Object names

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Every object in Active Directory is an instance of a class defined in the schema. Each class has attributes that ensure:

  • Unique identification of each object (instance of a class) in a directory data store

  • Backward compatibility with security IDs used in Windows NT 4.0 and earlier

  • Compatibility with LDAP standards for directory object names

For more information about schema, classes, and attributes, see Schema.

Each object in Active Directory can be referenced by several different names. Active Directory creates a relative distinguished name and a canonical name for each object based upon information that was provided when the object was created or modified. Each object can also be referenced by its distinguished name, which is derived from the relative distinguished name of the object and all of its parent container objects.

  • The LDAP relative distinguished name uniquely identifies the object within its parent container. For example, the LDAP relative distinguished name of a computer named mycomputer is CN=mycomputer. Relative distinguished names must be unique within their container: two users cannot have the same name within one organizational unit.

  • The LDAP distinguished name is unique within the forest. It is formed by appending the relative distinguished names of all parent containers, leaf first. For example, the distinguished name of a computer named mycomputer in the MyOrganizationalUnit organizational unit in the microsoft.com domain is CN=mycomputer,OU=MyOrganizationalUnit,DC=microsoft,DC=com.

  • The canonical name is built from the same components as the distinguished name but in a different notation: the DNS domain name comes first, followed by the container path from the root downward, separated by forward slashes. The canonical name of the computer in the previous example is microsoft.com/MyOrganizationalUnit/mycomputer.
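The three name forms above, as an added example that is not code from the original page or from Microsoft: a small Python module that escapes relative distinguished name values according to RFC 2253 (the RFC the page cites later for the special characters; '#' is escaped only when it leads the value and spaces only when they lead or trail it), builds the distinguished name from its components, splits a distinguished name back into components, and derives the canonical name. It goes a little beyond the page's example by handling values that contain the separator characters, such as a CN of "Smith, John". The function names and the sample objects are this example's own assumptions.

```python
"""Name forms for an Active Directory object: RDN, DN and canonical name.

Added example; not code from the original page or from Microsoft.  Escaping
follows RFC 2253 section 2.4; canonical-name construction follows the page's
description (DNS domain name, then the container path with '/').  The sample
objects used at the bottom are constructed for illustration.
"""
from __future__ import annotations

# Characters that must always be escaped inside an RDN attribute value.
_ALWAYS_ESCAPE = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape a raw attribute value so it can appear in an RDN such as CN=..."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _ALWAYS_ESCAPE or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def unescape_rdn_value(value: str) -> str:
    """Reverse escape_rdn_value: a backslash protects the character after it."""
    out, i = [], 0
    while i < len(value):
        if value[i] == '\\' and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return ''.join(out)


def build_dn(components: list[tuple[str, str]]) -> str:
    """Join (attribute type, raw value) pairs, leaf first, into an escaped DN."""
    return ','.join(f'{attr}={escape_rdn_value(val)}' for attr, val in components)


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute type, unescaped value) pairs, leaf first.

    An escaped comma does not split a component; optional whitespace after a
    separator comma (as in 'CN=x, OU=y') is ignored.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == '\\' and i + 1 < len(dn):
            buf.append(dn[i:i + 2])          # keep escape pairs intact
            i += 2
            continue
        if dn[i] == ',':
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append(''.join(buf))
    result = []
    for part in parts:
        attr, _, val = part.lstrip().partition('=')
        result.append((attr.strip().upper(), unescape_rdn_value(val)))
    return result


def rdn_of(dn: str) -> str:
    """The relative distinguished name: the leftmost component, re-escaped."""
    attr, val = split_dn(dn)[0]
    return f'{attr}={escape_rdn_value(val)}'


def dn_to_canonical(dn: str) -> str:
    """Convert a DN to canonical-name notation.

    DC components become the dotted DNS domain name; the other components
    follow, root container first, separated by '/'.  A '/' inside a name is
    escaped as '\\/' so the path stays unambiguous.
    """
    comps = split_dn(dn)
    domain = '.'.join(val for attr, val in comps if attr == 'DC')
    path = [val.replace('/', '\\/') for attr, val in comps if attr != 'DC']
    return domain + '/' + '/'.join(reversed(path))


if __name__ == '__main__':
    # Constructed example matching the page's mycomputer object.
    dn = build_dn([('CN', 'mycomputer'), ('OU', 'MyOrganizationalUnit'),
                   ('DC', 'microsoft'), ('DC', 'com')])
    print(rdn_of(dn))             # CN=mycomputer
    print(dn)                     # CN=mycomputer,OU=MyOrganizationalUnit,DC=microsoft,DC=com
    print(dn_to_canonical(dn))    # microsoft.com/MyOrganizationalUnit/mycomputer
    # A user whose CN contains a comma: the comma is escaped in the DN so it
    # cannot be mistaken for a component separator.
    user = build_dn([('CN', 'Smith, John'), ('OU', 'Sales'), ('DC', 'microsoft'), ('DC', 'com')])
    print(user)                   # CN=Smith\, John,OU=Sales,DC=microsoft,DC=com
    print(dn_to_canonical(user))  # microsoft.com/Sales/Smith, John
```

The escaping matters for anything that builds LDAP filters or distinguished names from user-supplied input: an unescaped comma or plus sign in a name silently changes where one component ends and the next begins.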

Security principal objects are Active Directory objects that are assigned security IDs (SIDs) and can be used to log on to the network and can be assigned access to domain resources. An administrator needs to provide names for security principal objects (user accounts, computer accounts, and groups) that are unique within a domain.

Consider what occurs when a new user account is added to your directory. You provide a name the user must use to log on to the network, the name of the domain that contains the user account, and other descriptive data, such as first name, last name, telephone number and so on (called attributes). All this information is recorded in the directory.

The names of security principal objects can contain all Unicode characters except the special LDAP characters defined in RFC 2253. This list of special characters includes: a leading space; a trailing space; and any of the following characters: # , + " \ < > ;

Security principal names must conform to the following guidelines. For each type of account name, the maximum size and any special limitations are listed.

User account

  • Maximum size: computers running Windows Server 2003 and Windows 2000 can use a user principal name (UPN) for a user account. Computers running Windows NT 4.0 and earlier are limited to 20 characters, or 20 bytes depending upon the character set; individual characters may require more than one byte.

  • Special limitations: a user account name cannot consist solely of periods (.) or spaces, or end in a period. Any leading periods or spaces are cropped. The @ symbol is not supported in the logon format for Windows NT 4.0 and earlier, which is DomainName\UserName. A DomainName\UserName logon name must be unique within the domain; a UPN must be unique within the forest.

Computer account

  • Maximum size: NetBIOS name, 15 characters or 15 bytes depending upon the character set. DNS name, 63 characters or 63 bytes per label depending upon the character set, and 255 characters for a fully qualified domain name (FQDN). Individual characters may require more than one byte.

  • Special limitations: a computer account name cannot consist solely of numbers, periods (.), or spaces. Any leading periods or spaces are cropped.

Group account

  • Maximum size: 63 characters, or 63 bytes depending upon the character set; individual characters may require more than one byte.

  • Special limitations: a group account name cannot consist solely of numbers, periods (.), or spaces. Any leading periods or spaces are cropped.

Note

  • If the administrator changes the default security settings, then it is possible to use computer names containing more than 15 characters. For more information, see Active Directory naming.
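The guidelines above, turned into a check a provisioning script can run before it calls the directory, as an added example that is not code from the original page or from Microsoft. It applies the special-character list, the cropping of leading periods and spaces, the "solely numbers, periods or spaces" rules, the @ restriction for the DomainName\UserName format, and the size limits from the table, counting both characters and bytes in a code page of the caller's choosing because the page states the limit either way depending on the character set. The max_len override stands in for the note that an administrator can permit computer names longer than 15 characters. The function and class names, the default code page, and the sample names are this example's own assumptions.

```python
"""Check a proposed security-principal name against the page's guidelines.

Added example; not code from the original page or from Microsoft.  Limits are
the ones the table states (20 for the pre-Windows 2000 user logon name, 15 for
a NetBIOS computer name, 63 for a group name).  The sample names at the
bottom are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Special LDAP characters (RFC 2253) that the page says a name may not contain.
SPECIAL_CHARS = set('#,+"\\<>;')

# Maximum size per account type, from the table above.
MAX_LEN = {'user': 20, 'computer': 15, 'group': 63}


@dataclass
class NameCheck:
    name: str                                   # the name as it will be stored
    problems: list[str] = field(default_factory=list)   # reasons for rejection
    notes: list[str] = field(default_factory=list)      # accepted, but altered

    @property
    def ok(self) -> bool:
        return not self.problems


def crop(name: str) -> str:
    """Drop leading periods and spaces, as the page says Active Directory does."""
    return name.lstrip('. ')


def check_principal_name(name: str, kind: str, encoding: str = 'cp1252',
                         max_len: int | None = None) -> NameCheck:
    if kind not in MAX_LEN:
        raise ValueError(f'unknown account type: {kind!r}')
    limit = max_len if max_len is not None else MAX_LEN[kind]
    stored = crop(name)
    result = NameCheck(stored)
    problems = result.problems
    if stored != name:
        result.notes.append(f'leading periods/spaces cropped; stored as {stored!r}')
    if not stored:
        problems.append('consists solely of periods or spaces; nothing left after cropping')
        return result

    bad = sorted(SPECIAL_CHARS & set(stored))
    if bad:
        problems.append('contains special LDAP characters: ' + ''.join(bad))
    if stored.endswith(' '):
        problems.append('trailing space is not allowed')

    if kind == 'user':
        if stored.endswith('.'):
            problems.append('a user name cannot end in a period')
        if '@' in stored:
            problems.append('@ is not supported in the DomainName\\UserName logon format')
    elif stored.isdigit():
        problems.append(f'a {kind} name cannot consist solely of numbers')

    # The table gives the limit in characters or bytes depending on the
    # character set, so measure both; DBCS code pages need two bytes per CJK character.
    if len(stored) > limit:
        problems.append(f'{len(stored)} characters exceeds the limit of {limit}')
    try:
        nbytes = len(stored.encode(encoding))
    except UnicodeEncodeError:
        problems.append(f'not representable in code page {encoding}')
    else:
        if nbytes > limit:
            problems.append(f'{nbytes} bytes in {encoding} exceeds the limit of {limit}')
    return result


if __name__ == '__main__':
    # Constructed sample names; cp932 (Japanese) shows the byte-count case.
    samples = [('jsmith', 'user'), ('..jsmith', 'user'), ('j@smith', 'user'),
               ('12345', 'computer'), ('file-server-building-7', 'computer'),
               ('Sales, West', 'group'), ('\u65e5' * 11, 'user')]
    for name, kind in samples:
        r = check_principal_name(name, kind, encoding='cp932')
        verdict = 'ok' if r.ok else '; '.join(r.problems)
        print(f'{kind:8} {name!r:28} -> {verdict}  {r.notes or ""}')
```

Cropping is reported as a note rather than a problem because the directory accepts such a name; the caller still needs to know that the stored name differs from what was requested, since that is the name other systems will see.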

From the information provided by the person who creates the security principal object, Active Directory generates a security ID (SID, stored in the objectSid attribute) and a globally unique ID (objectGUID) that identify the security principal. Active Directory also creates an LDAP relative distinguished name based on the security principal name. The LDAP distinguished name and the canonical name are derived from the relative distinguished name and the names of the domain and container in which the security principal object is created.

If your organization has several domains, the same user name or computer name can be used in different domains. The SID, globally unique ID, LDAP distinguished name, and canonical name generated by Active Directory uniquely identify each user, computer, or group in the forest. Renaming a security principal object changes its LDAP relative distinguished name and therefore its LDAP distinguished name and canonical name, but not its SID. Moving the object to a different domain also gives it a new SID issued by that domain (the old SID can be kept in the object's sIDHistory attribute so that existing access control entries still apply). The globally unique ID generated by Active Directory never changes, which makes it the only name form that is safe to store as a long-lived reference to the object.

Security principal objects, such as user accounts, may be renamed, moved, or placed deep within a nested domain hierarchy. To reduce the effect of renaming, moving, or assigning user account names within a nested domain hierarchy, Active Directory provides the user principal name, a logon name that does not depend on the object's position in the directory. For information about user logon names, see Active Directory naming, Add user principal name suffixes, and User and computer accounts.