• Status: Solved
  • Priority: Medium
  • Security: Public

Microsoft Active Directory - How to update/add DN

I am using Microsoft Windows 2003 Server with Active Directory. When I create a new user, say "Clara Leffler" with ID "cleffler", Active Directory assigns the DN "CN=Clara Leffler, CN=Users, DN=DOMAIN, DN=COM".
I wish to use the ID instead for the Common Name in the DN, as "CN=cleffler, CN=Users, DN=DOMAIN, DN=COM". Could I update some settings in Active Directory to update this? Or, even better, is it possible to have two DNs for the same user cleffler?
I also tried to update the DN value using ADSIEdit, but got an error saying the object is owned by the System.

2 Solutions
Pber (Solutions Architect) commented:
You can change this default behaviour.  You might be OTL regarding making it the same as the logon name.  I don't think the property allows for first initial.

It involves loading the ADSIedit MMC and then connecting to the Configuration naming context.
Expand the Configuration node
Expand DisplaySpecifiers
Select CN=409 <- this is for English.  If you have a different regional setting, you may have to select another location number.
Right click the user-Display class and select Properties
Select the createDialog Property.

The createDialog property controls how the DN is created.
%<givenName> %<sn> is probably what you have
%<sn>,%<givenName> would be last name, first

This will not affect existing accounts, only new ones.

See these:

Chris Dent (PowerShell Developer) commented:

The DN is a unique identifier, you can't duplicate them. And because of the unique constraint and importance to the database you can't manually change the DN in ADSIEdit.

If you need to alter the DN through the GUI you must right click and run "Rename". This allows you to change the name used in the display in AD Users and Computers as well as the CN portion of the Distinguished Name.

Alternatively moving the user to a different Organizational Unit will change the path portion of the Distinguished Name, although not really the part you're interested in above.

Finally, renaming accounts in code would require the use of the MoveHere method in ADSI. Exactly the same as is used for moving between OUs in the GUI.

For new accounts AD picks the Display Name attribute filled in while entering the details in the GUI to generate the Container Name CN=<User Name>.  I'm not sure that behaviour can be changed as it's an assumption the code makes to create the account.

You can, of course, create accounts using your own code which would allow you to define the format of the CN without trouble.
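
The MoveHere rename described in the answer above, applied to accounts that already exist, as an added example that is not part of the original thread. The container path is an assumed placeholder, `Get-Children` is a helper written for this sketch, and `-Apply` is a switch of this script only.

```powershell
# Added example (not from the thread): set each user's CN to its logon name
# by calling IADsContainer::MoveHere on the object's current container.
param(
    # Assumed placeholder path; point it at your own container or OU.
    [string]$ContainerPath = 'LDAP://CN=Users,DC=domain,DC=com',
    [switch]$Apply   # without -Apply the script only reports what it would do
)

$container = [ADSI]$ContainerPath

function Get-Children([string]$Filter) {
    $s = New-Object System.DirectoryServices.DirectorySearcher($container, $Filter)
    $s.SearchScope = 'OneLevel'   # direct children only
    $s.PageSize = 500             # page through large containers
    [void]$s.PropertiesToLoad.Add('cn')
    [void]$s.PropertiesToLoad.Add('sAMAccountName')
    $s.FindAll()
}

# A DN must be unique, so record every CN already taken in this container
# (groups and computers included). Hashtable keys are case-insensitive.
$taken = @{}
foreach ($r in Get-Children '(cn=*)') { $taken[[string]$r.Properties['cn'][0]] = $true }

foreach ($r in Get-Children '(&(objectCategory=person)(objectClass=user))') {
    $cn  = [string]$r.Properties['cn'][0]
    $sam = [string]$r.Properties['samaccountname'][0]
    if ($cn -eq $sam) { continue }
    if ($taken.ContainsKey($sam)) {
        Write-Warning "Skipping '$cn': CN=$sam already exists in this container"
        continue
    }
    # Escape RDN special characters (RFC 4514) before building the new name.
    $rdn = 'CN=' + ($sam -replace '([,+"\\<>;=])', '\$1' -replace '^([# ])', '\$1')
    if ($Apply) {
        # Same container + new RDN = rename; only the CN part of the DN changes.
        [void]$container.psbase.Invoke('MoveHere', $r.Path, $rdn)
        $taken.Remove($cn); $taken[$sam] = $true
    }
    "{0} -> {1}" -f $r.Path, $rdn
}
```

Run it without `-Apply` first and review the report; the rename leaves sAMAccountName and the display name untouched.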


Here is a link that has the dsmod user syntax. With it, you should be able to do what you are trying to do.


Good Luck,
but no, you cannot change the DN - it is what it is.

Sorry, I misread the question,

Good Luck,

