Microsoft Active Directory - How to update/add DN

I am using Microsoft Windows 2003 Server with Active Directory. When I create a new user say "Clara Leffler" with ID as " cleffler". The active directory assigns DN as "CN=Clara Leffler, CN=Users, DN=DOMAIN, DN=COM".
I wish to use the ID instead for Common Name in the DN as "CN=cleffler, CN=Users, DN=DOMAIN, DN=COM". Could I update some settings in Active Directory to udpate this? Or even better is it possbile to have two DN for same user cleffler?
I also  tried to update the DN value using ADSIEdit, but got error saying object is owned by the System.

LVL 10
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

PberSolutions ArchitectCommented:
You can change this default behaviour.  You might be OTL regarding making it the same as the logon name.  I don't think the property allows for first initial.

It involves loading the ADSIedit MMC and then connecting to the Configuration naming context.
Expand the Configuration node
Expand DisplaySpecifiers
Select CN=409 <- this is for english.  If you have a different regional setting, you may have to select another location number.
Right click the user-Display classs and select properties
Select the createDialog Property.

the createDialog property controls how the DN is created.
%<givenName> %<sn> is probably what you have
%<sn>,%<givenName> would be last name, first

This will not affect existing accounts, only new ones.

See these:

Chris DentPowerShell DeveloperCommented:

The DN is a unique identifier, you can't duplicate them. And because of the unique constraint and importance to the database you can't manually change the DN in ADSIEdit.

If you need to alter the DN through the GUI you must right click and run "Rename". This allows you to change the name used in the display in AD Users and Computers as well as the CN portion of the Distinguished Name.

Alternatively moving the user to a different Organizational Unit will change the path portion of the Distinguished Name, although not really the part you're interested in above.

Finally, renaming accounts in code would require the use of the MoveHere method in ADSI. Exactly the same as is used for moving between OUs in the GUI.

For new accounts AD picks the Display Name attribute filled in while entering the details in the GUI to generate the Container Name CN=<User Name>.  I'm not sure that behaviour can be changed as it's an assumption the code makes to create the account.

You can, of course, create accounts using your own code which would allow you to define the format of the CN without trouble.



Experts Exchange Solution brought to you by ConnectWise

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
here is a link that has the dsmod user syntax. with it, you should be able to do what you are trying to do.

Good Luck,
but no, you cannot change the DN - it is what it is.

Sorry, i misread the question,

Good Luck,

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.