ad integration

Getting the LDAP distinguished name for an AD user

Sometimes when I’m integrating Macs (and other systems) with Active Directory they ask for the full LDAP distinguished name of the user I’m using to authenticate. This is the user name in the traditional LDAP format:

cn=username,ou=something,DC=amsys,DC=com (for example).

In some cases, if it’s a fairly vanilla and small AD install you can take an educated guess from the domain name and the name of the user. In other cases, if the AD structure is quite complex you need to know exactly what it is. Here is my quick method for grabbing the information.

Using a Windows computer (doesn’t matter whether it is a server or a client), open the Computer Management Console by select Start > Run, typing computermgmt.msc and hitting return.

computer management console ad integration

Expand Users & Groups, select groups and open the properties screen for one of the groups.

In the Properties window, click Add.

expand users and groups

In the Select Users window, click Advanced.

In the Select Users window, search for the admin user name and select to show the X500 name in the attributes to display (which is the full distinguished name).

That’s it. The search will return the full distinguished name.

Leave a Reply

Your email address will not be published. Required fields are marked *