Active Directory user names: why does the canonical name vary? Can I do something to make them uniform

Tags: active-directory, windows-server-2003, windows-server-2008-r2

I am a self-taught administrator of a work Active Directory network used for Windows logins on ~30 PCs. I inherited the system from someone else who also didn't have any direct Microsoft training and as a result I am in the dark on a couple things.

The network itself has a single Windows Server 2008 R2 machine acting as domain controller, DNS, file shares, etc. Logins work fine, but I was poking around the list of users while disabling old accounts and I noticed something I don't quite understand.

Here are a couple sample user accounts:

  1. Logon Name: john
    First Name: John
    Last Name: Smith
    Display Name: John Smith
    Canonical Name of Object: domain.com/Users/john

  2. Logon Name: bob
    First Name: Bob
    Last Name: French
    Display Name: Bob French
    Canonical Name of Object: domain.com/Users/Bob French

The current domain controller was swapped in from another one that used to run Windows Server 2003. The first sample account was created when the Server 2003 box was DC, the second was created when the newer Server 2008 R2 box was DC. Why is the Canonical Name different, and does it make any difference?

I'm mostly annoyed by the fact that my users list in the active directory browser has half the accounts as 'firstname' and half as 'firstname lastname'.

Can I do something to make all of them the same without breaking working accounts?

Best Answer

Active Directory does not really concern itself with how the User account object's RDN (the last part of the Canonical Name) relates to other properties like the Display Name or the Logon Name - as long as the value of each individual attribute doesn't violate the schema definition.

The behavior of the "New User" form in Active Directory Users and Computers (as well as a number of other dialogues) has changed significantly between Windows Server 2003 and Windows Server 2008 R2 - and that's probably why they're not consistent.

You can use PowerShell to move the non-system accounts, and then go through the users and rename them to whatever their Display Name is:

# The AD cmdlets live in the RSAT ActiveDirectory module (needs explicit import on 2008 R2)
Import-Module ActiveDirectory

# Create new OU named RegularUsers
New-ADOrganizationalUnit -Name RegularUsers -Path "dc=domain,dc=com"

# Retrieve all users that are not critical system objects
$users = Get-ADUser -SearchBase "CN=Users,DC=domain,DC=com" -SearchScope OneLevel -Filter {-not(isCriticalSystemObject -like '*')}

# Go through each and move to the new OU
foreach($user in $users){
    Move-ADObject $user -TargetPath "OU=RegularUsers,DC=domain,DC=com"
}

# Retrieve all users in the new OU.
# DisplayName is not in Get-ADUser's default property set, so it has to be requested explicitly.
$movedUsers = Get-ADUser -SearchBase "OU=RegularUsers,DC=domain,DC=com" -SearchScope OneLevel -Filter '*' -Properties DisplayName

foreach($user in $movedUsers){
    # Skip accounts with no Display Name - renaming to an empty CN would fail
    if([string]::IsNullOrWhiteSpace($user.DisplayName)) { continue }

    # Test if Display Name and object Name is the same, if not - rename
    if($user.DisplayName -ne $user.Name)
    {
        Rename-ADObject $user -NewName "$($user.DisplayName)"
    }
}

For the first step, you could also just highlight all the user accounts in ADUC and drag-n-drop them to another location.
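As an added example (not part of the original answer), here is a PowerShell audit pass to run before the rename step above. It assumes the accounts have already been moved to OU=RegularUsers in domain.com (the OU and domain names used in the answer; adjust $ou for your own) and that the RSAT ActiveDirectory module is available. It only reports which renames are unambiguous: Get-ADUser returns DisplayName only when asked for it, an empty DisplayName would make Rename-ADObject fail, and two accounts in one OU cannot both become the same CN, so those cases are listed as skipped rather than attempted. Rename-ADObject runs with -WhatIf so nothing changes until the report has been checked.

```powershell
# Added example, not from the original answer. Assumes the RSAT ActiveDirectory
# module and that the accounts are already in OU=RegularUsers (adjust $ou).
Import-Module ActiveDirectory

$ou = "OU=RegularUsers,DC=domain,DC=com"

# DisplayName must be requested explicitly; it is not in the default property set.
$users = Get-ADUser -SearchBase $ou -SearchScope OneLevel -Filter * -Properties DisplayName

# Group by the intended new name so duplicate Display Names show up before any
# rename is attempted (two users cannot share "CN=John Smith" in one OU).
$byTarget = $users | Group-Object -Property DisplayName

$report = foreach ($user in $users) {
    $target = $user.DisplayName
    $action =
        if ([string]::IsNullOrWhiteSpace($target)) { 'SKIP: empty DisplayName' }
        elseif ($target -eq $user.Name)            { 'OK: already matches' }
        elseif (@($byTarget | Where-Object { $_.Name -eq $target } | Select-Object -ExpandProperty Group).Count -gt 1) {
            'SKIP: duplicate DisplayName'
        }
        else                                       { 'RENAME' }

    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        CurrentName    = $user.Name
        TargetName     = $target
        Action         = $action
    }
}

# Review this table first; every SKIP line needs a manual decision.
$report | Format-Table -AutoSize

# Apply only the unambiguous renames. Remove -WhatIf once the report looks right.
$report | Where-Object { $_.Action -eq 'RENAME' } | ForEach-Object {
    Get-ADUser -Identity $_.SamAccountName | Rename-ADObject -NewName $_.TargetName -WhatIf
}
```

Running the report first also makes the change reviewable after the fact: keeping the table output alongside the rename run gives you a record of which CNs changed and which accounts were deliberately left alone.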
