Which naming conventions does Active Directory use for objects?
Active Directory (AD) uses several naming conventions for objects. These
naming conventions include the distinguished name (DN), relative distinguished
name (RDN), Lightweight Directory Access Protocol (LDAP) URL name, LDAP
canonical name, user principal name, and SAM account name.
The most popular method for naming AD objects is to use the DN. Every AD
object has a DN that uniquely identifies the object in the Directory Service
(DS). For example, the DN
identifies an object as follows:
A DN might also include an organizational unit (OU). For more information about
DNs, see RFC 1779 A String Representation of Distinguished Names.
- /O=Internet - Organization=Internet
- /DC=COM - Domain Component=COM
- /DC=SavillTech - Domain Component=SavillTech (the full Domain Component is
- /CN=Users - Common Names=Users
- /CN=John Savill - Common Names=John Savill
The RDN is also known as the friendly name. The RDN for the above
example is CN=John Savill. The RDN for the Users container is CN=Users.
LDAP URL names begin with LDAP://, then include an LDAP server and a modified
DN that identifies the object (e.g.,
An LDAP canonical name is the LDAP name without certain information (i.e.,
ou=, cn=, dc=). An example LDAP canonical name is savilltech.com/Sales/Jsavill.
Many administrative tools use these names.
The user principal name contains the username and DNS domain name, linked
with the symbol @ (e.g., firstname.lastname@example.org).
The SAM account name (e.g., savillj) is in the Windows NT 4.0 format. Because
of this nameís single-layer convention, each name must be unique within an
Objects are actually stored as globally unique IDs. A GUID is a 128-bit
number that generates at object creation and is stored in the object attribute
objectGUID. GUIDs donít change.
Windows Privacy Tools - http//www.privacywindows.com