Mark Minasi's Windows Networking Tech Page
Issue #45 March 2005

To subscribe, visit http://www.minasi.com/nwsreg.htm. To unsubscribe, link to http://www.minasi.com/unsubs.htm. To change e-mail address, switch between HTML or text format, etc., link to http://www.minasi.com/edit-newsletter-record.htm.  Visit the Archives at http://www.minasi.com/archive.htm.  Please do NOT reply to this mail; for comments, please link to www.minasi.com/gethelp.  Document copyright 2005 Mark Minasi.

What's Inside

  • News: 
    • Active Directory and Security Seminars In Seattle In Two Weeks
  • Tech Section
    • Have You Ever Tried To Rename Someone in AD?
    • What's "Discretionary" about DACLs?
  • Conferences
  • Bring a Seminar to Your Site

News

This month, I pass along some things I've learned about user names in Active Directory.  As with many Microsoft technologies, AD's nice, but not always intuitive.  But first, a word from our sponsor...

I'm Coming To Iceland Next Week

My good friends at EJS have invited me to speak at their conference next week, March 14-18.  I'm going to do two days of hands-on advanced topics in Active Directory, server maintenance, and Windows security.  My good friend Steve Riley will be there also, sharing some of his in-depth knowledge of security.  Cisco, Trend, RSA, Sensa, Miracle, iSoft and IMG Radgjof will also be in attendance. For more info visit http://www.ejs.is/template2.asp?pageid=542&newsid=978; perhaps I'll see you there!

My Seminars are Coming to Seattle In Two Weeks

You West Coast folks wanted seminars this year.  The only one I'm planning to do takes place in two weeks!

Seminar: Securing Your Windows Desktops and Servers

Everyone wants to secure their network, but many don’t feel that they have the time. I find that a lot of people have a general idea about what they should be doing to secure their networks -- they've heard terms like SMB signing, null session, secure channel, LM hash, and so on -- but haven't the time to sift through the often-contradictory knowledge base articles and the welter of group policy settings, Registry hacks, patches and the like. In just one day, I go through what the big security issues mean and help attendees understand the exact step by step methods that you need to know to make your system more secure.

If you'd like to find out more, please visit www.minasi.com/secoutln.htm.

Running a 2003/2000-Based Active Directory

AD's great, but it can be a fragile flower if not built and maintained properly. Find out how to build, implement, maintain, and repair Active Directory at "Running a 2003/2000-Based Active Directory;" information at www.minasi.com/2003outln.htm .

Tech Section

Have You Ever Tried To Rename Someone in AD?

I recently had to rename a user on my AD.  Odd as it sounds, it was the first time that I needed to do that, and it was a bit more challenging than I expected.  So I took a look under the hood and here's what I found.

Let's say we've got a user named Jane T. Smith.  Jane gets married and is now Jane T. Jones and logically she'd like her AD account to reflect that.  So we go to Active Directory Users and Computers and pull up her Properties page.  There's a field in the ADUC General tab for "Last name," so we change "Smith" to "Jones" and click OK to close the Property page.

But the list of users in ADUC still shows "Jane T. Smith."  Zounds, we think, and re-open the Properties page.  We see that Jane has something called a "Display name," which ADUC clearly isn't smart enough to update when we change the last name.  So we change the display name from "Jane T. Smith" to "Jane T. Jones" and, again, close the property page for Jane Jones.

Only to find that she's still "Jane T. Smith" in the list of users in ADUC.  What's going on here, we wonder?  Some evil Microsoft bias against women marrying and taking their husband's last names?  Nah, just a complicated AD structure.  You see, your user account in AD has a number of fields relevant to your name.  You can directly control some of them from the GUI, others require more work.

When you first create a user account from ADUC, you get asked for the user's

  • First name (for example, "Jane")
  • Initials (e.g., "T")
  • Last name (e.g., "Smith")
  • Full name (e.g. "Jane T. Smith")
  • User logon name (e.g. "jsmith@bigfirm.com")
  • Pre-2000 logon name (e.g., "bigfirm\jsmith")

ADUC creates a user account and stores that data into the following AD attribute/field names:

  • First name is stored as "givenName"
  • Initials are stored as "initials"
  • Last name is stored as "sn," which is short for "surname"
  • Full name is stored as "name"
  • User logon name is stored as "userPrincipalName"
  • Pre-2000 logon name is stored as "sAMAccountName"

But AD has other names for you as well, and needs to assemble those.

  • "displayName" gets set to whatever's specified for "full name"
  • "cn" is "container name," and ADUC sets it equal to your full name
  • "canonicalName" is a name like "CN=JaneTSmith,cn=users,dc=bigfirm,dc=biz") and it's built out of your full name and the domain's name

Now we have all of the players.  Again, we want to change Jane T Smith's name to Jane T Jones.  We double-click on her in ADUC and get the Properties page for Jane T Smith and see fields for first name, initials, last name, and display name.  (There are also fields for description, telephone number, e-mail and Web page, but we'll ignore them.)  So we change not only the Last name field, but the Display name field so that she's now Jane T Jones.  We close the Properties page and ...

... she's still Jane T Smith.

If you've been reading carefully, you'll know why.  The Properties page does not include a field for the full name!  The full name is actually displayed in the upper left hand corner of the Properties page on the General tab, but there's no way to change it there.  So how to change the full name?  Simple:  close the Properties page and right-click on the Jane T Smith entry in the list of users, then choose Rename.  Changing a user's full name in ADUC automatically changes that user's entry in the ADUC list, their cn, their distinguishedName, and their canonicalName.  It doesn't automatically change the display name, although the Rename User dialog box that appears offers a field for it.

The bottom line is this:  if you have a user who's changed his or her last name, you must do several things to see the effects of that in Active Directory:

  • Right-click the account in ADUC and use the Rename option to change the full name.
  • You'll get a "Rename User" dialog box offering you the ability to change full name, first name, last name, display name, and the two logon names.  Change them as necessary.

To summarize, here's what's in a name in Active Directory.

AD attribute        Description                                   Example                                        How it gets set                   Where to change it
name                full name                                     Jane T Smith                                   ADUC user creation wizard         right-click user account in ADUC, choose Rename
givenName           first name                                    Jane                                           ADUC user creation wizard         edit general Properties of the user
initials            middle name or initials                       T                                              ADUC user creation wizard         edit general Properties of the user
sn                  last name or surname                          Smith                                          ADUC user creation wizard         edit general Properties of the user
sAMAccountName      old-style (pre-2000) logon name               bigfirm\jsmith                                 ADUC user creation wizard         edit Properties of the user in the Account tab
userPrincipalName   AD logon name                                 jsmith@bigfirm.com                             ADUC user creation wizard         edit Properties of the user in the Account tab
displayName         name shown by address books (for example      Jane T Smith                                   copied from full name at          edit general Properties of the user, or the
                    the Exchange GAL) and the logon screen;                                                      creation, then independent        Rename User dialog
                    unlike cn it need not be unique in a
                    container
cn                  common name (the relative distinguished       Jane T Smith                                   copied from full name             change full name
                    name; must be unique within its container)
distinguishedName   LDAP name of user account                     CN=Jane T Smith,CN=Users,DC=bigfirm,DC=com     built from full name              change full name
canonicalName       hierarchical name                             bigfirm.com/Users/Jane T Smith                 built from full name              change full name

Whew!  Leave it to Microsoft to make us once again ask the question "what's in a name?"  By the way, many of you probably know this, but changing a user's name does not affect any group memberships or permissions that the user has.  As far as AD's concerned, you aren't Jane Jones, you're S-1-5-21-98798-543782-11-1014; that is, your Security ID (SID) is what truly identifies you, and it's the SID that sits in group membership lists and in ACLs.  As far as AD's concerned, "Jane Jones" is nothing more than decoration on your account.  But anything that stored the name rather than the SID can run into trouble: scheduled tasks and services that run with saved credentials, batch files and utilities that authenticate as the old logon name, and paths that embed it.  If you also change the logon names, remember that Windows won't rename the user's profile folder (it finds the profile by SID, so the old folder name just stays), and the home directory and profile path attributes are plain strings that you'll have to fix yourself.
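Here's the whole procedure above done from the command line, as an added example rather than something from the original newsletter.  It uses the ActiveDirectory PowerShell module (Windows Server 2008 R2 and later, so not the 2005-era tooling the article describes); the logon names jsmith and jjones, the domain bigfirm.com and the function name are assumed sample values.  It sets the General-tab attributes, optionally the Account-tab logon names, performs the Rename that fixes cn, name, distinguishedName and canonicalName, and then checks that the SID and group memberships came through unchanged:

```powershell
# Added example (not from the newsletter): rename an AD user so every name
# attribute discussed in the article changes together, then prove that the
# SID and the group memberships did not.  Assumes the ActiveDirectory module
# and a domain called bigfirm.com; account names below are sample values.
Import-Module ActiveDirectory

function Rename-BigfirmUser {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,   # current pre-2000 logon name
        [Parameter(Mandatory)] [string] $NewSurname,
        [string] $NewSamAccountName,                        # omit to keep both logon names
        [string] $UpnSuffix = 'bigfirm.com'
    )

    $props = 'givenName','initials','sn','displayName','cn','canonicalName',
             'distinguishedName','userPrincipalName','objectSid','memberOf'
    $before = Get-ADUser -Identity $SamAccountName -Properties $props

    # Assemble the full name the way ADUC's creation wizard does: "Jane T. Jones"
    $initials = if ($before.initials) { " $($before.initials)." } else { '' }
    $fullName = "$($before.givenName)$initials $NewSurname"

    # 1. General-tab attributes.  displayName is the one ADUC won't fix for you.
    $set = @{ sn = $NewSurname; displayName = $fullName }

    # 2. Account-tab attributes, only if the caller asked for a new logon name
    if ($NewSamAccountName) {
        $set['sAMAccountName']    = $NewSamAccountName
        $set['userPrincipalName'] = "$NewSamAccountName@$UpnSuffix"
    }
    Set-ADUser -Identity $before.DistinguishedName -Replace $set

    # 3. The ADUC "Rename": changes the RDN, and with it cn, name,
    #    distinguishedName and canonicalName, in one operation.
    Rename-ADObject -Identity $before.DistinguishedName -NewName $fullName

    # Re-read by GUID; the DN we started with no longer exists
    $after = Get-ADUser -Identity $before.ObjectGUID -Properties $props

    # The SID is the identity; everything we touched above is decoration
    if ($after.objectSid.Value -ne $before.objectSid.Value) {
        throw 'SID changed during rename; something other than a rename happened'
    }
    $groupsBefore = ($before.memberOf | Sort-Object) -join ';'
    $groupsAfter  = ($after.memberOf  | Sort-Object) -join ';'

    [pscustomobject]@{
        OldDN           = $before.distinguishedName
        NewDN           = $after.distinguishedName
        CanonicalName   = $after.canonicalName
        DisplayName     = $after.displayName
        LogonName       = $after.userPrincipalName
        SID             = $after.objectSid.Value
        GroupsUnchanged = ($groupsBefore -eq $groupsAfter)
    }
}

# Jane T. Smith marries and becomes Jane T. Jones, with a matching new logon name
Rename-BigfirmUser -SamAccountName 'jsmith' -NewSurname 'Jones' -NewSamAccountName 'jjones'
```

Leave out -NewSamAccountName and the user keeps logging on as jsmith while showing up everywhere as Jane T. Jones, which is the lowest-risk way to do it when scripts or saved credentials still reference the old logon name.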

What's "Discretionary" about DACLs?

I got a really positive response to the discussion of SDDL, the Security Descriptor Definition Language, in last month's newsletter... thanks!  Several of you e-mailed me to answer a question that I posed in the text. 

The things that we call "ACLs," "access control lists," are the place that Windows stores permissions.  But, I noted last month, there are two kinds of ACLs in every security descriptor:  the ones that we see all the time, which are technically called "discretionary access control lists" or DACLs and hold the permission entries, and the kind that controls object auditing, which Microsoft calls "system ACLs" or SACLs.

I said that I had no idea what was "discretionary" about DACLs.  Some of you explained that the phrase comes from the old "Orange Book," the Trusted Computer System Evaluation Criteria (TCSEC), the thing that Microsoft had to adhere to in order to get something called a "C2 certification," something that they sought in the early days of NT.  In Orange Book terms, "discretionary" access control means that the owner of an object decides, at his or her discretion, who may use it, as opposed to "mandatory" access control, where the system enforces labels that no owner can override.  That's exactly how DACLs work: an object's owner can always read and rewrite its DACL, while the SACL belongs to the system's auditing policy and takes a privilege (Manage auditing and security log) to touch.  I vaguely recall that I knew that once ... many thanks for retelling me!
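To see the two lists side by side, here's an added example (not from the newsletter) that puts one permission entry and one audit entry on a scratch file and then splits the resulting SDDL string into its DACL ("D:") and SACL ("S:") parts.  It assumes an elevated PowerShell session, since reading or writing a SACL requires the Manage auditing and security log privilege; the principal used is simply the account running the script, and the file name is made up:

```powershell
# Added example (not from the newsletter): one permission ACE and one audit ACE
# on the same file land in two different lists of one security descriptor.
# Run elevated: Get-Acl -Audit / Set-Acl with a SACL need SeSecurityPrivilege.
$principal = "$env:USERDOMAIN\$env:USERNAME"          # any user or group works
$path      = Join-Path $env:TEMP 'acl-demo.txt'        # scratch file, made up name
Set-Content -Path $path -Value 'scratch'

$acl = Get-Acl -Path $path -Audit

# Permission ACE -> DACL.  The object's owner may add or remove these at will;
# that is the "discretionary" part.
$allow = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                    -ArgumentList $principal, 'Read', 'Allow'
$acl.AddAccessRule($allow)

# Audit ACE -> SACL.  Auditing is the system's policy, not the owner's choice,
# which is why it lives in the *system* ACL and needs a privilege to change.
$audit = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
                    -ArgumentList $principal, 'Delete', 'Failure'
$acl.AddAuditRule($audit)

Set-Acl -Path $path -AclObject $acl

# Pull the two lists back out of the SDDL string: O:owner G:group D:dacl S:sacl
$sddl = (Get-Acl -Path $path -Audit).Sddl
if ($sddl -match 'D:(?<dacl>.*?)(S:(?<sacl>.*))?$') {
    "Full SDDL:          $sddl"
    "DACL (permissions): $($Matches['dacl'])"
    "SACL (auditing):    $($Matches['sacl'])"
}

Remove-Item -Path $path
```

The new "(A;;FR;;;S-1-5-21-...)" entry shows up after D:, the "(AU;FA;SD;;;S-1-5-21-...)" entry after S:; run the same script from a non-elevated prompt and Get-Acl -Audit fails on the SACL while the DACL half still works, which is the owner/system split in action.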

Conferences

Join me at ...

EJS's Tech Conference in Reykjavik: see above for details.  Icelanders, come on down!  And the rest of you, join us anyway, Iceland's a cool place.

Techmentor Spring 2005:  101 Communications's semi-annual geekfest comes to Orlando this spring.  I'm doing a keynote and a techie talk on Windows' SMTP service.  The fun starts on Monday, April 4th!  Info at www.techmentorevents.com.

Windows Connections Spring 2005:  my magazine's twice-per-year tech-o-rama starts a couple of weeks after Techmentor, on 17 April in San Francisco!  Our new program chair, Amy Eisenberg, has put on a pretty neat schedule ... but heck, don't believe me, check it out yourself.  Info at www.winconnections.com.

Bring Mark to your site to teach

I'm keeping busy doing Active Directory and Security seminars and writing, but I've still got time to visit your firm.  In just two days, I'll make your current NT techies into 2000, XP, Active Directory and 2003 experts.  (And better yet they won't have to sit through any Redmondian propaganda.)  To join the large educational, pharmaceutical, agricultural, aerospace, utility, banking, government, telecommunication, law enforcement, publishing, transportation, and other organizations that I've assisted, either take a peek at the course outlines at www.minasi.com/presentations.htm, mail our assistant Jean Snead at Assistant@Minasi.com, or call her at (757) 426-1431 (only between noon-5 Eastern time, weekdays, please).

Until Next Month...

Have a quiet and safe month. 

Please share this newsletter; I'd like very much to expand this periodical into a useful source of NT/2000/2003/XP information.  Please forward it to any associates who might find it helpful, and accept my thanks.  We are now at over 36,000 subscribers and I hope to use this to get information to every single Mastering 2003, XP, NT and 2000 Server reader. Thanks for letting me visit with you, and take care.  Many, many thanks to the readers who have mailed me to offer suggestions, errata, and those kind reviews.  As always, I'm at http://www.minasi.com/gethelp and please join us at the Forum with technical questions at www.minasi.com/forum


All contents copyright 2005 Mark Minasi. You are encouraged to quote this material, SO LONG as you include this entire document; thanks.