Names for Objects in Active Directory
One of the biggest confusions with Active Directory is the many "names" that
can be used to refer to or describe an object. Most of these "names" are attributes
(or properties) of the object. There is even a property method called "Name". A
Property Method is actually a method (a function) that calculates a value from other properties.
Note that the terms "attribute" and "property" are interchangeable. The
name of a property or attribute is like the name of a variable. The actual value of the property
can be assigned by the network administrator, or sometimes by the system.
Some of the confusion arises because the same attribute can have a different name depending on the
provider used. Worse, the same attribute name can sometimes refer to a different
attribute, depending on the provider. The following table attempts to clarify the situation.
Active Directory Attribute   | WinNT property | LDAP property
-----------------------------+----------------+---------------------
SAM-Account-Name             | Name           | sAMAccountName
Common-Name                  | n/a            | cn
RDN                          | n/a            | Name
Display-Name                 | FullName       | displayName
Surname                      | n/a            | sn
Given-Name                   | n/a            | givenName
Initials                     | n/a            | initials
Moniker                      | n/a            | moniker
Personal-Title               | n/a            | personalTitle
Generation-Qualifier         | n/a            | generationQualifier
User-Principal-Name          | n/a            | userPrincipalName
Obj-Dist-Name                | n/a            | distinguishedName
n/a (property method)        | ADsPath        | ADsPath
The "Name" property of the WinNT provider is sometimes called the "NT Name",
because it is the name used in NT networks. The WinNT "Name" property of a user object
is the pre-Windows 2000 logon name. The LDAP provider calls this attribute "sAMAccountName".
The value can be the same as the value assigned to the LDAP "cn" attribute, but it
does not have to be. This can be a major source of confusion. You cannot retrieve the "cn"
attribute with the WinNT provider.
The "Name" property method of the LDAP provider returns the same value as the "cn"
property, but prefixed with the string "cn=". For example,
if cn = "TestUser", then Name = "cn=TestUser". In other words, the "Name" property
method returns the Relative Distinguished Name (RDN) of the object.
The same attribute called "FullName" using the WinNT provider is called
"displayName" using LDAP. Many of the other attributes used to identify
users are only exposed by the LDAP provider.
Both providers expose an "ADsPath" attribute, but this is actually a
"Property Method". It is the binding string used to bind to the object with the
provider. The LDAP provider also exposes a "distinguishedName" attribute. It is the
same as "AdsPath", but without the provider moniker ("LDAP://") in the
string. The "distinguishedName" property of an object might be something like
"cn=TestUser,ou=Sales,dc=MyDomain,dc=com". It uniquely specifies the object in
Active Directory. It includes the Relative Distinguished Name of the object, plus the full
path to the container holding the object in Active Directory.
The "userPrincipalName" is an alternative name the user can log on with.
It is in the form "LogonName@DNSDomain". For example, it could be
"Joe User@MyDomain.MyCompany.com". This attribute is not always assigned a
value in Active Directory.
The only attributes in the table above that are mandatory are "SAM-Account-Name"
and "Common-Name". If a user object is created with the LDAP provider, values must
be specified for both "cn" and "sAMAccountName". If a user object is
created with the WinNT provider, only the "Name" property is specified
("SAM-Account-Name"), and "Common-Name" is automatically assigned the
same value. If a user object is created in the "Active Directory Users and Computers" MMC,
the names default as follows. You specify the "First Name", "Initials",
and "Last Name" of the user (the "givenName", "initials",
and "sn" attributes). The field labeled "Full Name" defaults to be
<givenName> <initials>. <sn>. This string is assigned to the "cn" attribute
(Common Name). You are allowed to overwrite the default. The fact that the cn attribute is
referred to as "Full Name" is another source of confusion. In the
"New Object – user" dialog you are also required to specify a "User logon name".
This, in combination with the DNS domain name, becomes the "userPrincipalName".
Finally, as you key in "User logon name", the field "pre-Windows 2000 logon name"
is filled in for you with the first 20 characters of "User logon name". This becomes
the "sAMAccountName" attribute.
The full NT name of an Active Directory object is in the form "NetBIOSDomain\sAMAccountName".
An example could be:
MyDomain\TestUser
The full LDAP name of the same object could be specified by:
cn=Test1,ou=Sales,ou=East,dc=Domain1,dc=com
As you can see, the "sAMAccountName" attribute does not have to be the same as the
"cn" attribute. In addition, the DNS domain name (Domain1.com above) does not have to
match the NetBIOS domain name (MyDomain above). This can make "finding" objects in
Active Directory difficult. Fortunately, the NameTranslate object is generally available to
convert names between these two forms.
It should be noted that the sAMAccountName attribute of any object must be unique in the domain.
The userPrincipalName must be unique in the forest. However, the cn attribute (common name) must
only be unique in the container or organizational unit. There can be several objects with the
same cn, as long as they are in different containers. Note, however, that the distinguishedName
will always be unique in the forest.
A final concept to discuss is the relative distinguished name, abbreviated RDN. For a user
object, this is the common name (cn) attribute. The Name property method returns the RDN.
The RDN of any object is the first part of the distinguishedName, abbreviated DN, of the object.
For example, if the DN of a computer object is:
cn=Minnesota,cn=computers,dc=MyDomain,dc=com
Then, the RDN is "cn=Minnesota".
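The DN handling and the uniqueness scopes described above, worked through in an added Python example (not code from the original article). It parses a distinguishedName into RDN, container and DNS domain, handles a backslash-escaped comma inside a cn, and reports objects that break the rules: sAMAccountName must be unique per domain, userPrincipalName and distinguishedName per forest, while the same cn in two different OUs is legal. The sample objects and the "netbiosDomain" field are constructed for the example.

```python
import re
from collections import defaultdict

def parse_dn(dn):
    """Split a distinguishedName into (attribute, value) pairs, RDN first.
    A backslash-escaped comma (RFC 4514, e.g. "cn=Doe\\, John") stays in the value."""
    parts = re.split(r"(?<!\\),", dn)
    return [(a.strip().lower(), v.replace("\\,", ","))
            for a, _, v in (p.strip().partition("=") for p in parts)]

def _join(rdns):
    # Rebuild DN text from pairs, re-escaping commas inside values.
    return ",".join(a + "=" + v.replace(",", "\\,") for a, v in rdns)

def rdn(dn):
    """Relative distinguished name: the leftmost component, e.g. "cn=Minnesota"."""
    return _join(parse_dn(dn)[:1])

def container(dn):
    """DN of the container holding the object: everything after the RDN."""
    return _join(parse_dn(dn)[1:])

def dns_domain(dn):
    """DNS domain name built from the dc components, e.g. "Domain1.com"."""
    return ".".join(v for a, v in parse_dn(dn) if a == "dc")

def naming_conflicts(objects):
    """Objects that violate AD name uniqueness: distinguishedName and
    userPrincipalName per forest, sAMAccountName per domain.  cn only has to be
    unique per container (already covered by the DN check), so the same cn in two OUs is fine."""
    seen = defaultdict(list)
    for obj in objects:
        dn = obj["distinguishedName"]
        keys = [("distinguishedName", dn.lower()),
                ("sAMAccountName", (obj["netbiosDomain"].lower(), obj["sAMAccountName"].lower()))]
        if obj.get("userPrincipalName"):          # optional attribute: only check when set
            keys.append(("userPrincipalName", obj["userPrincipalName"].lower()))
        for scope, key in keys:
            seen[(scope, key)].append(dn)
    return sorted((scope, key, dns) for (scope, key), dns in seen.items() if len(dns) > 1)

SAMPLE = [  # constructed sample objects; netbiosDomain is the "MyDomain" in MyDomain\TestUser
    {"distinguishedName": "cn=Test1,ou=Sales,ou=East,dc=Domain1,dc=com", "netbiosDomain": "MyDomain",
     "sAMAccountName": "TestUser", "userPrincipalName": "TestUser@Domain1.com"},
    {"distinguishedName": "cn=Test1,ou=Marketing,dc=Domain1,dc=com", "netbiosDomain": "MyDomain",
     "sAMAccountName": "Test1"},                                    # same cn, other OU: legal
    {"distinguishedName": "cn=Doe\\, John,ou=Sales,ou=East,dc=Domain1,dc=com", "netbiosDomain": "MyDomain",
     "sAMAccountName": "TestUser"},                                 # sAMAccountName clash in MyDomain
    {"distinguishedName": "cn=TestUser,ou=Sales,dc=Domain2,dc=com", "netbiosDomain": "DOMAIN2",
     "sAMAccountName": "TestUser", "userPrincipalName": "testuser@domain1.com"},  # UPN clash, forest-wide
]
```

Running naming_conflicts(SAMPLE) reports two violations, the duplicate sAMAccountName inside MyDomain and the duplicate UPN across the two domains; the shared cn "Test1" and the reused sAMAccountName in DOMAIN2 are not reported.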
A few naming abbreviations:
cn  | Common Name
ou  | Organizational Unit
dc  | Domain Component
dn  | Distinguished Name
RDN | Relative Distinguished Name
UPN | User Principal Name