Solved

Change Default LDAP CN on Active Directory users

Posted on 2009-05-07
5
2,014 Views
Last Modified: 2012-06-27
We moved from a Novell NetWare server to a MS Windows Server 2003 AD server recently... users were migrated using a utility by Quest software and everything worked out great - until now.

When the migration utility copied over the users, the CN in an LDAP query was the same as our usernames (FirstInitialLastname) - this is what we wanted because one of the applications we use query via LDAP but does not let us specify which field to query (So we can't force the program to pull sAMAccountName - it only pulls the CN). Again, this has been working fine since the CN is the same as the username... except - all new users... users that weren't on the Novell server, the CN is FirstName LastName.

I looked around on Google and found Adsiedit and it mentioned:
# In the right-hand pane, open the properties for "CN=user-Display".
# Scroll to the createDialog optional property.
# Set the attribute to %<sn>.%<givenName>. Make sure that you click Set.
Note The only tokens that can be formatted in the dislayName are %<sn>, %<givenName>, and %<initials>.

It doesn't let me use %<sAMAccountName > or %<userPrincipalName>.

So how can I do this? How can I make the default CN be the same as the username?

I've seen ADAM mentioned but I haven't looked into it too much. If I made an ADAM server and tied it into our AD database could I "re-arrange" the fields a bit?

Thank you for your time.
0
Comment
Question by:sbrown_cesd
  • 2
  • 2
5 Comments
 
LVL 15

Expert Comment

by:zelron22
ID: 24329105
When you look at the General tab of a migrated user's properties in AD Users and Computers, what does it show for First Name and Last Name?
0
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 250 total points
ID: 24329107
To my knowledge, you cannot enforce this using only native AD tools like ADSI Edit or AD Users & Computers. You'll need to use either a home-grown or paid provisioning script or tool (roll your own user creation VBScript, Powershell or web page) that will populate CN automatically using the same value as sAMAccountName. Unfortunately, native string validation functionality within AD is somewhat limited, as you're discovering.
0
 

Author Comment

by:sbrown_cesd
ID: 24329230
zelron22:
Username: sbrown
First Name: Scott
Last Name: Brown
Display Name: Scott Brown
CN= sbrown

LauraEHunterMVP:
I was afraid of that... I saw some scripts online - I might have to play with those on a test domain controller (don't want to accidentally wipe out my server :-) )
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 24329271
Thing with AD is that it's really good at publishing information and replicating it everywhere. It's really not good at (nor was it intended to be good at) enforcing "business rules" such as the proper way to format a telephone number or the name of a city, etc.
0
 
LVL 15

Expert Comment

by:zelron22
ID: 24329608
Holy moly Ms. Hunter, you've got more credentials than I've got [insert lame joke here].
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now