Display name for users in Active Directory

A while ago I was visiting a customer who had a strange problem related to Active Directory groups. In group memberships they could only see usernames instead of the full user name (display name). This was the first time I had seen this problem, as normally it does not occur in an Active Directory domain used in normal production.

However, this situation was causing problems: as a support technician you had to know the usernames in order to work with them and to manage groups. The environment was originally set up as an NT 4 domain and has since been upgraded to the newest version of Active Directory Domain Services (AD DS). Currently the domain functional level and the forest functional level are both at 2016.

This company was also using a naming standard for usernames consisting of a 3-character prefix followed by a 4-5 character code based on a combination of the user's first name and surname. A typical username looked like

COMVYCI

which consists of “COM”, i.e. the prefix, and VYCI, the combination of the user's first name and surname. So how does this look in Active Directory DS?

User details before update

As you can see, the first and last names have been defined, and the display name has been defined too. However, when you manage a group you only get the usernames.

User display names not showing in groups

You can see that the problem applies to usernames starting with “COM”. When I started analyzing the problem, I must admit that I did a quick Google search and then a Bing search, but neither provided a good match for the problem at hand. So much for a quick fix; time to put the troubleshooting hat on!

Name attribute and full name

I noticed that the name attribute is not the same as the display name. The next step was to identify the “name” attribute on the user properties page in Active Directory Users and Computers. As you can see, this attribute is not editable.

Non-editable name attribute

So the search continued, and the “cn” (Common Name) attribute was identified as a potential candidate for change. However, it is not possible to edit this field manually. If you try to edit it manually you get an error message stating that the object is owned by the system; more specifically, you get “Operation failed. Error code: 0x20b1”.

Error manually editing Cn attribute Error code: 0x20b1

So the CN field had to be updated with PowerShell; at least it was worth a try. After running a PowerShell script the CN field was successfully updated, with no more 0x20b1 errors. This led to the result we set out to achieve at the start of the troubleshooting session, i.e. showing the users' full names instead of just usernames in the Active Directory Users and Computers management console.

Updated users after script execution

This in turn meant that group memberships were now shown as the user's full name rather than just the username.

Updated group membership view

In order to update the name attribute in Active Directory Domain Services, the Common Name (CN) attribute must be updated. No other fields need to be changed, as updating the CN updates the other relevant attributes. An attempt to update the CN manually causes error 0x20b1.
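Before renaming anything it is worth knowing how many accounts are affected and which of them cannot be renamed because they have no display name at all. The following audit query is an added example, not part of the original post or its script; it assumes the RSAT ActiveDirectory module is installed and uses a placeholder SearchBase that you must replace with your own OU. The Name property returned by Get-ADUser is the "name" attribute (the CN), which is what group membership lists show.

```powershell
# Added example, not from the original post: list users whose CN ("Name")
# differs from DisplayName, i.e. the accounts that appear as bare usernames in
# group membership. Assumes the RSAT ActiveDirectory module; the SearchBase is
# a placeholder, replace it with the OU you want to audit.
$searchBase = "OU=Users,DC=example,DC=com"

Get-ADUser -SearchBase $searchBase -SearchScope Subtree -Filter * -Properties DisplayName |
    ForEach-Object {
        # Classify each account before deciding what a rename script should do with it
        if ([string]::IsNullOrWhiteSpace($_.DisplayName)) {
            $status = 'NoDisplayName'   # a rename to an empty name would fail; fix the user first
        }
        elseif ($_.Name -eq $_.DisplayName) {
            $status = 'OK'              # CN already equals the display name (AD compares case-insensitively)
        }
        else {
            $status = 'NeedsRename'
        }

        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            Name           = $_.Name          # the CN, shown in group membership
            DisplayName    = $_.DisplayName
            Status         = $status
        }
    } |
    Where-Object Status -ne 'OK' |
    Sort-Object Status, Name |
    Format-Table -AutoSize
```

Run it once before and once after the rename: the first run gives you the list of accounts to change, the second should come back with no NeedsRename rows.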

The order in which the steps are taken determines whether the attempt succeeds or fails, so make sure to perform the actions in the right order.

The PowerShell script that was used to perform the update is as follows.

Username update Powershell script

Please remember to adapt the script to your environment before use, and test it before running it for real. I ALWAYS display the information with Write-Host before actually performing any updates!

#Change cn from Company ID

# Only direct children of the OU are processed (SearchScope OneLevel); adjust the SearchBase to your environment.
# Only DisplayName is needed, so there is no reason to pull every attribute with -Properties *.
$users = Get-ADUser -SearchScope OneLevel -SearchBase "OU=zeglory.com,OU=test,DC=zeglory,DC=com" -Filter * -Properties DisplayName

foreach ($user in $users)
{
        # The first RDN of the distinguished name is the CN, e.g. "CN=COMVYCI"
        $rdn = $user.DistinguishedName.Split(",")[0]
        $displayName = $user.DisplayName

        # Only rename the accounts that follow the "COM" naming standard
        if ($rdn -match "^CN=COM")
        {
                # A user without a display name cannot be renamed to it; skip instead of failing
                if ([string]::IsNullOrWhiteSpace($displayName)) { continue }

                # Rename-ADObject changes the CN (the "name" attribute); the rest of the DN is unchanged
                #Write-Host "Rename-ADObject $($user.DistinguishedName) -NewName $displayName"
                Rename-ADObject -Identity $user.DistinguishedName -NewName $displayName
        }
}

You can simply remove the if statement if you want to update the name attribute for all users in a specific OU or in the entire Active Directory DS environment. If you have any questions or comments, feel free to leave a comment.
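The script above relies on commenting Write-Host in and out to switch between preview and live mode. A version that uses PowerShell's built-in -WhatIf support and checks for CN collisions first (two users with the same display name in the same OU would otherwise make the second rename fail) is shown below. This is an added example and not the post's script; it assumes the RSAT ActiveDirectory module, and the function name, OU and prefix are placeholders of my own.

```powershell
# Added example, not the post's script: rename CN to DisplayName with a dry-run
# mode and pre-flight checks. Assumes the RSAT ActiveDirectory module; the
# function name, SearchBase and prefix are placeholders.
function Rename-UserCnToDisplayName {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,   # e.g. "OU=Users,DC=example,DC=com" (placeholder)
        [string] $CnPrefix = 'COM'                     # only rename CNs starting with this prefix
    )

    $users = Get-ADUser -SearchBase $SearchBase -SearchScope OneLevel -Filter * -Properties DisplayName

    # Names already present in the container; a rename must never collide with one of them.
    # AD compares CNs case-insensitively, so the set does too.
    $existingNames = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    foreach ($u in $users) { [void]$existingNames.Add($u.Name) }

    foreach ($user in $users) {
        if ($user.Name -notlike "$CnPrefix*") { continue }      # outside the naming standard
        $newName = $user.DisplayName

        if ([string]::IsNullOrWhiteSpace($newName)) {
            Write-Warning "$($user.SamAccountName): no DisplayName, skipping"
            continue
        }
        if ($newName -eq $user.Name) { continue }               # already correct
        if ($existingNames.Contains($newName)) {
            Write-Warning "$($user.SamAccountName): '$newName' already exists in $SearchBase, skipping"
            continue
        }

        # With -WhatIf, ShouldProcess prints a "What if:" line and returns $false,
        # so Rename-ADObject is never called during a dry run.
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Rename CN to '$newName'")) {
            Rename-ADObject -Identity $user.DistinguishedName -NewName $newName
        }

        # Track the new name even in a dry run so a later duplicate is reported as a collision
        [void]$existingNames.Remove($user.Name)
        [void]$existingNames.Add($newName)

        # Emit a record of what was (or would be) changed
        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            OldName        = $user.Name
            NewName        = $newName
        }
    }
}

# Dry run first, then the real run once the output looks right:
# Rename-UserCnToDisplayName -SearchBase "OU=Users,DC=example,DC=com" -WhatIf
# Rename-UserCnToDisplayName -SearchBase "OU=Users,DC=example,DC=com"
```

Because the function declares SupportsShouldProcess, -WhatIf and -Confirm work the same way they do on Rename-ADObject itself, and the returned objects can be piped to Export-Csv to keep a record of the old and new names for each account.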
