Object Names and Identities

Platform SDK: Active Directory, ADSI, and Directory Services

Object Names and Identities

In Active Directory, an object has several identities:

The distinguished name (DN) is the current name of the object. This is the distinguishedName property of the object. The distinguished name is a string, formed by concatenating the relative distinguished names of the object and each of its ancestors all the way to Root. For example, the DN of the Users container in the Fabrikam.Com domain would be CN=Users,DC=Fabrikam,DC=Com. DNs are unique within a forest. An object's distinguished name changes when the object is moved or renamed.
The relative distinguished name (RDN) is the name defined by an object's naming attribute. The rDnAttID attribute of a classSchema object identifies the naming attribute for instances of the class. Most object classes use cn (Common-Name) as the naming attribute. An object's RDN must be unique in the container where the object resides. There can be many object instances with the same RDN, but no two can be in same container. For more information about the rDnAttID attribute and classSchema objects, see Characteristics of Object Classes.
The object GUID (objectGUID) is a globally unique identifier (GUID) assigned by Active Directory when the object instance is created. A GUID is a 128-bit number guaranteed to be unique in space and time. Object GUIDs never change – if an object is renamed or moved anywhere in the enterprise forest, the objectGUID remains the same. Applications that save references to Active Directory objects must use the objectGUID to be rename-safe. The distinguished name for an object might change, but the objectGUID will not.

Object instances can have many other attributes, and the attributes can be used for identification by applications. For example, security principal objects (instances of the user, computer, and group object classes) have userPrincipalName, sAMAccountName, and objectSid attributes. These attributes are very important "names" for Windows 2000 security, but these are not part of the object's identity from the directory's perspective.