Microsoft Windows 2003 Server with Active Directory. When I create a new user, say "Clara Leffler" with ID "cleffler", Active Directory assigns the DN "CN=Clara Leffler, CN=Users, DN=DOMAIN, DN=COM".
I wish to use the ID instead as the Common Name in the DN, as in "CN=cleffler, CN=Users, DN=DOMAIN, DN=COM". Could I update some settings in Active Directory to update this? Or, even better, is it possible to have two DNs for the same user cleffler?
I also tried to update the DN value using ADSIEdit, but got an error saying the object is owned by the System.

Question by:rajesh_bala

    Assisted Solution

    You can change this default behaviour.  You might be OTL regarding making it the same as the logon name.  I don't think the property allows for first initial.

    It involves loading the ADSIedit MMC and then connecting to the Configuration naming context.
    Expand the Configuration node
    Expand DisplaySpecifiers
    Select CN=409 <- this is for English.  If you have a different regional setting, you may have to select another location number.
    Right click the user-Display class and select properties
    Select the createDialog Property.

    The createDialog property controls how the DN is created.
    %<givenName> %<sn> is probably what you have
    %<sn>,%<givenName> would be last name, first

    This will not affect existing accounts, only new ones.

    See these:

    Accepted Solution


    The DN is a unique identifier, you can't duplicate them. And because of the unique constraint and importance to the database you can't manually change the DN in ADSIEdit.

    If you need to alter the DN through the GUI you must right click and run "Rename". This allows you to change the name used in the display in AD Users and Computers as well as the CN portion of the Distinguished Name.

    Alternatively moving the user to a different Organizational Unit will change the path portion of the Distinguished Name, although not really the part you're interested in above.

    Finally, renaming accounts in code would require the use of the MoveHere method in ADSI. Exactly the same as is used for moving between OUs in the GUI.

    For new accounts AD picks the Display Name attribute filled in while entering the details in the GUI to generate the Container Name CN=<User Name>.  I'm not sure that behaviour can be changed as it's an assumption the code makes to create the account.

    You can, of course, create accounts using your own code which would allow you to define the format of the CN without trouble.
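
The rename described in the accepted answer, as an added PowerShell example that is not part of the original thread or any poster's code: it sets a user's CN to the logon ID (sAMAccountName) through .NET's `DirectoryEntry.Rename`, after escaping the new value and checking that the resulting DN is not already taken. The function names and the sample DN are assumptions made for illustration.

```powershell
# Added example: make a user's CN equal to the logon ID (sAMAccountName).
# Function names and the sample DN at the bottom are constructed placeholders.

function ConvertTo-EscapedRdnValue {
    param([Parameter(Mandatory=$true)][string]$Value)
    # Escape characters that are special inside a DN component (RFC 4514).
    $escaped = $Value -replace '([\\,+"<>;=])', '\$1'
    $escaped = $escaped -replace '^([ #])', '\$1'   # leading space or '#'
    $escaped -replace ' $', '\ '                    # trailing space
}

function Rename-UserCnToLogonId {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([Parameter(Mandatory=$true)][string]$UserDn)

    $user    = [ADSI]"LDAP://$UserDn"
    $sam     = [string]$user.psbase.Properties['sAMAccountName'].Value
    $current = [string]$user.psbase.Properties['distinguishedName'].Value
    if (-not $sam) { throw "No sAMAccountName found on $UserDn" }

    # New DN = new RDN + the unchanged parent path.
    $newRdn    = 'CN=' + (ConvertTo-EscapedRdnValue $sam)
    $parent    = $user.psbase.Parent
    $parentDn  = [string]$parent.psbase.Properties['distinguishedName'].Value
    $target    = "$newRdn,$parentDn"

    if ($target -eq $current) { return $target }    # already named after the ID

    # A DN is unique, so refuse the rename if another object already holds it.
    if ([System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$target")) {
        throw "Cannot rename: $target already exists"
    }

    # Same operation as "Rename" in AD Users and Computers; -WhatIf skips it.
    if ($PSCmdlet.ShouldProcess($current, "Rename to $newRdn")) {
        $user.psbase.Rename($newRdn)
    }
    $target
}

# Dry run against a constructed DN; drop -WhatIf to apply the change.
Rename-UserCnToLogonId -UserDn 'CN=Clara Leffler,CN=Users,DC=domain,DC=com' -WhatIf
```

Only the CN (and therefore the DN) changes; the account's sAMAccountName, SID and group memberships are untouched, but anything that stores the old DN as a string needs updating.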



    Expert Comment

    Here is a link that has the dsmod user syntax. With it, you should be able to do what you are trying to do.

    Good Luck,

    Expert Comment

    But no, you cannot change the DN - it is what it is.

    Sorry, I misread the question,

    Good Luck,

