Tuesday, April 22, 2014

Distinguished Name construction in Active Directory

So, we know that distinguished names must be unique within Active Directory, but an often overlooked aspect of user provisioning within an enterprise is how your OU structure interacts with that rule. Let me explain by example:

Let's say you have two OUs named 'PreSalesTeam' and 'PostSalesTeam'.

The PreSales Team recruits a sales person called 'John Smith'. His account is created in the PreSalesTeam OU, so his distinguished name is:

CN=John Smith,OU=PreSalesTeam,DC=OurDomain,DC=ORG

Then the PostSales Team recruits a different person called 'John Smith'. His account is created in the PostSalesTeam OU, so his distinguished name is:

CN=John Smith,OU=PostSalesTeam,DC=OurDomain,DC=ORG

There is nothing wrong with this, and Active Directory is perfectly happy. However, six months later the John Smith in the PreSales Team transfers to the PostSales Team and we try to move his user object from one OU to the other. It sounds obvious once stated, but moving the object changes its distinguished name, and the DN it would have on arrival is no longer unique, so Active Directory will prevent you from doing that.

This is a slightly philosophical discussion, but it means that your user provisioning team might need to think about keeping first-name and last-name combinations unique across the whole domain, even though Active Directory does not make you do that.
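As an added example (not from the original post), here is a small Python pre-flight check that reproduces the move collision described above against a constructed in-memory snapshot of DNs; the snapshot, the function names and the RDN parsing are assumptions of this example, and it relies on Active Directory matching DNs case-insensitively.

```python
# Added example: simulate the OU-move DN collision from the post.
# DIRECTORY_SNAPSHOT is a constructed stand-in for a real directory query.
from typing import Dict, Iterable, List

DIRECTORY_SNAPSHOT = [  # constructed sample data
    "CN=John Smith,OU=PreSalesTeam,DC=OurDomain,DC=ORG",
    "CN=John Smith,OU=PostSalesTeam,DC=OurDomain,DC=ORG",
    "CN=Jane Doe,OU=PreSalesTeam,DC=OurDomain,DC=ORG",
]


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDNs, honouring backslash-escaped commas (RFC 4514)."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: AD matches DNs case-insensitively."""
    return ",".join(rdn.casefold() for rdn in split_dn(dn))


def proposed_dn(current_dn: str, target_ou_dn: str) -> str:
    """DN the object would have after a move: same leaf RDN, new parent."""
    return f"{split_dn(current_dn)[0]},{target_ou_dn}"


def move_collides(current_dn: str, target_ou_dn: str, existing: Iterable[str]) -> bool:
    """True when moving the object would produce a DN that already exists."""
    new_dn = normalize_dn(proposed_dn(current_dn, target_ou_dn))
    return any(normalize_dn(dn) == new_dn for dn in existing)


def duplicate_rdns(dns: Iterable[str]) -> Dict[str, List[str]]:
    """Leaf RDNs (e.g. CN=John Smith) that exist under more than one parent:
    the domain-wide name uniqueness the post suggests provisioning should enforce."""
    groups: Dict[str, List[str]] = {}
    for dn in dns:
        groups.setdefault(normalize_dn(split_dn(dn)[0]), []).append(dn)
    return {rdn: found for rdn, found in groups.items() if len(found) > 1}
```

Running `move_collides` on the PreSales John Smith with `OU=PostSalesTeam,DC=OurDomain,DC=ORG` as the target reports the collision before the move is attempted, and `duplicate_rdns` flags the two John Smith accounts as the provisioning problem to fix first.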

Cheers!
