This page explains the common LDAP attributes which are used in vbs scripts. Programs like VBScript (WSH), CSVDE and LDIFDE rely on these LDAP attributes to create or modify objects in Active Directory. For example, when you bulk import users you will include the
LDAP attributes: dn and sAMAccountName.
* LDAP is the Lightweight Directory Access Protocol.
As the word 'distinguished' suggests, this is THE LDAP attribute that uniquely defines an object. Each DN must have a different name and location from all other objects in Active Directory. The
other side of the coin is that DN provides a way of selecting any object in Active Directory. Once you have selected the object, you can change its attributes.
Time spent in getting to know the DN attribute will repay many fold. Observe the different components CN=common name, OU = organizational unit. DC often comes with two entries, DC=CP, DC=COM.
Note that DC=CP.COM would be wrong. Incidentally in this situation, DC means domain content rather than domain controller.
Another point with the syntax is to check the speech marks; when used with VBScript commands, DN is often enclosed in "speech marks". Even the speech marks have to be of the right type, "double quotes
are correct", 'single quotes may be ignored' with unpredictable results. Finally, pay particular attention to commas in distinguished names.
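An added example (not from the original page): a pre-import check in Python that builds and validates DNs along the lines of the syntax notes above, escaping commas inside a value and flagging DC=CP.COM. The function names are hypothetical and the sample names are the ones used on this page.

```python
# Characters that must be backslash-escaped inside a DN value
# (RFC 4514, plus '=' which Active Directory also treats as special).
_SPECIAL = set(',+"\\<>;=')

def escape_rdn_value(value):
    """Escape one value (e.g. a CN read from a CSV cell) for use in a DN."""
    out = "".join("\\" + ch if ch in _SPECIAL else ch for ch in value)
    if value[:1] in ("#", " "):             # leading '#' or space
        out = "\\" + out
    if value.endswith(" ") and len(value) > 1:  # trailing space
        out = out[:-1] + "\\ "
    return out

def build_user_dn(cn, ou, dns_domain):
    """cp.com becomes DC=cp,DC=com: one DC component per DNS label."""
    dcs = ",".join("DC=" + escape_rdn_value(p) for p in dns_domain.split("."))
    return f"CN={escape_rdn_value(cn)},OU={escape_rdn_value(ou)},{dcs}"

def split_dn(dn):
    """Split a DN into components on unescaped commas only."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep escaped pair together
            cur += dn[i:i + 2]
            i += 2
        elif dn[i] == ",":
            parts.append(cur)
            cur = ""
            i += 1
        else:
            cur += dn[i]
            i += 1
    parts.append(cur)
    return [tuple(p.lstrip().split("=", 1)) for p in parts]

def check_dn(dn):
    """Return a list of problems; an empty list means the DN looks well formed."""
    problems = []
    for rdn in split_dn(dn):
        text = "=".join(rdn)
        if len(rdn) != 2 or not rdn[0].strip() or not rdn[1].strip():
            problems.append(f"malformed component: {text!r}")
        elif rdn[0].strip().upper() == "DC" and "." in rdn[1]:
            problems.append(f"DC must hold a single label: {text!r}")
    return problems

if __name__ == "__main__":
    print(build_user_dn("Thomas, Guy", "Newport", "cp.com"))
    print(check_dn("CN=Guy Thomas,OU=Newport,DC=CP.COM"))
```

Running the check over the dn column before handing a file to CSVDE or LDIFDE catches an unescaped comma in a name, which would otherwise be read as an extra component.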
CN=Guy Thomas. Actually, this LDAP attribute is made up from givenName joined to SN.
What you see in Active Directory Users and Computers. Not to be confused
with displayName on the Users property sheet.
displayName = Guy Thomas. If you script this property, be sure you understand which field you are configuring. DisplayName can be
confused with CN or description.
DN - also distinguishedName
DN is simply the most important LDAP attribute. CN=Jay Jamieson, OU= Newport,DC=cp,DC=com
Firstname also called Christian name
Home Folder : connect. Tricky to configure
name = Guy Thomas. Exactly the same as CN.
Defines the Active Directory Schema category. For example, objectClass = Person
objectClass = User. Also used for Computer, organizationalUnit, even
container. Important top level container.
Office! on the user's General property sheet
Roaming profile path: connect. Tricky to set up
sAMAccountName = guyt. Old NT 4.0 logon name, must be unique in the
domain. Can be confused with CN.
SN = Thomas. This would be referred to as last name or surname.
Used to disable an account. A value of 514 disables the account, while
512 makes the account ready for logon.
userPrincipalName = guyt@CP.com. Often abbreviated to UPN,
looks like an email address. Very useful for logging on especially in a
large Forest. Note UPN must be unique in the forest.
Legacy distinguished name for creating Contacts. In the
Guy Thomas is a Contact in the first administrative group of GUYDOMAIN:
/o=GUYDOMAIN/ou=first administrative group/cn=Recipients/cn=Guy Thomas
An easy, but important attribute. A simple SMTP address is all that is
mAPIRecipient - FALSE
Indicates that a contact is not a domain user.
Normally this is the same value as the sAMAccountName, but could be different if
you wished. Needed for mail enabled contacts.
Another straightforward field, just the value to:True
Exchange needs to know which server to deliver the mail. Example: /o=YourOrg/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=MailSrv
As the name 'proxy' suggests, it is possible for one recipient to have more than one email address. Note the plural spelling of proxyAddresses.
SMTP:@ e-mail address. Note that SMTP is case sensitive. All capitals means the default address.
Displays the contact in the Global Address List.