Solved

AD User Changed, but Old Name Appearing in CN String

Posted on 2011-02-20
Last Modified: 2012-05-11
There are a couple of users in my domain that have had their user names changed in the last couple of years.  If I click their user properties and browse through all the tabs, the alias and other pertinent username fields show to be correct.  For example, let's say one user's name was Jeff Green, but the original AD username was set up as Jeff Greene.  The user is renamed using the "rename" function in AD, and then I would go into the properties and make sure everything changed as expected.

The problem happens when I run a script that actually pulls the full AD context for that user.  I have a particular script in Outlook that is supposed to parse that context to ascertain a user's e-mail address, and with my example, even though the user's information in AD is completely correct (i.e., last name is "Green" and all of the username/alias fields show "jgreen"), the context string shows something like this:

/O=MYORG/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=JGREENE

How can I fix this so that the context name here is correct?  I can't find where this shows up and can be modified; and I'm not even sure if it really can.

Any help would be appreciated.  Thanks!
Question by:NateR78
9 Comments
 
LVL 13

Expert Comment

by:Mohamed ElManakhly
Well, I am not quite sure what the reason is, but I can tell you how to view these properties and edit them using ADSIedit.msc. You have to install the support tools from the Windows Server CD if you are using Windows 2003 in order to open the console. However, be extremely cautious when using this tool, as by doing so you are actually editing the Active Directory database.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
0
 
LVL 58

Expert Comment

by:tigermatt

That is not an Active Directory issue. It is an Exchange issue, and the value you quoted above for JGREENE is called his legacyExchangeDN.

The legacyExchangeDN was stamped on the mailbox when it was created and you really do not want to start hacking around with ADSIEdit to change it. It is used by Outlook when users send JGREENE an email internally. Editing it would cause undelivered email bounces as the users' Outlook Autocomplete caches are not updated, as well as other issues.

Using that string to ascertain a user's actual email address isn't always a foolproof method because email addresses can and do change. My advice would be to parse the user's proxyAddresses attribute in Active Directory instead, which will contain their actual email addresses as defined in AD and Exchange.

-Matt
0
 
LVL 3

Accepted Solution

by:
Tommy_Cooper earned 500 total points
It is because of this exact issue that many engineers will always argue that using the "rename" function of ADU&C is not good practice.

If a user requires a rename it is often better to export the mbx and all other details and then delete the original account and re-create a new one using the new name.

A little bit more hassle at the time, but in the long run, you now have a consistent convention of names and other attributes that keep your scripts simple :)
0
 
LVL 58

Expert Comment

by:tigermatt
>> If a user requires a rename it is often better to export the mbx and all other details and then delete the original account and re-create a new one using the new name

Definitely - but as long as you copy over the user's old legacyExchangeDN into an additional "X500" address on their new account.

Otherwise replies to messages they sent internally won't turn up, nor will the name picked from other users' Outlook autosuggest caches deliver correctly any longer.

I have also heard of people who make a new account, disable the old one but configure it to forward to the new one. Sounds too messy for my liking, but it's an alternative.

-Matt
0
 

Author Comment

by:NateR78
Thanks for the comments.  I did find the legacyExchangeDN attribute and was wondering if I should leave it as-is.  Based on the information here, I'm glad I made that decision.  I'll see how I can work around it.  @tigermatt: I will try your recommendation and use the proxyAddresses attribute, but it's going to take a little bit of work.  The problem is occurring in a VBA script in Outlook when I pull the "SenderEmailAddress" property of an Outlook.MailItem.  If there is not another suitable property available that provides this information, I'll have to build an LDAP query from the "SenderEmailAddress" property to ascertain "proxyAddresses" for each user.

I'll have to see how that goes because I'm not very well-versed in VBA LDAP queries.  Anybody here have any thoughts on how to do that or do I need to re-post in VB?
0
 
LVL 58

Expert Comment

by:tigermatt

I'm afraid I'm not well versed in Outlook VBA (not sure about the other folks posting here though). There are certainly some very knowledgeable people over in the VB and the Outlook zone, though.

-Matt
0
 
LVL 3

Assisted Solution

by:Tommy_Cooper
Tommy_Cooper earned 500 total points
What exactly is your script trying to do? From what has been said so far, I'm thinking along the lines that you only want a user's "default" or reply address? If so, look for the AD attribute that is named "mail". This will give you one single address that is the user's reply address.

Does that help? If not, tell us exactly what your script is trying to do.

I will also probably point you in the direction of the VB groups :)
0
 

Author Comment

by:NateR78
I have submitted another ticket with VB and Outlook folks, but in case you want to see the code, here it is.  I want to ascertain the primary smtp address for the user, and the "Outlook.MailItem" object has a property called "SenderEmailAddress" but it's pulling that legacyExchangeDN... I am going to have to do a custom LDAP query it seems.
Sub Helpdesk()
    Dim helpdeskaddress As String
    Dim objMail As Outlook.MailItem
    Dim strbody As String
    Dim oldmsg As String
    Dim emailUser As String
    Dim objItem As Outlook.MailItem

    ' Set this variable as your helpdesk e-mail address
    helpdeskaddress = "helpdesk@company.com"

    Set objItem = GetCurrentItem()
    Set objMail = objItem.Forward

    ' Get the username portion of the sender email address by parsing LDAP string
    If (InStr(1, objItem.SenderEmailAddress, "CN=") > 0) Then
        emailUser = (Right(objItem.SenderEmailAddress, (Len(objItem.SenderEmailAddress) - 57))) & "@company.com"
    Else
        emailUser = objItem.SenderEmailAddress
    End If

    ' Adds the sender's e-mail address as the "created by" object for the ticket and appends the message body
    strbody = "#created by " & emailUser & vbNewLine & vbNewLine & objItem.Body

    objMail.To = helpdeskaddress
    objMail.Subject = objItem.Subject
    objMail.Body = strbody

    ' Remove the comment from below to display the message before sending
    'objMail.Display

    ' Automatically send the ticket
    objMail.Send

    Set objItem = Nothing
    Set objMail = Nothing
End Sub

Function GetCurrentItem() As Object
    Dim objApp As Outlook.Application
    Set objApp = Application
    On Error Resume Next
    Select Case TypeName(objApp.ActiveWindow)
        Case "Explorer"
            Set GetCurrentItem = _
                objApp.ActiveExplorer.Selection.Item(1)
        Case "Inspector"
            Set GetCurrentItem = _
                objApp.ActiveInspector.CurrentItem
        Case Else
    End Select
End Function


0
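Added example, not part of the thread or any poster's code: the lookup suggested above (read proxyAddresses instead of trusting the name inside the legacyExchangeDN), written in Python over constructed directory records so it runs without a domain. It assumes the Exchange convention that the primary address carries an upper-case SMTP: prefix; PREFIX, DIRECTORY and the function names are hypothetical.

```python
# Constructed sample records. Attribute names are real AD/Exchange attributes;
# every value below is made up for this example.
PREFIX = "/O=MYORG/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN="
DIRECTORY = [
    {   # renamed in place: legacyExchangeDN still carries the old name
        "legacyExchangeDN": PREFIX + "JGREENE",
        "mail": "jgreen@company.com",
        "proxyAddresses": ["SMTP:jgreen@company.com", "smtp:jgreene@company.com"],
    },
    {   # deleted and re-created: the old DN survives as an X500 proxy address
        "legacyExchangeDN": PREFIX + "ASMITH",
        "mail": "asmith@company.com",
        "proxyAddresses": ["SMTP:asmith@company.com", "X500:" + PREFIX + "ASMYTHE"],
    },
]


def primary_smtp(user):
    """Return the proxyAddresses entry tagged upper-case 'SMTP:', else 'mail'."""
    for addr in user.get("proxyAddresses", []):
        if addr.startswith("SMTP:"):      # lower-case 'smtp:' marks secondaries
            return addr[5:].lower()
    return user.get("mail")


def exchange_dns(user):
    """All Exchange DNs that route to this user, upper-cased for comparison."""
    dns = {user.get("legacyExchangeDN", "").upper()}
    dns.update(a[5:].upper() for a in user.get("proxyAddresses", [])
               if a.upper().startswith("X500:"))
    dns.discard("")
    return dns


def resolve_sender(sender, directory=DIRECTORY):
    """Map a SenderEmailAddress value (SMTP or Exchange DN) to a primary SMTP address."""
    sender = sender.strip()
    if not sender.startswith("/"):        # not a DN: treat as an SMTP address
        return sender.lower() if "@" in sender else None
    matches = [u for u in directory if sender.upper() in exchange_dns(u)]
    if len(matches) != 1:                 # unknown or ambiguous DN: do not guess
        return None
    return primary_smtp(matches[0])


if __name__ == "__main__":
    print(resolve_sender(PREFIX + "JGREENE"))
```

Returning nothing for an unknown or ambiguous DN keeps a ticket from being attributed to an address built from a stale name.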
