Unique name requirement in Active Directory OUs?

It seems that in my Active Directory (win2k8r2), there is a restriction on the name of a user. NOT the username, but the display name. I tried adding two users with the same name (different accounts), but it wouldn't let me because of the duplicate name.

If I try the same across two OUs, it does work.

Is there a way to switch off this restriction? I've got two users who belong to the same OU and happen to have the exact same display name.


In AD, the CN (initially derived from Display Name when an account is created) must be unique within the same OU. The reason is that the DistinguishedName value must be unique, and the DistinguishedName is composed of the domain\ou(s)\CN, so if the domain is the same and the OU is the same, the CN must be different. When you first create a user in AD, the First and Last name are combined to form the CN and the displayName attributes (Last, First), but these can be changed after creation, as in the example below.

Example workaround:

If you have two users with the same name that need to go in the same OU, you would do the following.

  1. Create the first user Joe Smith (DN will be yourdomain.com\Accounting\"Smith, Joe")
  2. Rename "Smith, Joe" to something like "Smith, Joe L" (DN will be yourdomain.com\Accounting\"Smith, Joe L.")
  3. Create the second user Joe Smith (DN will be yourdomain.com\Accounting\"Smith, Joe")
  4. At this point you can let the second Joe Smith stay "Smith, Joe" or you can change it like in step 2.

This is fundamental LDAP behavior - not just AD. The DN is the unique identifier - kind of similar to a URL.

If it didn't work this way, then when you searched for (dn=mydomain.com\Users\Accounting\Smith, Joe) you would get back two user objects, assuming you had two Joe Smith users in the Accounting OU.

To avoid this problem, some organizations will sometimes use an employee ID as the CN, which is always unique. This doesn't affect the user's name, which is derived from the sn and givenName attributes.
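
The workaround and the employee-ID variant described in the answer above, as an added PowerShell example that is not part of the original answer. It assumes the ActiveDirectory module is available; the OU path, sAMAccountName values and employee IDs are constructed placeholders.

```powershell
# Assumptions (not from the original post): the OU DN, the sAMAccountName
# values and the employee IDs below are constructed placeholders.
Import-Module ActiveDirectory

$ou = 'OU=Accounting,DC=yourdomain,DC=com'

# -Name sets the CN, the RDN that must be unique within $ou.
# -DisplayName is an ordinary attribute with no uniqueness constraint.
$common = @{
    GivenName   = 'Joe'
    Surname     = 'Smith'
    DisplayName = 'Smith, Joe'
    Path        = $ou
}

# First user: CN disambiguated with a middle initial.
# No -AccountPassword is supplied, so the accounts are created disabled.
New-ADUser @common -Name 'Smith, Joe L' -SamAccountName 'jsmith' -EmployeeID '10482'

# Second user: same displayName, different CN, so the DN is still unique.
New-ADUser @common -Name 'Smith, Joe' -SamAccountName 'jsmith2' -EmployeeID '10977'

# Variant from the last paragraph: use the employee ID as the CN.
# Passing the user object avoids hand-writing a DN whose comma must be
# escaped (CN=Smith\, Joe,OU=Accounting,...).
Get-ADUser -Identity 'jsmith2' -Properties EmployeeID |
    ForEach-Object { Rename-ADObject -Identity $_ -NewName $_.EmployeeID }

# Verify: direct children of the OU that share a displayName, listed with
# the attributes that actually distinguish them.
Get-ADUser -Filter * -SearchBase $ou -SearchScope OneLevel -Properties DisplayName |
    Group-Object DisplayName |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object { $_.Group | Select-Object DisplayName, SamAccountName, DistinguishedName }
```

Because displayName can repeat within an OU, access reviews and audit queries should key on sAMAccountName, distinguishedName or objectSid rather than on the display name.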