Active Directory Distinguished Names

Active Directory functions mainly through the use of a protocol referred to as LDAP, the Lightweight Directory Access Protocol. An open and defined standard for accessing directories, LDAP provides the mechanism for updating information, querying, and defining objects in the directory. For example, every object in Active Directory is represented by what is called an LDAP distinguished name. This name uniquely identifies the object within the entire directory. For example, the distinguished name for a user account object named Dan DiNicolo that exists in the Information Technology organizational unit in the domain would be:

CN=Dan DiNicolo, OU=Information Technology, DC=2000trainers, DC=com

An LDAP distinguished name is made up of three main elements

  • CN – Common Name, the name of the object within Active Directory.
  • OU – Organizational Unit, the name of the Organizational Unit within Active Directory. Note that built-in containers, such as Users, would use CN= instead of OU= in an LDAP distinguished name.
  • DC – Domain Component, the DNS domain name in which the object exists, represented one domain level at a time, starting with lower-level domains and ending with top-level domains.

Another two quick examples:

CN=John Doe, CN=Users, DC=domain, DC=com would represent a user object named John Doe whose account exists in the Users built-in container in a domain named

CN=Jane Doe, OU=Sales, OU=Toronto, DC=canada, DC=company, DC=net would represent a user object name Jane Doe, whose account exists in an OU called Sales, which is a sub-OU of an OU named Toronto, which is in a domain named

Another way of defining objects within Active Directory is via the object’s relative distinguished name. Quite simply, a relative distinguished name is just a shorter way of describing an object based on where we are focused. For example, if I were looking in the OU called Sales, which is a sub OU of the OU Toronto, in the domain, I could say that the relative distinguished name of the object I previously described is CN=Jane Doe.

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions. Click here to contact Dan.