Solved

AD User Changed, but Old Name Appearing in CN String

Posted on 2011-02-20
Last Modified: 2012-05-11
There are a couple of users in my domain that have had their user names changed in the last couple of years.  If I click their user properties and browse through all the tabs, the alias and other pertinent username fields show to be correct.  For example, let's say one user's name was Jeff Green, but the original AD username was set up as Jeff Greene.  The user is renamed using the "rename" function in AD, and then I would go into the properties and make sure everything changed as expected.

The problem happens when I run a script that actually pulls the full AD context for that user.  I have a particular script in Outlook that is supposed to parse that context to ascertain a user's e-mail address, and with my example, even though the user's information in AD is completely correct (i.e., last name is "Green" and all of the username/alias fields show "jgreen"), the context string shows something like this:

/O=MYORG/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=JGREENE

How can I fix this so that the context name here is correct?  I can't find where this shows up and can be modified; and I'm not even sure if it really can.

Any help would be appreciated.  Thanks!
Question by:NateR78
9 Comments
 
LVL 13

Expert Comment

by:Mohamed ElManakhly
ID: 34937413
Well, I am not quite sure what the reason is, but I can tell you how to view these properties and edit them using ADSIedit.msc. You have to install the support tools from the Windows Server CD if you are using Windows 2003 in order to open the console. However, be extremely cautious when using this tool, as by doing so you are actually editing the Active Directory database.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 34937428
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 34937604

That is not an Active Directory issue. It is an Exchange issue, and the value you quoted above for JGREENE is called his legacyExchangeDN.

The legacyExchangeDN was stamped on the mailbox when it was created and you really do not want to start hacking around with ADSIEdit to change it. It is used by Outlook when users send JGREENE an email internally. Editing it would cause undelivered email bounces as the users' Outlook Autocomplete caches are not updated, as well as other issues.

Using that string to ascertain a user's actual email address isn't always a foolproof method because email addresses can and do change. My advice would be to parse the user's proxyAddresses attribute in Active Directory instead, which will contain their actual email addresses as defined in AD and Exchange.

-Matt
0
 
LVL 3

Accepted Solution

by:
Tommy_Cooper earned 500 total points
ID: 34941894
It is because of this exact issue that many engineers will always argue that using the "rename" function of ADU&C is not good practice.

If a user requires a rename it is often better to export the mbx and all other details and then delete the original account and re-create a new one using the new name.

A little bit more hassle at the time, but in the long run, you now have a consistent convention of names and other attributes that keep your scripts simple :)
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 34942962
>> If a user requires a rename it is often better to export the mbx and all other details and then delete the original account and re-create a new one using the new name

Definitely - but as long as you copy over the user's old legacyExchangeDN into an additional "X500" address on their new account.

Otherwise replies to messages they sent internally won't turn up, nor will the name picked from other users' Outlook autosuggest caches deliver correctly any longer.

I have also heard of people who make a new account, disable the old one but configure it to forward to the new one. Sounds too messy for my liking, but it's an alternative.

-Matt
0
 

Author Comment

by:NateR78
ID: 34943156
Thanks for the comments.  I did find the legacyExchangeDN attribute and was wondering if I should leave it as-is.  Based on the information here, I'm glad I made that decision.  I'll see how I can work around it.  @tigermatt: I will try your recommendation and use the proxyAddresses attribute, but it's going to take a little bit of work.  The problem is occurring in a VBA script in Outlook when I pull the "SenderEmailAddress" property of an Outlook.MailItem.  If there is not another suitable property available that provides this information, I'll have to build an LDAP query from the "SenderEmailAddress" property to ascertain "proxyAddresses" for each user.

I'll have to see how that goes because I'm not very well-versed in VBA LDAP queries.  Anybody here have any thoughts on how to do that or do I need to re-post in VB?
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 34943185

I'm afraid I'm not well versed in Outlook VBA (not sure about the other folks posting here though). There are certainly some very knowledgeable people over in the VB and the Outlook zone, though.

-Matt
0
 
LVL 3

Assisted Solution

by:Tommy_Cooper
Tommy_Cooper earned 500 total points
ID: 34943221
What exactly is your script trying to do? From what has been said so far, I'm thinking along the lines that you only want a user's "default" or reply address?? If so, look for the AD attribute that is named "mail". This will give you one single address that is the user's reply address.

Does that help? If not, tell us exactly what your script is trying to do.

I will also probably point you in the direction of the VB groups :)
0
 

Author Comment

by:NateR78
ID: 34944861
I have submitted another ticket with VB and Outlook folks, but in case you want to see the code, here it is.  I want to ascertain the primary smtp address for the user, and the "Outlook.MailItem" object has a property called "SenderEmailAddress" but it's pulling that legacyExchangeDN... I am going to have to do a custom LDAP query it seems.
Sub Helpdesk()
    Dim helpdeskaddress As String
    Dim objMail As Outlook.MailItem
    Dim strbody As String
    Dim oldmsg As String
    Dim emailUser As String
    Dim objItem As Outlook.MailItem

    ' Set this variable as your helpdesk e-mail address
    helpdeskaddress = "helpdesk@company.com"

    Set objItem = GetCurrentItem()
    Set objMail = objItem.Forward

    'get the username portion of the sender email address by parsing LDAP string
    If (InStr(1, objItem.SenderEmailAddress, "CN=") > 0) Then
        emailUser = (Right(objItem.SenderEmailAddress, (Len(objItem.SenderEmailAddress) - 57))) & "@company.com"
    Else
        emailUser = objItem.SenderEmailAddress
    End If

    'adds the senders e-mail address as the created by object for the ticket and appends the message body
    strbody = "#created by " & emailUser & vbNewLine & vbNewLine & objItem.Body

    objMail.To = helpdeskaddress
    objMail.Subject = objItem.Subject
    objMail.Body = strbody

    ' remove the comment from below to display the message before sending
    'objMail.Display

    'Automatically Send the ticket
    objMail.Send

    Set objItem = Nothing
    Set objMail = Nothing
End Sub

Function GetCurrentItem() As Object
    Dim objApp As Outlook.Application
    Set objApp = Application
    On Error Resume Next
    Select Case TypeName(objApp.ActiveWindow)
        Case "Explorer"
            Set GetCurrentItem = _
                objApp.ActiveExplorer.Selection.Item(1)
        Case "Inspector"
            Set GetCurrentItem = _
                objApp.ActiveInspector.CurrentItem
        Case Else
    End Select
End Function


0
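The LDAP lookup discussed in the thread, as an added example that is not part of any poster's code: it maps a legacyExchangeDN to the primary SMTP address through proxyAddresses (falling back to mail) and escapes the sender-supplied value before it goes into the search filter. The function names are hypothetical, and it assumes a domain-joined client that can query AD through the ADSI OLE DB provider.

```vba
' Added example; function names are hypothetical, not from the thread.
' Escape a value for use inside an LDAP search filter (RFC 4515).
Function EscapeLdapFilterValue(ByVal s As String) As String
    s = Replace(s, "\", "\5c")          ' backslash first, so later escapes survive
    s = Replace(s, "*", "\2a")
    s = Replace(s, "(", "\28")
    s = Replace(s, ")", "\29")
    s = Replace(s, vbNullChar, "\00")
    s = Replace(s, ";", "\3b")          ' ';' separates the parts of the ADO LDAP query
    EscapeLdapFilterValue = s
End Function

' Return the primary SMTP address for an Exchange legacy DN, or "" if nothing matches.
Function PrimarySmtpFromLegacyDn(ByVal legacyDn As String) As String
    Dim conn As Object, rs As Object, baseDn As String, v As String
    Dim addr As Variant, query As String
    baseDn = GetObject("LDAP://RootDSE").Get("defaultNamingContext")
    v = EscapeLdapFilterValue(legacyDn)
    ' Match the current legacyExchangeDN, or an old one kept as an X500 proxy address.
    query = "<LDAP://" & baseDn & ">;(|(legacyExchangeDN=" & v & ")" & _
            "(proxyAddresses=X500:" & v & "));mail,proxyAddresses;subtree"
    Set conn = CreateObject("ADODB.Connection")
    conn.Provider = "ADsDSOObject"
    conn.Open "Active Directory Provider"
    Set rs = conn.Execute(query)
    If Not rs.EOF Then
        ' proxyAddresses is multi-valued; the primary entry has the upper-case "SMTP:" prefix.
        If Not IsNull(rs.Fields("proxyAddresses").Value) Then
            For Each addr In rs.Fields("proxyAddresses").Value
                If StrComp(Left$(addr, 5), "SMTP:", vbBinaryCompare) = 0 Then
                    PrimarySmtpFromLegacyDn = Mid$(addr, 6): Exit For
                End If
            Next addr
        End If
        ' Fall back to the single-valued mail attribute.
        If PrimarySmtpFromLegacyDn = "" And Not IsNull(rs.Fields("mail").Value) Then
            PrimarySmtpFromLegacyDn = rs.Fields("mail").Value
        End If
    End If
    rs.Close: conn.Close
End Function

' Only Exchange ("EX") senders carry a legacy DN; other senders already have an SMTP address.
Function SenderSmtpAddress(ByVal item As Outlook.MailItem) As String
    If item.SenderEmailType = "EX" Then
        SenderSmtpAddress = PrimarySmtpFromLegacyDn(item.SenderEmailAddress)
    Else
        SenderSmtpAddress = item.SenderEmailAddress
    End If
End Function
```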
