
Object Naming Convention

Active Directory is an LDAP-compliant directory service, and network clients use the LDAP protocol to query it for information. Every object in Active Directory is identified by one or more names, each following one of several object naming conventions.

  • Distinguished Names
  • Relative Distinguished Names
  • Globally Unique Identifiers
  • User Principal Names

Distinguished Name (DN)

Every object in Active Directory has a distinguished name (DN) that uniquely identifies it. The DN contains enough information for an LDAP client to locate the object in the directory hierarchy and retrieve it.

The DN contains the complete path of where the object is located in the hierarchy. Here is an example of a DN for a user object.

CN=John Smith,OU=Users,OU=Sales,DC=itgeared,DC=com

Another example would be a computer object located in the default Computers container (notice that containers use CN rather than OU: the container itself is CN=Computers,DC=itgeared,DC=com, and a computer inside it has a DN of the form CN=<computer name>,CN=Computers,DC=itgeared,DC=com).

In these examples, three LDAP attribute type abbreviations identify the name and location of the object. Active Directory does not allow duplicate DNs.

  • CN – Common Name
  • OU – Organizational Unit
  • DC – Domain Component

Relative Distinguished Name (RDN)

The Relative Distinguished Name (RDN) of an object is the leftmost component of its DN: the attribute that names the object itself rather than its location. For users, groups and computers this is the common name (CN); for organizational units it is OU, and for domain components it is DC. In the previous example, the RDN of the user is CN=John Smith (the RDN value is John Smith).

The RDN of the organizational unit Users is OU=Users. Active Directory does not allow an RDN to be duplicated within the same container, which is what guarantees that every DN is unique.
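The two sections above describe DNs as comma-separated RDNs of the form type=value. The following Python is an added example, not code from the original page: it parses a DN into its RDNs and back, following the RFC 4514 escaping rules, so that a comma inside a value (CN=Smith\, John) is not mistaken for an RDN separator, and so that a name taken from user input cannot add components to a DN you build. The sample names are the page's own (John Smith, itgeared.com); the accented example and the "Domain Admins" value are constructed for illustration.

```python
"""Parse and build LDAP distinguished names as used by Active Directory.

Added example, not code from the original page. Escaping follows RFC 4514;
the sample names (itgeared.com, John Smith) are the ones the page uses.
"""
from __future__ import annotations

import re

_HEX = set("0123456789abcdefABCDEF")
# Characters that must be backslash-escaped inside an RDN value (RFC 4514 2.4).
_SPECIAL = re.compile(r'([,+"\\<>;=])')


def _split_unescaped(s: str, sep: str) -> list[str]:
    """Split s on every sep that is not part of a backslash escape."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])  # keep the escape intact; decoded later
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append("".join(buf))
    return parts


def unescape_value(raw: str) -> str:
    """Decode an RDN value. \\XX pairs are raw UTF-8 bytes, so Jos\\C3\\A9 -> José."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            pair = raw[i + 1:i + 3]
            if len(pair) == 2 and set(pair) <= _HEX:
                out.append(int(pair, 16))
                i += 3
            else:
                out += raw[i + 1].encode("utf-8")
                i += 2
            continue
        out += raw[i].encode("utf-8")
        i += 1
    return out.decode("utf-8")


def escape_value(value: str) -> str:
    """Escape a value for an RDN so that user-supplied text such as 'Smith, John'
    stays inside one RDN instead of adding components to the DN."""
    escaped = _SPECIAL.sub(r"\\\1", value).replace("\x00", "\\00")
    if escaped.endswith(" "):          # trailing space must be escaped ...
        escaped = escaped[:-1] + "\\ "
    if escaped.startswith(("#", " ")):  # ... as must a leading space or '#'
        escaped = "\\" + escaped
    return escaped


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """DN string -> [(attribute type, decoded value), ...], leftmost RDN first.
    Types are normalised to upper case (they are case-insensitive). AD does not
    use multi-valued RDNs (joined with '+'), so those are not handled."""
    pairs = []
    for raw_rdn in _split_unescaped(dn, ","):
        typ, eq, raw_val = raw_rdn.lstrip().partition("=")
        if not eq or not typ.strip():
            raise ValueError(f"malformed RDN: {raw_rdn!r}")
        pairs.append((typ.strip().upper(), unescape_value(raw_val)))
    return pairs


def build_dn(pairs: list[tuple[str, str]]) -> str:
    """Inverse of parse_dn: assemble a DN, escaping every value."""
    return ",".join(f"{typ}={escape_value(val)}" for typ, val in pairs)


def rdn(dn: str) -> str:
    """Relative distinguished name: the leftmost component, e.g. 'CN=John Smith'."""
    return _split_unescaped(dn, ",")[0].lstrip()


def parent_dn(dn: str) -> str:
    """The container holding the object: the DN minus its RDN."""
    return ",".join(p.lstrip() for p in _split_unescaped(dn, ",")[1:])


if __name__ == "__main__":
    dn = "CN=John Smith,OU=Users,OU=Sales,DC=itgeared,DC=com"
    print(rdn(dn), "lives in", parent_dn(dn))
    # Constructed value: a display name that smuggles in an extra RDN.
    print(build_dn([("CN", "Smith,OU=Domain Admins"), ("DC", "itgeared"), ("DC", "com")]))
```

Because the parser splits only on unescaped commas, `CN=Smith\, John` is one RDN; building a DN through `build_dn` applies the same escaping, so a display name containing a comma ends up as a single RDN value rather than as a new component of the path.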

Globally Unique Identifier (GUID)

A Globally Unique Identifier (GUID) is a 128-bit value, conventionally written as 32 hexadecimal digits, that is unique within the forest (and, for practical purposes, globally). Active Directory assigns a GUID to every object at the time of creation and stores it in the object's objectGUID attribute.

The GUID never changes, even if the object is renamed, nor when the object is moved between domains within the forest boundary.

Active Directory needs the GUID because, unlike Windows NT, it requires an identifier that is unique and stable across the whole forest. The SID cannot meet that requirement: only security principals (users, groups and computers) have one, it is scoped to a single domain, and a new SID is issued when an object is moved to another domain in the forest.
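A point practitioners trip over is that objectGUID comes back from LDAP as 16 raw bytes, not as the dashed string shown by the Active Directory tools, and the first three fields of that string are stored little-endian. The Python below is an added example, not from the original page: it converts between the two forms, shows the wrong result a big-endian reading gives, and builds the escaped LDAP filter needed to look an object up by its GUID (which is how you find an object again after it has been renamed or moved). The GUID value is constructed for illustration and belongs to no real object.

```python
"""Convert and search on the Active Directory objectGUID attribute.

Added example, not code from the original page. The GUID below is a
constructed value used only to show the byte layout.
"""
import uuid

# Constructed: the 16 raw bytes an LDAP client receives in objectGUID for the
# GUID 01020304-0506-0708-090a-0b0c0d0e0f10. Note the first three fields are
# byte-swapped relative to the dashed string.
SAMPLE_OBJECT_GUID = bytes.fromhex("0403020106050807090a0b0c0d0e0f10")


def guid_to_string(raw: bytes) -> str:
    """objectGUID (16 raw bytes) -> the dashed form displayed by AD tools.

    uuid.UUID(bytes_le=...) applies the little-endian layout of the first
    three fields, which is how Windows stores GUIDs."""
    if len(raw) != 16:
        raise ValueError(f"objectGUID must be 16 bytes, got {len(raw)}")
    return str(uuid.UUID(bytes_le=raw))


def guid_to_string_misread(raw: bytes) -> str:
    """The common mistake: reading the octet string big-endian. The result
    looks like a valid GUID but does not match what the directory shows."""
    return str(uuid.UUID(bytes=raw))


def string_to_guid(guid: str) -> bytes:
    """Dashed form (with or without braces) -> the 16 raw bytes of objectGUID."""
    return uuid.UUID(guid.strip("{}")).bytes_le


def guid_search_filter(guid: str) -> str:
    """LDAP filter that finds an object by GUID regardless of its current DN.

    objectGUID is binary, so RFC 4515 requires each byte to be written as a
    \\XX escape; pasting the dashed string into the filter never matches."""
    escaped = "".join(f"\\{b:02x}" for b in string_to_guid(guid))
    return f"(objectGUID={escaped})"


if __name__ == "__main__":
    shown = guid_to_string(SAMPLE_OBJECT_GUID)
    print("correct :", shown)
    print("misread :", guid_to_string_misread(SAMPLE_OBJECT_GUID))
    print("filter  :", guid_search_filter(shown))
```

The filter string is what you would pass to an LDAP search against the domain or a global catalog to locate the object by GUID; because the GUID survives renames and cross-domain moves within the forest, it is the stable handle to store when you need to refer to an object over time.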

User Principal Name (UPN)

The User Principal Name (UPN) is also known as the "friendly" logon name. It consists of the user's logon name and a UPN suffix, joined by an @ sign; the suffix is generally the DNS name of the domain that the user account belongs to.

In the previous example, John Smith's UPN would be his logon name followed by @itgeared.com. It is possible for a user to have a UPN whose suffix does not match the DNS name of the domain in which the user object is located.

This is common in organizations whose Active Directory forest has an empty root domain with many child domains: the UPNs of all users in the forest can use the root domain's suffix, so users log on with the same suffix regardless of which child domain holds their account.
