Microsoft® Windows® 2000 Scripting Guide
All Active Directory user account object types are identified by several attributes defined in the Active Directory schema. All user account object types have names in the form of cn (common name), name, distinguishedName, and objectGUID. For example, a user account object created for a user named Ken Myer and stored in the Management organizational unit (OU) of the na.fabrikam.com domain could be assigned the following names:
cn and name: MyerKen
When you create the user account, you must give the object a name. The name you provide is the relative distinguished name of the object and must be unique in the current container. The value you provide is assigned to the users cn (Common-Name) and name (RDN) attributes.
The value of a user accounts distinguishedName (Obj-Dist-Name) attribute is constructed from the users relative distinguished name and the relative distinguished name of each parent all the way to the root of the directory. Because a user accounts distinguishedName is automatically generated, you cannot explicitly set its value. However, an objects distinguishedName changes when the object is moved or renamed. If the MyerKen account is moved to the Finance OU, the new distinguishedName for the account will be this:
objectGUID: 77 22 D5 1D B8 65 67 4F A9 C2 10 19 D1 D7 4E 9E (hexadecimal value)
Active Directory assigns a unique value to the objectGUID attribute for each object when it is created. The objectGUID is a unique 128-bit structure used by the system to identify the object. The objectGUID does not change even if a user account object is moved or renamed. You will rarely, if ever, need to use the objectGUID when writing scripts to manage users and user accounts.
Security Principal Naming Attributes
Because the user account object type is a security principal, it has additional naming attributes, such as sAMAccountName, userPrincipalName, and objectSid. The security principal naming attributes are critical for the Windows 2000 security system to recognize user accounts. The MyerKen user account mentioned in the preceding example could be assigned the following security naming attributes:
This mandatory attribute is used to log on to the domain from computers running versions of Windows earlier than Windows 2000 and by other computers running the LAN Manager client redirector. This value must be unique in the domain and must be no longer than 20 characters.
userPrincipalName (UPN): MyerKen@fabrikam.com
This attribute can be used to log on to the domain from computers running Windows 2000 or Microsoft® Windows® XP. The UPN is assigned an e-mail style value to simplify logon to the domain. For consistency and ease of use, consider making the UPN the same as the users e-mail address.
objectSid: 01 05 00 00 00 00 00 05 15 00 00 00 83 3D 2B 46 67 FD 7C 30 F8 9F B4 74 6B 04 00 00 (hexadecimal value)
The domain security authority, an operating system component of Windows 2000, assigns a unique value to the objectSid attribute for user account types that are security principals. When a user logs on to the domain, the security system assigns the value in the objectSid to the users access token. The access token identifies the user account to the Windows 2000 security infrastructure.
User account types that are security principals also contain security attributes. These attributes define account and password characteristics that help to maintain domain security. For example, the accountExpires attribute can define a date when a user account will automatically expire. This ensures that a user will not be able to access the network with this user account after the expiration date.
All user account types contain address book attributes that provide supplementary information to identify user accounts. For example, the displayName attribute contains a friendly name for each user account. This name appears in the directory to assist users in identifying other users in the network.