The Lightweight Directory Access Protocol (LDAP) Application Programming Interface (API) references an object by its Distinguished Name (DN), which is a comma-separated string of Relative Distinguished Names (RDNs).
The following is a list of RDN types:
String | Attribute Type
--- | ---
DC | Domain Component
CN | Common Name
OU | Organisational Unit Name
O | Organisation Name
STREET | Street Address
L | Locality Name
ST | State or Province Name
C | Country Name
UID | User ID
The following is an example DN:
CN=Thom Bedford,CN=Users,DC=tcdev,DC=co,DC=uk
Finding the DN of an Object
The easiest way to find the DN of an object in Windows Server 2008 is to use the built-in LDP application (note that this was not built in to Windows Server 2003). To open it, simply run “ldp”, and an empty window should greet you.
From here, we need to connect to our server using its Fully Qualified Domain Name (FQDN), so select ‘Connect’ from the ‘Connection’ menu.
In the connection box, type in the FQDN of the server.
Once this is done, the right-hand panel should fill up with the connection details. Now we want to bind as the object we want to look at, which for this example will be the user ‘FinanceUser’.
A message should appear in the right-hand panel stating that the user has been authenticated, but this still gives us very little information. For the big picture, go to ‘View’ and click ‘Tree’, leaving the ‘BaseDN’ blank when prompted.
Again the right-hand panel will begin filling with information, but this time a tree node will appear on the left. We now need to traverse this tree and find our user. To open a node, simply double-click it (even if the ‘+’ sign is missing).
So if we open up our domain (root) node, then open the users node, we can see a list of all users currently in the system. Double-click on the user in question and the following screen should appear:
The text in the right-hand panel can be selected and copied for whatever use you may have for it. The DN is highlighted in bold in LDP, so you cannot miss it.
Using a DN
One such use for a DN is with the ‘dsget’ command in the command prompt, to view the resultant Password Settings Object (PSO) for a user. If you have read my article on Fine-Grain Password Policy, this will make more sense; if not, we can still use it to check that our DN syntax is correct.
First, open a command prompt, then type the following (replacing {DN} with the DN retrieved above):
dsget user "{DN}" -effectivepso
We can see from this image that the effective PSO is ‘Financial’. If no PSO is applied to a user, the following would appear:
The difference being that no PSO is listed. Now we will see what happens when we get the syntax wrong (notice in the following screenshot, the CN is ‘Finance Usss’, which does not exist):
The interface simply reports ‘Directory object not found’.
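As an added example (not code from the original article), the following Python script ties the two halves of this post together: it parses a DN into its RDNs using the RFC 4514 escaping rules (so a comma inside a Common Name such as “Bedford\, Thom” is not mistaken for an RDN separator), checks each attribute type against the table above, and builds the exact argument list for the dsget command shown earlier so that a malformed DN is rejected locally before the directory is ever asked. The function names parse_dn, check_dn, dsget_args and run_dsget, and the sample DNs, are constructed for this example. Note the limit of a local check: a well-formed DN that names an object which does not exist (the ‘Finance Usss’ case) passes it, and only dsget’s ‘Directory object not found’ tells you otherwise.

```python
# Added example, not part of the original article: a small RFC 4514 DN parser
# plus a local syntax check to run before handing a DN to "dsget user".
# Names (parse_dn, check_dn, dsget_args, run_dsget) and sample DNs are constructed.
import re
import subprocess  # used only by run_dsget, which needs a domain-joined Windows host

# Attribute types from the RDN table in the article.
RDN_TYPES = {"DC", "CN", "OU", "O", "STREET", "L", "ST", "C", "UID"}

# Characters RFC 4514 says must be backslash-escaped when they appear in a value.
SPECIALS = set(',+"\\<>;=')
# Of those, the ones that may never appear unescaped inside a value
# ('+' is left alone because it legitimately separates multi-valued RDNs).
FORBIDDEN_UNESCAPED = set('"<>;')


def parse_dn(dn):
    """Split a DN string into an ordered list of (TYPE, value) pairs.

    Honours "\," style escapes and "\XX" hex escapes, so an escaped comma
    stays inside its value instead of starting a new RDN.  Raises ValueError
    on malformed input (an RDN without '=', a bad escape, a forbidden char).
    """
    rdns, attr, value, in_value, i = [], [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":                            # escape sequence
            nxt = dn[i + 1:i + 2]
            hexpair = dn[i + 1:i + 3]
            if nxt and (nxt in SPECIALS or nxt in " #"):
                (value if in_value else attr).append(nxt)
                i += 2
            elif re.fullmatch(r"[0-9A-Fa-f]{2}", hexpair):
                (value if in_value else attr).append(chr(int(hexpair, 16)))
                i += 3
            else:
                raise ValueError(f"bad escape sequence at offset {i}")
            continue
        if not in_value:                          # reading the attribute type
            if ch == "=":
                in_value = True
            elif ch == ",":
                raise ValueError(f"RDN {''.join(attr).strip()!r} has no '='")
            else:
                attr.append(ch)
        elif ch == ",":                           # unescaped comma ends the RDN
            rdns.append(("".join(attr).strip().upper(), "".join(value)))
            attr, value, in_value = [], [], False
        elif ch in FORBIDDEN_UNESCAPED:
            raise ValueError(f"unescaped {ch!r} in value at offset {i}")
        else:
            value.append(ch)
        i += 1
    if not in_value:
        raise ValueError(f"RDN {''.join(attr).strip()!r} has no '='")
    rdns.append(("".join(attr).strip().upper(), "".join(value)))
    return rdns


def check_dn(dn):
    """Return a list of local problems with the DN, or [] if it is well formed.

    Only syntax is checked here; whether the object exists is for the directory.
    """
    try:
        rdns = parse_dn(dn)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    for attr, value in rdns:
        if attr not in RDN_TYPES:
            problems.append(f"unknown attribute type {attr!r}")
        if value == "":
            problems.append(f"empty value for {attr}")
    return problems


def dsget_args(dn):
    """argv for the command from the article.  Passing a list to subprocess
    means the shell never re-parses the quotes around a DN containing spaces."""
    problems = check_dn(dn)
    if problems:
        raise ValueError("; ".join(problems))
    return ["dsget", "user", dn, "-effectivepso"]


def run_dsget(dn):
    """Run dsget for real; requires the AD DS tools on a domain-joined Windows host."""
    return subprocess.run(dsget_args(dn), capture_output=True, text=True).stdout


# Constructed sample DNs: the article's example, one with an escaped comma,
# the misspelt CN from the article (well formed, but names no object), and a
# malformed one whose second RDN is missing its '='.
GOOD_DN = "CN=Thom Bedford,CN=Users,DC=tcdev,DC=co,DC=uk"
ESCAPED_DN = r"CN=Bedford\, Thom,OU=Finance,DC=tcdev,DC=co,DC=uk"
MISSPELT_DN = "CN=Finance Usss,CN=Users,DC=tcdev,DC=co,DC=uk"
MALFORMED_DN = "CN=Finance User,Users,DC=tcdev,DC=co,DC=uk"

if __name__ == "__main__":
    for sample in (GOOD_DN, ESCAPED_DN, MISSPELT_DN, MALFORMED_DN):
        print(sample, "->", check_dn(sample) or "syntax ok")
```

Running the script prints “syntax ok” for the first three samples, including the misspelt ‘Finance Usss’ DN, and reports the missing ‘=’ for the last; that is exactly the split the article demonstrates, since the local check can only catch syntax, while “Directory object not found” comes from the directory itself.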
And that is all there is to it.