AD Attribute query!

Discussion in 'Active Directory' started by UselessUser, Jun 25, 2009.

  1. UselessUser

    UselessUser Guest


    We have a large group, which recently needed major editing, so I handed it
    over to another person who asked me a very simple question..

    How come when looking at this group, members appeared as one of these types:

    Firstname Surname

    And I had no idea, after a bit of study, it looks like ADUC exposes members
    by the Full Name (or Name attribute) of their accounts.

    The real question is, how come if they have been created using the normal
    Firstname and Lastname options in ADUC, and the full name is generated
    automatically from these and is not changed, how do some people have the:


    I think some of these are old users, so may have been migrated from an NT4
    domain, would this cause this?

    Also is there any damage (Relating to AD and Exchange etc) of running a
    script on these accounts to rename the name attribute to firstname lastname??
    UselessUser, Jun 25, 2009
  2. UselessUser

    Marcin Guest

    FirstName LastName happens to be the default format of Full Name entry in
    ADUC (as per The article also
    provides instructions on how to change this default format for any future
    accounts (btw. you can find a script that changes this format at - although you'd need to modify it
    to match the naming convention you want to use). Without knowing how the
    other accounts were created, it is rather difficult to speculate why their
    Full Name is different - this could have happened in a number of different
    ways (account migration is one of them)...
    I'd not expect any negative implications, as long as you modify this
    particular attribute only - but obviously you should test it with one
    non-critical account first before you apply changes en masse...

    Marcin, Jun 25, 2009
  3. UselessUser

    UselessUser Guest


    Thanks for the reply, I understand that by setting the 409 attribute for new
    users, it amends the dialog box at account creation so it becomes surname,
    firstname, and as display name is taken from that by default, display name in
    GAL will be surname, firstname as well..

    However the script underneath it, only adjusts the display name, it does not
    touch the fullname (Or name attribute), so in AD old users will appear as
    firstname surname, whilst new users will appear as surname, firstname...

    I have seen ADMODIFY has a change CN (RDN) option, which I think sets the
    name attribute and CN attributes to surname, firstname so then AD would also
    all match up but am worried about any problems of doing this?
    UselessUser, Jun 25, 2009
  4. UselessUser

    Marcin Guest

    Marcin, Jun 25, 2009
  5. To the best of my knowledge, the only issues with renaming (changing the cn
    attribute) are:

    1. The value must be unique in the OU/Container. The same value can be used
    elsewhere, such as in another OU.
    2. The value cannot be longer than 64 characters.
    3. The following characters must be escaped using the backslash escape
    character, "\":

    , \ # + < > ; " =

    Also, leading and trailing spaces must be escaped, but not embedded spaces.
    Also, if you are using ADSI (for example, VBScript uses ADSI), the forward
    slash character, "/" must also be escaped.

    Renaming does not affect group memberships or permissions.
    Richard Mueller [MVP], Jun 25, 2009
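
The three rename constraints listed in the answer above, written as a pre-flight check that can be run over a list of proposed names before any bulk rename (an added example, not code from anyone in the thread). The function name `Test-ProposedCn`, its parameters and the sample names are hypothetical; the code only inspects strings and does not query or modify a directory.

```powershell
# Added example: pre-flight check of a proposed cn against the three rules in the post.
# Test-ProposedCn and the sample names are hypothetical; nothing here touches a directory.
function Test-ProposedCn {
    param(
        [Parameter(Mandatory)][string]$Value,  # unescaped new cn, e.g. 'Surname, Firstname'
        [string[]]$ExistingNames = @(),        # unescaped cn values already in the target OU
        [switch]$ForAdsi                       # also escape '/' (ADSI, e.g. from VBScript)
    )
    $problems = @()

    # Rule 1: unique within the OU/container. -contains ignores case.
    if ($ExistingNames -contains $Value) { $problems += 'already used in this OU/container' }

    # Rule 2: at most 64 characters. Assumption: the limit applies to the stored
    # (unescaped) value, so the backslashes added below are not counted.
    if ($Value.Length -gt 64) { $problems += "too long: $($Value.Length) characters (limit 64)" }

    # Rule 3: backslash-escape  , \ # + < > ; " =  plus leading and trailing spaces.
    # Embedded spaces are left alone.
    $core = $Value.Trim(' ')
    if ($core.Length -eq 0) { $problems += 'empty or all spaces' }
    $lead  = $Value.Length - $Value.TrimStart(' ').Length
    $trail = $Value.Length - $Value.TrimEnd(' ').Length
    $escaped = $core -replace '[,\\#+<>;"=]', '\$&'
    if ($ForAdsi) { $escaped = $escaped -replace '/', '\/' }
    $escaped = ('\ ' * $lead) + $escaped + ('\ ' * $trail)

    [pscustomobject]@{
        Value    = $Value
        Escaped  = $escaped   # form to use when the name is written as an RDN (cn=...)
        Ok       = ($problems.Count -eq 0)
        Problems = $problems -join '; '
    }
}

# Constructed sample data: names already in one OU, then proposed renames to check.
$inOu = 'Smith, Jane', 'Jones, Bob'
$proposed = 'Smith, John', 'smith, jane', 'Ops/Dev, Admin+1', ' Lee, Kim', ('X' * 65)
$proposed | ForEach-Object { Test-ProposedCn -Value $_ -ExistingNames $inOu -ForAdsi } |
    Format-List
```

The "Surname, Firstname" format discussed in the thread always contains a comma, so every name in that format needs the escaped form wherever it is written as part of a distinguished name.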
