Re: nt4 domain to W2k3 AD



Don wrote:

We recently upgraded our nt4 domain to 2k3 AD. We upgraded the pdc and
then added new 2k3 servers, transferred FSMO roles and removed the
original server. I have since noticed that the 1500+ users which existed
prior to the upgrade have no ad username. They only have the
pre-windows2000 username. This hasn't seemed to affect anything, but I'm
concerned that it may in the future. I am currently planning on upgrading
the functionality level from compatibility to 2k3. Does anyone know how
this user account issue affects this?

Hi,

This issue shouldn't affect upgrading the level. Every user account in AD
has at least two "name" attributes. The "Pre-Windows 2000 logon name", also
called the NT name, corresponds to the sAMAccountName attribute of the user
object. This is a mandatory attribute, must be unique in the domain, and is
limited to 20 characters. Also, each user must have a Common Name (the value
of the cn attribute), which is the "Relative Distinguished Name". It must be
unique in the container/OU where the user object resides. In ADUC, the
column labeled name is the Common Name.

There are other "name" attributes, so one of these must be missing for your
users. The userPrincipalName is generally in the form NTName@xxxxxxxxxxxx,
where NTName is the sAMAccountName. In ADUC this name is on the Account tab
and is called User Logon Name. I have seen the value be blank. The value
must be unique in the domain. Users can log on with their userPrincipalName.
On the General tab in ADUC is a field called "Display Name" (value of the
displayName attribute), which was called "FullName" in NT. This can also be
missing.

Each user object has a distinguishedName attribute, which uniquely
identifies the object in AD. This is constructed from the Common Name (cn,
which is the Relative Distinguished Name) and components representing where
in the hierarchy of AD the object resides (that is the Distinguished Name of
the parent container). No need to worry about this. Every object in AD has
it.

Other "name" attributes of less importance are givenName (first name), sn
(surname or last name), and initials (middle initial or name).

The whole issue of the "name" of an object in AD can be confusing. Bottom
line, your users must have values for cn and sAMAccountName (and
distinguishedName). The others are optional.

--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
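
An added example (not part of the reply above, and not code from its author): a small Python audit that applies the naming rules described in the reply to an exported user list, flagging broken mandatory names separately from blank optional ones. The LDIF-style sample records, the example.com names and the function names are constructed for illustration, and the parser assumes unfolded, single-valued, non-base64 lines.

```python
import re
from collections import Counter
# Constructed sample in LDIF style (such as an ldifde export); not real data.
SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=Sales,DC=example,DC=com
cn: Jane Doe
sAMAccountName: jdoe
userPrincipalName: jdoe@example.com
displayName: Jane Doe

dn: CN=Bob Ray,OU=Sales,DC=example,DC=com
cn: Bob Ray
sAMAccountName: bray

dn: CN=Ann Lee,OU=IT,DC=example,DC=com
cn: Ann Lee
sAMAccountName: averyveryverylongntname1
userPrincipalName: JDoe@example.com
"""

def parse_ldif(text):
    """One dict per record; assumes unfolded, single-valued, non-base64 lines."""
    blocks = re.split(r"\n\s*\n", text.strip())
    return [dict(l.split(": ", 1) for l in b.splitlines() if ": " in l) for b in blocks]

def parent_of(dn):
    # Parent container: everything after the first unescaped comma of the DN.
    return (re.split(r"(?<!\\),", dn, maxsplit=1) + [""])[1].lower()

def audit(records):
    """Return (dn, finding) pairs; ERROR breaks a rule, INFO is a blank optional name."""
    key = lambda r, a: r.get(a, "").lower()  # AD compares these names case-insensitively
    seen = {a: Counter(key(r, a) for r in records) for a in ("sAMAccountName", "userPrincipalName")}
    cns = Counter((parent_of(r["dn"]), key(r, "cn")) for r in records)
    out = []
    for r in records:
        dn = r["dn"]
        out += [(dn, f"ERROR: mandatory {a} missing") for a in ("cn", "sAMAccountName") if not r.get(a)]
        if len(r.get("sAMAccountName", "")) > 20:
            out.append((dn, "ERROR: sAMAccountName longer than 20 characters"))
        for a in seen:  # both must be unique across the whole export (one domain)
            if r.get(a) and seen[a][key(r, a)] > 1:
                out.append((dn, f"ERROR: {a} not unique in domain"))
        if r.get("cn") and cns[(parent_of(dn), key(r, "cn"))] > 1:
            out.append((dn, "ERROR: cn not unique in its container"))
        out += [(dn, f"INFO: optional {a} is blank") for a in ("userPrincipalName", "displayName") if not r.get(a)]
    return out

if __name__ == "__main__":
    print(*audit(parse_ldif(SAMPLE_LDIF)), sep="\n")
```

Accounts that show only INFO findings match the situation in the question: the mandatory names are present and only the optional ones are blank.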

