Have you seen the CN abbreviation in Active Directory and wondered whether it means canonicalName or commonName? This article explains and compares canonicalName (CN) and commonName (CN).
Overview
There are two AD attributes abbreviated as CN. The first one is canonicalName, while the second is commonName.
Starting with canonicalName (CN) – this is the name of an Active Directory object in canonical format. The canonicalName (CN) of an AD object shows the full path to the object, separated by a forward slash (/).
Furthermore, a canonicalName starts with the Fully Qualified Domain Name (FQDN) of the object’s domain. After the FQDN of the object’s domain, the name of the object’s container follows.
Finally, the CN of an object will specify the name of the object. An example of the CN (canonicalName) of an Active Directory object is…
itechguides.local/Writers/Anthony Raj
Another attribute of an AD object abbreviated as CN is commonName. The commonName (CN) of an Active Directory object is part of the object’s Distinguished Name.
The commonName (CN) attribute of an AD object is the name of the object in the directory. An example of an AD object’s Distinguished Name that contains its CN (commonName) is…
CN=Anthony Raj,OU=Writers,DC=itechguides,DC=local
How AD canonicalName vs commonName Works
An AD object’s commonName (CN) is the lowest-level element in the object’s Distinguished Name (DN) hierarchy, which is why it is written first in the DN. In contrast, the canonicalName (CN) of an Active Directory object is the name of the object in a canonical format.
Both commonName and canonicalName uniquely identify an object in Active Directory. The difference lies in the way they present the name.
Before I proceed, I’d like to mention that the commonName (CN) part of an object’s Distinguished Name (DN) is one of the object’s Relative Distinguished Names (RDNs).
AD defines the Relative Distinguished Name (RDN) of an object as an attribute=value pair. An example of an AD object’s commonName (CN) is…
CN=Anthony Raj
In this example, the attribute of the RDN is CN, while its value is Anthony Raj. Furthermore, when you add the other RDNs of the object and separate them with a comma, you create the object’s DN.
Essentially, an object’s DN starts with its CN (commonName) and ends with its domain name.
CN=Anthony Raj,OU=Writers,DC=itechguides,DC=local
Contrast this with an object’s canonicalName which starts with the object’s domain name and ends with its name.
itechguides.local/Writers/Anthony Raj
Features Of canonicalName vs commonName
To further understand the two CN attribute abbreviations of an Active Directory object, this section compares their features.
canonicalName Gives the Full Path to an AD Object, While commonName Gives Just the Object’s Name
The first major difference between canonicalName vs commonName (CN) is the way they name an Active Directory object.
canonicalName is the full name of an object, starting from the root of the domain and ending at the object’s name. So, canonicalName gives you information about the full path to an AD object.
On the contrary, commonName gives just the name of the object. So, without the full DN of an object, you cannot use its commonName to determine where it is located in the Active Directory hierarchy.
The first example below is the canonicalName of an AD user, “Anthony Raj”. Meanwhile, the second example is the same user, but this time, it is presented in the commonName format.
itechguides.local/Writers/Anthony Raj
CN=Anthony Raj
As I explained earlier, the canonicalName of the object – itechguides.local/Writers/Anthony Raj – tells me the full path to the object in the directory.
However, the commonName – CN=Anthony Raj – gives me just the name. To see the full path to the object, I need to see its DN (Distinguished Name).
CN=Anthony Raj,OU=Writers,DC=itechguides,DC=local
canonicalName Starts Naming from the Root of the Domain, While commonName Starts Naming from the Object
This is another important difference between canonicalName vs commonName (CN) in Active Directory. If you look at the canonicalName below, it starts with the name of the domain that the object belongs to.
itechguides.local/Writers/Anthony Raj
On the contrary, if you consider the DN below, the commonName (CN) of the object comes first, and the DN ends with the name of the domain the object belongs to.
CN=Anthony Raj,OU=Writers,DC=itechguides,DC=local
canonicalName is Separated by Forward Slash (/) While DN is Separated by Comma (,)
The components of an Active Directory object’s Distinguished Name (which includes its commonName) are separated by commas. Here is the example we used earlier in this article.
CN=Anthony Raj,OU=Writers,DC=itechguides,DC=local
As you can see, each part of the DN is separated by commas (,). Also, each attribute is paired to a value with an equal sign.
For example, “CN=Anthony Raj.”
On the contrary, the naming convention used by the canonicalName is less complicated.
itechguides.local/Writers/Anthony Raj
To name an object with the canonicalName format, all you need are the elements of the name. Then, separate them with a forward slash (/).
The Domain Extension and the Domain Name Itself are Separate Values in DN, While They’re Treated as One Value in canonicalName
Another very important distinction between canonicalName vs commonName (CN) in Active Directory is the way the naming conventions treat the domain part of the object’s name.
The canonicalName below specifies “itechguides.local” – the Fully Qualified Domain Name of the domain – as a single entity.
itechguides.local/Writers/Anthony Raj
However, an object’s DN (of which its commonName is part) treats the domain name and its extension as separate entities. Let’s revisit our previous example.
CN=Anthony Raj,OU=Writers,DC=itechguides,DC=local
The DC in the DN above means domainComponent. If you look closely, you see that there are two DC values.
One of them is “DC=itechguides.” This attribute defines the name of the domain.
There is also “DC=local” (most live AD domains will use “com”). This portion of the object’s DN defines the domain extension.
Once again, this makes Distinguished Name (DN) more complicated than canonicalName.
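The four differences above amount to a mechanical conversion, shown here as an added example that is not part of the original article: the hypothetical function ConvertTo-CanonicalName rebuilds a canonicalName from a DN without querying AD, and the constructed sample DNs show why a commonName needs its full path. It assumes DNs made only of CN, OU and DC components with backslash-escaped characters such as \, and it does not handle hex escapes or names containing a forward slash.

```powershell
# Added example (hypothetical helper, not an ActiveDirectory module cmdlet).
function ConvertTo-CanonicalName {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # Split into RDNs on commas that are NOT escaped with a backslash.
    $rdns = $DistinguishedName -split '(?<!\\),'

    $domain = @()   # DC values, later joined with dots into the FQDN
    $path   = @()   # OU/CN values, collected leaf-first as they appear in the DN
    foreach ($rdn in $rdns) {
        # Each RDN is attribute=value; split on the first "=" only.
        $attr, $value = $rdn.Trim() -split '=', 2
        # Undo DN character escaping (for example "\," becomes ",").
        $value = $value -replace '\\(.)', '$1'
        if ($attr -eq 'DC') { $domain += $value } else { $path += $value }
    }

    $fqdn = $domain -join '.'
    # The canonicalName of the domain object itself ends with a slash.
    if ($path.Count -eq 0) { return "$fqdn/" }

    [array]::Reverse($path)   # DN is leaf-first, canonicalName is root-first
    (@($fqdn) + $path) -join '/'
}

# Constructed sample DNs (not taken from a real directory).
$sample = @(
    'CN=Anthony Raj,OU=Writers,DC=itechguides,DC=local',
    'CN=Anthony Raj,OU=Editors,DC=itechguides,DC=local',
    'CN=Raj\, Anthony,OU=Writers,DC=itechguides,DC=local'
)

$report = foreach ($dn in $sample) {
    [pscustomobject]@{
        CommonName    = ($dn -split '(?<!\\),')[0]
        CanonicalName = ConvertTo-CanonicalName $dn
    }
}
$report | Format-Table -AutoSize

# A commonName seen under more than one path cannot be located without its DN.
$report | Group-Object CommonName | Where-Object Count -gt 1 |
    ForEach-Object { "Ambiguous $($_.Name): $($_.Group.CanonicalName -join '; ')" }
```

When correlating directory or audit data that records objects in one format with tooling that reports the other, match on the full DN or canonicalName rather than on the commonName alone.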
How to View canonicalName and commonName in Active Directory
In this article, you have read an overview comparing the two AD CNs (canonicalName vs commonName). You have also read how they work and their features.
In this section, I’ll show you two methods to view canonicalName vs commonName (CN) in Active Directory.
Option 1: View in Active Directory Users and Computers
You can view the canonicalName and commonName attributes of an AD object with ADUC. Follow the steps below to accomplish this task.
- Open Active Directory Users And Computers. Then, click the View menu and select Advanced Features.
- Once you have enabled the Advanced Features in Active Directory Users and Computers, locate the object whose CN (canonicalName or commonName) you want to view. Then, right-click it and select Properties.
- Then, to view the object’s canonicalName, click the Object tab.
- ADUC will display the object’s canonicalName.
- To display the object’s commonName, click the Attribute Editor tab.
- Then, on the Attribute Editor tab, locate the distinguishedName attribute. You can view the object’s commonName (CN) as part of its distinguishedName.
Option 2: View with PowerShell
Another method to view the canonicalName and commonName of an object is via PowerShell. Follow the steps below to view the two CNs of an Object in Active Directory.
- Search for and open PowerShell.
- To get the object’s Distinguished Name, run the command below.
$dn = (Get-ADObject -Filter {Name -eq 'victor ashiedu'}).DistinguishedName
- Then, to return the object’s canonicalName (CN), run the command below.
Get-ADObject -Filter {DistinguishedName -eq $dn} -Properties canonicalName
The above command returns the canonicalName (CN), as well as other attributes of the Active Directory object. If you want to return only the object’s canonicalName, run the command below instead.
(Get-ADObject -Filter {DistinguishedName -eq $dn} -Properties canonicalName).CanonicalName
The screenshot below shows the results of the commands.
Moving on to displaying an AD object’s commonName, earlier, I saved the DistinguishedName of the object in a $dn variable.
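I can retrieve the object’s commonName from the DistinguishedName saved in the $dn variable. To return the commonName (CN) of an Active Directory object from its DistinguishedName, run the command below. It splits only on commas that are not escaped with a backslash, so a name that itself contains a comma (stored as \, in the DN) is returned whole.
($dn -split '(?<!\\),')[0]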
Frequently Asked Questions
CN could stand for canonicalName or commonName. The canonicalName of an AD object is the name in the canonical format.
Here is an example of an AD object’s canonicalName:
itechguides.local/Writers/Anthony Raj
On the other hand, OU stands for Organizational Unit. OU is a type of container that Active Directory uses to organize objects like users and computers.
Although CN has two meanings – canonicalName or commonName – you can find both CNs from an object’s properties in Active Directory Users and Computers.
Firstly, open Active Directory Users and Computers. Then, click View and select Advanced Features.
Next, right-click your user object and select Properties. Finally, to see your canonicalName, click the Object tab.
Alternatively, to see your commonName, click the Attribute Editor tab. Then, locate distinguishedName.
Your commonName is the first item in the distinguishedName attribute. It will start with “CN=”
CN (canonicalName or commonName) uniquely identifies an object in Active Directory. However, while canonicalName displays an object in the canonical format, commonName forms part of the object’s distinguishedName.
The canonicalName of an Active Directory object names the object in a canonical format. It shows the full path of the object in the directory, starting with the FQDN of the AD domain.
Here is an example of an AD object’s canonicalName:
itechguides.local/Writers/Anthony Raj
In Active Directory, a Container is any object that can have child objects. A good example of a container is an OU (Organizational Unit).
It is a container because you can add other objects – like Users and computers – to an OU.
Conclusion
CN has two meanings in Active Directory. It could mean canonicalName or commonName.
The canonicalName (CN) of an Active Directory object is the name of the object in a canonical format. An example of a canonicalName is…
itechguides.local/Writers/Anthony Raj
In comparison, the commonName (CN) of an Active Directory object is the stand-alone name of the object that forms part of the object’s distinguishedName.
An example of a commonName (CN) is…
CN=Anthony Raj
Meanwhile, an example of an object’s distinguishedName (which includes the object’s commonName) is…
CN=Anthony Raj,OU=Writers,DC=itechguides,DC=local