
September 22, 2016 at 8:13 pm

Hi all,

I'm trying to come up with a script that I can select an OU and rename each user account so the "Name" field matches the Display name. The display name has been changed to format Last, First MI. The name in ADUC is still First Last MI and I understand that's actually the CN and I would have to rename each of those accts. Just not sure the best way to script that out. Any help would be appreciated.

September 22, 2016 at 8:16 pm

So... do be aware that changing the CN can have some significant impact on authentication. Make very sure this is what you want to do. This can even impact what users have to log on as.

You would probably start with Get-ADUser, specifying a -SearchBase of your OU. Then, for each user object returned, you can use Set-ADUser to modify the object in whatever way you want.

But the canonical name is a _big deal_. Again, make very sure you understand the impact and consequences, and how CN relates to samAccountName, and how it's all used by authentication throughout your environment. Anything with a dependency on the old CN will break, badly, and you might not be aware of all the things that have a dependency on the CN.

September 22, 2016 at 8:26 pm

Right, I'm a little worried about doing this, to be honest. A few years ago, someone had renamed all users, including their CN, to First Last MI, and we purchased another company and they are Last, First MI, so now they want all users with the same format as the company that was purchased. I want to do it on a per-OU basis and have users do some extensive testing for their applications.

How would I write the script to get the display name for each user in the OU and rename each with the display name? That's what I'm struggling to figure out.

September 22, 2016 at 8:42 pm

Well, short of writing the script for you...

Get-ADUser -Filter * -SearchBase "whatever" -Properties * |
    ForEach-Object {
        # $_ represents the user, $_.DisplayName would be the present DisplayName
        $_ | Set-ADUser -Parameter value -Parameter value
    }

But you're going to have to reformat the DisplayName, which is a string, into CN format. That's String manipulation. The System.String class has a lot of methods for splitting the string, extracting pieces of it, and so on – but yes, this is the hard part. It'd be easier if you took a whack at it, ran into a problem, and then asked about that problem (on a new thread). It's a bit easier to help when there's a concrete example in front of us, and when you've got a starting point.

September 22, 2016 at 8:47 pm

Ok, thanks so much

September 23, 2016 at 2:04 pm

TEST TEST TEST... Years ago, using Quest, I managed to change 7000 users' display names to '$_.displayname'. It made talking to people on Lync a little difficult. =D

September 25, 2016 at 9:56 am

I will reiterate the D*ns' posts with regard to testing. Most applications that are decently integrated with AD should be OK but I imagine an application that may use the distinguishedname to identify users in AD but it doesn't update the dn if it changes. This is where you'll encounter errors with applications.

Rename-ADObject however would be more appropriate than Set-ADUser in this case. Don's example should be fine but use Rename-ADObject rather than Set-ADUser. Have a look at the documentation for Rename-ADObject and test before running in production.
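
One way to put the thread's advice together, as an added example that is not from any of the posters: a dry-run-first script that plans the renames for one OU, records the old names for rollback, and then calls Rename-ADObject. The OU path, the CSV path and the `$Apply` switch are assumptions chosen for illustration.

```powershell
# Added example, not from the thread. OU path and log path are placeholders.
Import-Module ActiveDirectory

$SearchBase = 'OU=Pilot,DC=example,DC=com'   # placeholder: the OU under test
$LogPath    = '.\cn-rename-plan.csv'         # hypothetical path for the rollback record
$Apply      = $false                         # $false = dry run (-WhatIf); $true = rename

# OneLevel keeps every object under the same parent, so name collisions can be
# checked against a single list of sibling names.
$users    = Get-ADUser   -Filter * -SearchBase $SearchBase -SearchScope OneLevel -Properties DisplayName
$siblings = Get-ADObject -Filter * -SearchBase $SearchBase -SearchScope OneLevel

$plan = foreach ($u in $users) {
    $new   = "$($u.DisplayName)".Trim()      # empty string when DisplayName is not set
    $clash = $siblings | Where-Object { $_.Name -eq $new -and $_.ObjectGUID -ne $u.ObjectGUID }
    if     (-not $new)          { $status = 'Skip: empty DisplayName' }
    elseif ($new -ceq $u.Name)  { $status = 'Skip: Name already matches' }
    elseif ($new.Length -gt 64) { $status = 'Skip: exceeds 64-character CN limit' }
    elseif ($clash)             { $status = 'Skip: sibling object already uses this name' }
    else                        { $status = 'Rename' }
    [pscustomobject]@{
        ObjectGuid     = $u.ObjectGUID
        SamAccountName = $u.SamAccountName
        OldName        = $u.Name
        NewName        = $new
        OldDN          = $u.DistinguishedName
        Status         = $status
    }
}

# Two users sharing one DisplayName cannot both take it as their CN.
$plan | Where-Object Status -eq 'Rename' | Group-Object NewName | Where-Object Count -gt 1 |
    ForEach-Object { $_.Group | ForEach-Object { $_.Status = 'Skip: duplicate DisplayName in OU' } }

# Write the record before touching anything: OldName and OldDN are what a rollback needs.
$plan | Export-Csv -Path $LogPath -NoTypeInformation -Encoding UTF8

foreach ($row in $plan | Where-Object Status -eq 'Rename') {
    # Identity is the GUID, which does not change when the object is renamed.
    Rename-ADObject -Identity $row.ObjectGuid -NewName $row.NewName -WhatIf:(-not $Apply)
}
$plan | Group-Object Status | Select-Object Count, Name
```

The CSV doubles as the rollback record: passing each OldName back to Rename-ADObject by ObjectGuid restores the previous CN. The OldDN column gives application owners the exact strings to search for when testing for dependencies on the distinguished name.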