Distinguished Name in Active Directory Explained

By Victor Ashiedu

Have you been looking for a comprehensive article about Distinguished Name (DN) in Active Directory? Look no further, as this article demystifies distinguishedName in Active Directory.

Overview

Active Directory is a directory service that stores user, group, and other information (objects). In addition to storing and managing objects, Active Directory also provides authorization, authentication, group policy administration, and more.

Talking about storing objects, every entry (object) in Active Directory has a distinguished name (DN). The DN of an object uniquely identifies it in the directory.

So, no two objects have the same DN; thus, the phrase “uniquely identifies.”

In Active Directory, a DN is a series of Relative Distinguished Names (RDNs) connected by commas. In other words, a DN is made up of attribute=value pairs (RDNs), separated by commas.

So, when you combine RDNs and separate them by commas, you have a Distinguished Name (DN). Here is an example of the DN of an Active Directory object.

CN=Victor Ashiedu,OU=Writers,DC=itechguides,DC=local

Earlier, I mentioned that “a DN is made up of attribute=value pairs, separated by commas.” In the last example – “CN=Victor Ashiedu”, “OU=Writers”, “DC=itechguides” and “DC=local” – are attribute=value pairs.

Additionally, each attribute=value pair is a Relative Distinguished Name (RDN). When you combine a series of attribute=value pairs (RDNs), you create a Distinguished Name.

The table below explains the different components of an Active Directory DN.

String    Attribute type
DC        domainComponent
CN        commonName
OU        organizationalUnitName
O         organizationName
STREET    streetAddress
L         localityName
ST        stateOrProvinceName
C         countryName
UID       userid

How Distinguished Name (DN) in Active Directory Works

The Distinguished Name (DN) of an object in Active Directory follows a hierarchical structure that is read from right to left: the rightmost RDN is the root of the hierarchy and the leftmost RDN is the object itself. The DC (domainComponent) attributes sit at the top of the hierarchy.

A domain name contributes one DC RDN for each of its DNS labels, and the rightmost label (local, com, net, and so on) is the highest level. The domain itechguides.local is therefore written as DC=itechguides,DC=local, while a domain such as corp.example.com would be written as DC=corp,DC=example,DC=com.

Continuing in that logic, if the object sits in a container – like an OU – that container comes next in the DN hierarchy, immediately to the left of the DC attributes. If the object sits in nested OUs, the innermost (lower level) OU comes first, followed by the OU that contains it, and so on up to the domain. Note that the default Users and Computers containers are not OUs; objects in them carry CN=Users or CN=Computers at that position instead.

Finally, the leftmost attribute in the Active Directory Distinguished Name hierarchy is normally the commonName (CN) attribute. This is the name of the object in the directory.

For example, a user’s full name or a computer name is a commonName (CN) attribute.

Features Of Distinguished Name (DN) in Active Directory

Active Directory DNs have some features that you need to be aware of. Knowing these features will equip you to manage Distinguished Names effectively.

In the previous sections of this article, I may have hinted at some of the features of DN. However, I have dedicated this section to discuss the main features of Distinguished Name.

Here are the four most important features of a Distinguished Name…

DN Attribute Values that Include a Reserved Character are Escaped with a Backslash (\)

Distinguished Name has some reserved characters. The table below lists the reserved characters.

Reserved character    Description                                          Hex value
(space) or #          space or # character at the beginning of a string    0x20, 0x23
(space)               space character at the end of a string               0x20
,                     comma                                                0x2C
+                     plus sign                                            0x2B
"                     double quote                                         0x22
\                     backslash                                            0x5C
<                     left angle bracket                                   0x3C
>                     right angle bracket                                  0x3E
;                     semicolon                                            0x3B
LF                    line feed                                            0x0A
CR                    carriage return                                      0x0D
=                     equals sign                                          0x3D
/                     forward slash                                        0x2F

If an attribute value contains any of the above characters, you MUST escape that character (not the whole value) by prefixing it with a backslash (\). Without the escape, a comma inside a value is read as an RDN separator and an equals sign as the start of a new attribute, so the DN no longer points at the object you meant.

Alternatively, any character can be written as a backslash followed by the two hex digits of its character code. This is the only practical form for non-printable characters such as line feed and carriage return, and it is also accepted for the equals sign (=) and the other reserved characters.

The “two hex digits” are the hex value in the table above without the 0x prefix. For example, a carriage return (0x0D) is written as \0D and a comma (0x2C) as \2C.

To show how this works, let me bring back the example I used earlier in this article.

CN=Victor Ashiedu,OU=Writers,DC=itechguides,DC=local

If one of the attribute values contains a reserved character, I escape that character with a backslash. For example, if the OU were named “Writers,” (with a trailing comma as part of the name), the comma inside the value must be escaped so that it is not read as the separator before the next RDN, as shown below…

CN=Victor Ashiedu,OU=Writers\,,DC=itechguides,DC=local

The first comma after Writers is escaped and belongs to the OU name; the second, unescaped comma separates the OU RDN from DC=itechguides.
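The escape rules above and the RDN hierarchy described in the previous section are easy to get wrong by hand, so here is an added PowerShell example that is not part of the original article. It escapes a value for use in an RDN and splits a DN into its RDNs without breaking on escaped commas, then derives the parent container's DN from the result. The function names are my own, the OU name “Writers,” is constructed for the demonstration, and nothing here talks to a domain controller.

```powershell
# Added example, not from the original article. Escapes a single attribute
# value for use in an RDN and splits a DN into RDNs honouring those escapes.

function ConvertTo-EscapedRdnValue {
    # Escape one attribute value so it can be placed after "attribute=" in a DN.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)

    $out = [System.Text.StringBuilder]::new()
    for ($i = 0; $i -lt $Value.Length; $i++) {
        $c       = $Value.Substring($i, 1)
        $code    = [int][char]$c
        $isFirst = ($i -eq 0)
        $isLast  = ($i -eq $Value.Length - 1)

        if ($c -in @(',', '+', '"', '\', '<', '>', ';', '=', '/')) {
            # Reserved anywhere in the value: prefix the character with a backslash
            [void]$out.Append('\').Append($c)
        }
        elseif ($code -lt 0x20) {
            # Non-printable (LF, CR, ...): backslash plus two hex digits, e.g. \0D
            [void]$out.Append('\').Append($code.ToString('X2'))
        }
        elseif (($isFirst -and ($c -eq ' ' -or $c -eq '#')) -or ($isLast -and $c -eq ' ')) {
            # Reserved only by position: leading space or '#', trailing space
            [void]$out.Append('\').Append($c)
        }
        else {
            [void]$out.Append($c)
        }
    }
    return $out.ToString()
}

function Split-DistinguishedName {
    # Split a DN into its RDN strings, leaf first. Escape sequences are copied
    # verbatim, so an escaped comma never terminates an RDN.
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $rdns    = [System.Collections.Generic.List[string]]::new()
    $current = [System.Text.StringBuilder]::new()
    $i = 0
    while ($i -lt $DistinguishedName.Length) {
        $c = $DistinguishedName.Substring($i, 1)
        if ($c -eq '\' -and ($i + 1) -lt $DistinguishedName.Length) {
            # Backslash: copy the whole escape (\x or \hh) and skip past it
            $rest = $DistinguishedName.Substring($i + 1)
            $len  = if ($rest -match '^[0-9A-Fa-f]{2}') { 3 } else { 2 }
            [void]$current.Append($DistinguishedName.Substring($i, $len))
            $i += $len
        }
        elseif ($c -eq ',') {
            # Unescaped comma ends the current RDN
            $rdns.Add($current.ToString())
            [void]$current.Clear()
            $i++
        }
        else {
            [void]$current.Append($c)
            $i++
        }
    }
    $rdns.Add($current.ToString())
    return $rdns.ToArray()
}

function Get-ParentDistinguishedName {
    # Drop the leaf RDN; what remains is the DN of the container holding the object.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $rdns = @(Split-DistinguishedName -DistinguishedName $DistinguishedName)
    if ($rdns.Count -le 1) { return $null }
    return ($rdns[1..($rdns.Count - 1)] -join ',')
}

# Constructed demonstration: an OU literally named "Writers," (trailing comma)
$ouName = 'Writers,'
$dn = 'CN=Victor Ashiedu,OU={0},DC=itechguides,DC=local' -f (ConvertTo-EscapedRdnValue -Value $ouName)

$dn                                                      # the DN with the comma escaped
@(Split-DistinguishedName -DistinguishedName $dn).Count  # RDN count with escapes honoured
($dn -split ',').Count                                   # what a naive split gets wrong
Get-ParentDistinguishedName -DistinguishedName $dn       # the OU's own DN
```

For this input the escaper produces CN=Victor Ashiedu,OU=Writers\,,DC=itechguides,DC=local; Split-DistinguishedName returns four RDNs, whereas splitting the same string on every comma returns five and leaves a dangling empty RDN. Get-ParentDistinguishedName returns OU=Writers\,,DC=itechguides,DC=local, which is exactly the DN you would pass as a container path to tools such as dsadd.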

Relative Distinguished Names (RDNs) in a DN Follow a Hierarchy

In the overview section of this article, I introduced the table of attribute types (DC, CN, OU, O, STREET, L, ST, C, and UID).

If you combine any of those attributes with their values, separated by commas, you create a Distinguished Name (DN). Here is the same example I also introduced in the overview section.

CN=Victor Ashiedu,OU=Writers,DC=itechguides,DC=local

The above Distinguished Name belongs to a user object in Active Directory. Even though you combine the attribute=value pairs to create a DN, the pairs must appear in a specific order, from the object itself up to the domain.

The CN (commonName) comes first. Then, if the object sits in an OU, the organizationalUnitName (OU) RDN comes next; nested OUs are listed innermost first.

Finally, you have the domainComponent (DC) RDNs, one for each DNS label of the domain name. For itechguides.local that is DC=itechguides followed by DC=local; a domain such as corp.example.com would end in DC=corp,DC=example,DC=com.

Distinguished Name (DN) in Active Directory Shows the Path to an Object in the Directory

As I have mentioned more than once in this article, RDN refers to a single attribute=value pair. Below is a single attribute (CN)=Value (Victor Ashiedu) pair.

CN=Victor Ashiedu

When you look at this RDN, you can tell that it is the name of an object in Active Directory. However, this information does not show you how to get to this object in the directory.

Now, when you combine the other RDNs that make up the full DN of the object, it gives you a hierarchical structure of the object in the directory.

CN=Victor Ashiedu,OU=Writers,DC=itechguides,DC=local

So, when you look at the DN of an AD object, you can tell the full path to the object in the directory. For example, I can tell that the name of the object in the above DN is “Victor Ashiedu.”

In addition to that, I can tell that the object belongs to an OU (Organizational Unit) called “Writers.” Finally, I know that the object is in the domain “itechguides.local.”

Use the DSAdd Command to Create Active Directory Objects with their Distinguished Name (DN)

You can use the dsadd.exe command line utility to add an object to Active Directory using the object’s Distinguished Name.

For example, to add a user object with the DN – “CN=Anthony Raj,OU=Writers,DC=itechguides,DC=local” – run the command below.

dsadd.exe user "CN=Anthony Raj,OU=Writers,DC=itechguides,DC=local" -samid ARaj -UPN [email protected] -pwd 3x%Y7*EDN
If you want the command to prompt you for the password, enter * as the -pwd argument. That is the better option: a password typed on the command line is kept in the console history and is visible to anyone who can list running processes while dsadd runs.

After I run the command, the user is added to the Writers OU, and the login name and UPN from the command appear on the Account tab of the new user’s properties.

To learn the command options of the dsadd command, run the command below.

dsadd /?

The help output also shows how to use dsadd to add other Active Directory object types, such as computers, groups, and OUs.
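As an added example (not from the original article), the same user can be created with the ActiveDirectory PowerShell module, where -Path takes the DN of the container and the cmdlet builds the new object’s DN from the -Name value and that path. It assumes the RSAT ActiveDirectory module is installed and that the session has rights to create users in the Writers OU; it leaves out the UPN, which New-ADUser does not require, and prompts for the password instead of passing it on the command line.

```powershell
# Added example, not from the original article. Creates the dsadd user with
# New-ADUser and verifies that the resulting DN is CN=<Name>,<Path>.
Import-Module ActiveDirectory

$ouDn = 'OU=Writers,DC=itechguides,DC=local'

# Fail early with a clear error if the target OU does not exist
$ou = Get-ADOrganizationalUnit -Identity $ouDn -ErrorAction Stop

# Prompt for the initial password rather than embedding it in the command,
# where it would land in console history and process listings
$password = Read-Host -Prompt 'Initial password for ARaj' -AsSecureString

New-ADUser -Name 'Anthony Raj' `
           -SamAccountName 'ARaj' `
           -Path $ou.DistinguishedName `
           -AccountPassword $password `
           -Enabled $true `
           -ChangePasswordAtLogon $true

# Read the object back by sAMAccountName and confirm where it landed
$user     = Get-ADUser -Identity 'ARaj'
$expected = "CN=Anthony Raj,$ouDn"
if ($user.DistinguishedName -ne $expected) {
    throw "User was created at an unexpected location: $($user.DistinguishedName)"
}
$user.DistinguishedName
```

The -Path value is the DN of the container, not the container’s name, so a typo there fails the cmdlet outright rather than silently creating the user in the default Users container; the final comparison guards against the same mistake when the path is built dynamically.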

How to View Distinguished Name (DN) in Active Directory

So far, I have introduced you to Active Directory Distinguished Name (DN) in the overview section of this guide. Then, I explained how DN works in a hierarchical structure.

You have also read the 4 core features of DN, including how to use DSAdd command to create an AD object using its DN.

In this section, I’ll show you five methods to view Distinguished Names (DNs) in Active Directory.

Option 1: View Distinguished Name (DN) with DSQuery

The fastest way to view the DN of an AD object is to run the dsquery command. Before you start, you need the SamAccountName (login name) of the user whose DN you want to display.

Here is a sample command that returns the Distinguished Name (DN) of a user with SamAccountName, araj.

Dsquery user -samid araj

If you do not know the full login name of the user, you can use the asterisk (*) wildcard. Here is a sample command.

Dsquery user -samid ar*

The command returns the same result, provided only one account matches the pattern; if several accounts match, dsquery lists the DN of each one.

Option 2: View Distinguished Name (DN) with PowerShell

You can also use PowerShell to display the Distinguished Name of an AD object. In the example below, I want to view the DN of the user, “Victor Ashiedu”…

(Get-ADObject -Filter {Name -eq 'victor ashiedu'}).DistinguishedName

If you want to display all properties of the user, including the user’s Distinguished Name, run the command below…

Get-ADObject -Filter {Name -eq 'victor ashiedu'} | select *
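Here is an added PowerShell example, not from the original article, that gathers the lookups from the dsquery and PowerShell options into one script: an exact lookup by sAMAccountName, a wildcard lookup that may return several accounts, a lookup by Name scoped to the Writers OU with -SearchBase, and the reverse lookup from a DN back to the object. It assumes the ActiveDirectory module and the accounts araj and Victor Ashiedu used earlier in the article.

```powershell
# Added example, not from the original article. Several ways to get from an
# account to its DN, and from a DN back to the object.
Import-Module ActiveDirectory

# 1. Exact lookup by sAMAccountName. -Identity also accepts a DN, a GUID or a
#    SID, so the same parameter handles the reverse direction further down.
$user = Get-ADUser -Identity 'araj'
$user.DistinguishedName

# 2. Wildcard on the login name, the PowerShell equivalent of
#    "dsquery user -samid ar*". A wildcard can match more than one account,
#    so the result is treated as a list rather than a single object.
$found = @(Get-ADUser -Filter "sAMAccountName -like 'ar*'")
if ($found.Count -gt 1) {
    Write-Warning "Pattern 'ar*' matched $($found.Count) accounts"
}
$found | Select-Object SamAccountName, DistinguishedName

# 3. Lookup by Name restricted to one OU. -SearchBase takes the OU's DN and
#    keeps an identically named object elsewhere in the domain out of the result.
Get-ADUser -Filter "Name -eq 'Victor Ashiedu'" `
           -SearchBase 'OU=Writers,DC=itechguides,DC=local' |
    Select-Object -ExpandProperty DistinguishedName

# 4. Round trip: a DN identifies exactly one object, of whatever class.
#    Get-ADObject is used because the DN alone does not say it is a user.
Get-ADObject -Identity $user.DistinguishedName |
    Select-Object Name, ObjectClass, DistinguishedName
```

Get-ADUser -Identity throws if the account does not exist, while the -Filter forms return nothing, so scripts that go on to use the DN should check for an empty result before building paths from it.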

Option 3: View Distinguished Name (DN) with ADSI Edit

Another common method of viewing the DN of an AD object is via the ADSI Edit tool. To use this method, follow the steps below.

  1. Open ADSI Edit by searching for it on a Windows Server domain controller or on a Windows 10 or Windows 11 PC.
Before you can use ADSI Edit on Windows 10 or Windows 11, install the RSAT: Active Directory Domain Services and Lightweight Directory Services Tools optional feature. In addition, the PC must be joined to the domain, and you must be logged on with a domain account.
  2. When you open ADSI Edit for the first time, right-click ADSI Edit at the top left and select Connect to…; accepting the Default naming context connects you to the domain partition. Then navigate to the object, right-click it and select Properties.
  3. In the object’s Properties, locate distinguishedName and double-click it. ADSI Edit displays the object’s Active Directory Distinguished Name (DN) in the Value field.

Option 4: View Distinguished Name (DN) with Active Directory Users and Computers (ADUC)

The default view of Active Directory Users and Computers does not expose object attributes, which include the DN. So, the first step to using ADUC to view an object’s DN is to enable Advanced Features.

Follow the steps below to enable Advanced Features in ADUC and view the DN of AD objects.

  1. Open Active Directory Users and Computers. Then, click the View menu and select Advanced Features.
  2. Next, browse the tree to the object whose DN you want to view, right-click it and select Properties. The Attribute Editor tab is not shown for objects opened from the Find dialog’s results, so locate the object in the tree instead.
  3. Then, when the object’s properties open, click the Attribute Editor tab.
  4. Finally, locate distinguishedName and double-click it. ADUC displays the object’s Distinguished Name in the Value field.

Option 5: View Distinguished Name (DN) with Active Directory Administrative Center

You can also view Distinguished Name from Active Directory Administrative Center.

  1. Open Active Directory Administrative Center.
You can open Active Directory Administrative Center from Windows 10 or Windows 11 if you installed the RSAT for Active Directory optional feature. Alternatively, you can open the tool from Server Manager while logged on to a Domain Controller.
  2. Then, when Active Directory Administrative Center opens, locate the object whose DN you want to view, right-click the object and select Properties.
  3. When the object’s properties open, click Extensions in the left pane.
  4. Then, click the Attribute Editor tab.
  5. Finally, locate the distinguishedName attribute and double-click it.

Frequently Asked Questions

1. What is Distinguished Name in LDAP?

In an LDAP directory like Active Directory, a Distinguished Name uniquely identifies an object in the directory. So, since DNs are unique, no two objects will have the same DN.

2. What is Distinguished Name example?

An example of a Distinguished Name is:

CN=Anthony Raj,OU=Writers,DC=itechguides,DC=local

CN=Anthony Raj is the commonName (CN) – usually the name of the object
OU=Writers is the name of the OU the object (Anthony Raj) belongs to
DC=itechguides is the domainComponent (DC) for the first label of the domain name the object belongs to
DC=local is also a domainComponent (DC) of the object’s DN; it carries the last label of the domain name, such as com, local, or net

3. How do I find the DN of an object in Active Directory?

The quickest command-line way is dsquery (for example, dsquery user -samid araj) or the DistinguishedName property in PowerShell. In the GUI, open the object’s properties in the ADSI Edit tool, locate the distinguishedName attribute and double-click it.

4. What is CN OU DC in Active Directory?

CN, OU, and DC are 3 of the common attributes Active Directory uses to define an object’s Distinguished Name (DN).

In Distinguished Name (DN) naming syntax, CN means commonName; which is the name of an object in Active Directory.

OU stands for organizationalUnitName. This is the Organizational Unit the object with the DN belongs.

Finally, DC stands for domainComponent.

Each DNS label of the domain name becomes one domainComponent attribute=value pair. For itechguides.local, DC=itechguides holds the first label and DC=local the last; a domain with three labels, such as corp.example.com, has three DC pairs.

5. What is the difference between OU and CN?

In Distinguished Name (DN) naming syntax, CN (commonName) is the name of the object. On the contrary, OU stands for Organizational Unit, which Active Directory uses to organize objects, apply Group Policies, and manage permissions.

An example of a CN (commonName) is a user’s display name. If you have been working with AD, you know that a user can belong to an Organizational Unit (OU).

In terms of Distinguished Name hierarchy, OU is higher than CN.

Conclusion

Distinguished Name is one of the “hidden” attributes of objects in Active Directory. I refer to DN as “hidden” because most AD newbies will not come across it, and even when they do, it is a “mysterious” property.

For example, compared to the name of an object, its DN is less known and understood. However, even though this attribute is not in the “open,” it is an important attribute of an AD object.

As you read in this guide, in Active Directory, a DN uniquely identifies objects in the directory. Additionally, an object’s Distinguished Name is a collection of Relative Distinguished Names (RDNs) connected by commas.

Talking about RDNs, they’re made up of attribute=value pairs. When you combine RDNs and separate them with commas, you create a Distinguished Name.


About the Author

Victor Ashiedu

Victor is the founder of InfoPress Media, publishers of Ilifeguides and Itechguides. With 20+ years of experience in IT infrastructure, his expertise spans Windows, Linux, and DevOps. Explore his contributions on Itechguides.com for insightful how-to guides and product reviews.
