Thursday, April 24, 2008

AD Abbreviations Active Directory Attribute WinNT property LDAP property

http://www.rlmueller.net/Name_Attributes.htm

Names for Objects in Active Directory
One of the biggest confusions with Active Directory is the many “names” that can be used to refer to or describe an object. Most of these “names” are attributes (or properties) of the object. There is even a property method called “Name”. A Property Method is actually a method (a function) that calculates a value from other properties.

Note that the terms “attribute” and “property” are interchangeable. The name of a property or attribute is like the name of a variable. The actual value of the property can be assigned by the network administrator, or sometimes by the system.

Some of the confusion arises because the same attribute can have a different name depending on the provider used. Even worse is that sometimes the same attribute name can refer to a different attribute, depending on the provider. The following table attempts to clarify the situation.

The “Name” property of the WinNT provider is sometimes called the “NT Name”, because it is the name used in NT networks. The WinNT “Name” property of a user object is the pre-Windows 2000 logon name. The LDAP provider calls this attribute “sAMAccountName”. The value can be the same as the value assigned to the LDAP “cn” attribute, but it does not have to be. This can be a major source of confusion. You cannot retrieve the “cn” attribute with the WinNT provider.

The “Name” property method of the LDAP provider is the same as the “cn” property, but with the string “cn=” appended in front. For example, if cn = “TestUser”, then Name = “cn=TestUser”. The "Name" property method returns the Relative Distinguished Name (RDN) of the object.

The same attribute called “FullName” using the WinNT provider is called “displayName” using LDAP. Many of the other attributes used to identify users are only exposed by the LDAP provider.

Both providers expose an “AdsPath” attribute, but this is actually a “Property Method”. It is the binding string used to bind to the object with the provider. The LDAP provider also exposes a “distinguishedName” attribute. It is the same as “AdsPath”, but without the provider moniker (“LDAP://”) in the string. The “distinguishedName” property of an object might be something like “cn=TestUser,ou=Sales,dc=MyDomain,dc=com”. It uniquely specifies the object in Active Directory. It includes the Relative Distinguished Name of the object, plus the full path to the container holding the object in Active Directory.

The “userPrincipalName” is an alternative name for the user to logon with. It is in the form “LogonName@DNSDomain”. For example, it could be “Joe User@MyDomain.MyCompany.com”. This attribute is not always assigned a value in Active Directory.

The only attributes in the table above that are mandatory are “SAM-Account-Name” and “Common-Name”. If a user object is created with the LDAP provider, values must be specified for both “cn” and “sAMAccountName”. If a user object is created with the WinNT provider, only the “Name” attribute is specified (“SAM-Account-Name”), but “Common Name” is automatically assigned to the same value. If a user object is created in the “Active Directory Users and Computers” MMC, the names default as follows. You specify the “First Name”, “Initials”, and “Last Name” of the user (the “givenName”, “initials”, and “sn” attributes). The field labeled “Full Name” defaults to be . . This string is assigned to the “cn” attribute (Common Name). You are allowed to overwrite the default. The fact that the cn attribute is referred to as “Full Name” is another source of confusion. In the “New Object – user” dialog you are also required to specify a “User logon name”. This, in combination with the DNS domain name, becomes the “userPrincipalName”. Finally, As you key in “User logon name”, the field “pre-Windows 2000 logon name” is filled in for you with the first 20 characters of “User logon name”. This becomes the “sAMAccountName” attribute.

The full NT name of an Active Directory object is in the form “NetBIOSDomain\sAMAccountName”. An example could be:

MyDomain\TestUser

The full LDAP name of the same object could be specified by:

cn=Test1,ou=Sales,ou=East,dc=Domain1,dc=com

As you can see, the “sAMAccountName” attribute does not have to be the same as the “cn” attribute. In addition, the DNS domain name (Domain1.com above) does not have to match the NetBIOS domain name (MyDomain above). This can make “finding” objects in Active Directory difficult. Fortunately, the NameTranslate object is generally available to convert names between these two forms.

It should be noted that the sAMAccountName attribute of any object must be unique in the domain. The userPrincipalName must be unique in the forest. However, the cn attribute (common name) must only be unique in the container or organizational unit. There can be several objects with the same cn, as long as they are in different containers. Note, however, that the distinguishedName will always be unique in the forest.

A final concept to discuss is the relative distinguished name, abbreviated RDN. For a user object, this is the common name (cn) attribute. The Name property method returns the RDN. The RDN of any object is the first part of the distinguishedName, abbreviated DN, of the object. For example, if the DN of a computer object is:

cn=Minnesota,cn=computers,dc=MyDomain,dc=com

Then, the RDN is “cn=Minnesota”.

A few naming abbreviations:

cn Common Name
ou Organizational Unit
dc Domain Component
dn Distinguished Name
rdn Relative Distinguished Name
upn User Principal Name

No comments: