Identifying Objects in Microsoft Active Directory

Microsoft Windows Server, , , ,

Identity

GUIDs

To be able to uniquely identify objects in Active Directory, Microsoft uses a 128-bit Globally Unique Identifier or GUID. You should note that if you move an object in your AD tree, or even if you rename the object inside of Active Directory, this GUID remains unchanged. There is one important exception to this, and that would be a move across a forest to another forest using something like the Active Directory Migration Tool (ADMT). This situation does not preserve the GUID.

Distinguished Names

We humans are certainly not going to work with GUIDs to identify objects in AD. Fortunately, there is another method of identification called distinguished names (DN). This approach is actually referenced in the LDAP specifications. The DN provides a nice hierarchical path to the object in addition to names. For example, we might have a domain of labs.cbtnuggets.com. The DN would be:

dc=labs,dc=cbtnuggets,dc=com

We also have relative distinguished names (RDN) to identify the object in a parent container. For example, consider this DN:

cn=Admin,cn=Users,dc=cbtnuggets,dc=com

The RDN would be:

cn=Admin

Attribute Types

Notice from our examples above there is an Attribute Type as part of the DN. Here is a list of these Attribute Types:

  • CN = Common Name
  • L = Locality Name
  • ST = State or Province Name
  • O = Organization Name
  • OU = Organizational Unit Name
  • C = Country Name
  • STREET = Street Address
  • DC = Domain Component
  • UID = User ID

AD uses CN, L, O, OU, C, and DC.
Pearson Education (InformIT)

Leave a Reply

Your email address will not be published. Required fields are marked *