I receive a lot of emails with questions and I am slowly catching up to those questions (yes I have emails from December I still haven’t processed…). One of the questions was about an attribute most people don’t really seem to know about – canonicalName.
What is canonicalName you ask? It is like a Distinguished Name only it is great for sorting purposes, so if you, say, want to pull AD info into Excel or something else that does standard sorting for you, using canonicalName can really help… For instance…
Here is a DN
CN=$jricha34,CN=Users,DC=joe,DC=com
The canonicalName for the object is
joe.com/Users/$jricha34
The only part that doesn’t fully lend itself nicely to sorting is the domain portion of the canonicalName.
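Because the canonicalName is derived from the DN, it can also be rebuilt on the client from DNs you already have, and the domain portion can be given a friendlier sort order. The following Python is an added example, not part of the original post or of AdFind; the function names are hypothetical, and the backslash-escaping of "/" and "\" inside a component and the reversed-label sort key are assumptions of this example. Multi-valued RDNs (joined with "+") are not handled.

```python
import re

def split_dn(dn):
    # Split on commas that are not backslash-escaped
    return [p.lstrip() for p in re.findall(r"(?:\\.|[^,])+", dn, flags=re.S)]

def unescape(value):
    # RFC 4514 escaping: \XX is one hex-encoded byte, \c is the literal character c
    tokens = re.findall(r"\\([0-9A-Fa-f]{2})|\\?(.)", value, flags=re.S)
    raw = b"".join(bytes([int(h, 16)]) if h else c.encode() for h, c in tokens)
    return raw.decode("utf-8")

def dn_to_canonical(dn):
    rdns = [r.partition("=") for r in split_dn(dn)]
    n = len(rdns)
    while n and rdns[n - 1][0].strip().upper() == "DC":
        n -= 1                      # only the trailing run of DC= names the domain
    domain = ".".join(unescape(v) for _, _, v in rdns[n:])
    # Assumption: "\" and "/" inside a component are backslash-escaped
    path = [unescape(v).replace("\\", "\\\\").replace("/", "\\/")
            for _, _, v in reversed(rdns[:n])]
    return domain + "/" + "/".join(path)

def sort_key(canonical):
    # Compare domains label by label from the right (com, joe, child), then the path
    domain, _, path = canonical.partition("/")
    return (domain.lower().split(".")[::-1], path.lower())

# Constructed sample DNs; only the first one comes from the post
SAMPLE = [
    "CN=$jricha34,CN=Users,DC=joe,DC=com",
    "CN=Smith\\, John,OU=Sales,DC=child,DC=joe,DC=com",
    "DC=host1,DC=zone1,CN=MicrosoftDNS,CN=System,DC=joe,DC=com",
    "CN=Admin,CN=Users,DC=alpha,DC=net",
]

if __name__ == "__main__":
    for name in sorted(map(dn_to_canonical, SAMPLE), key=sort_key):
        print(name)
```

With the reversed-label key, joe.com and child.joe.com objects end up next to each other instead of being separated by every domain that sorts between "c" and "j".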
The canonicalName is not normally returned with the default attribute set for an object because the attribute is constructed and constructed attributes have overhead associated with them that MSFT tries to avoid if possible.
How do we know it is constructed? Because the Schema tells us so…
F:\>adfind -sc s:canonicalname systemflags
AdFind V01.35.00cpp Joe Richards (joe@joeware.net) January 2007
Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003
Base DN: CN=Schema,CN=Configuration,DC=joe,DC=com
dn:CN=Canonical-Name,CN=Schema,CN=Configuration,DC=joe,DC=com
>systemFlags: 134217748 [CONSTRUCTED(4);CAT-1(16);NO-RENAME(134217728)]
1 Objects returned
How do you get that attribute? You ask for it by name. So if you just want that attribute, you do something like
F:\>adfind -default -f name=$jricha34 canonicalname
AdFind V01.35.00cpp Joe Richards (joe@joeware.net) January 2007
Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003
Base DN: DC=joe,DC=com
dn:CN=$jricha34,CN=Users,DC=joe,DC=com
>canonicalName: joe.com/Users/$jricha34
1 Objects returned
If you want to get the canonicalName in addition to the normal default attributes that are returned and you are using AdFind, simply specify * and canonicalName as attributes like so
adfind -default -f name=someobject * canonicalname
This tells AdFind to return the default (star) attribute set as well as the canonicalName.
As you have read elsewhere, because the attribute is constructed you cannot query for it; it can only be returned from another query. Unlike what you may have read in some places, constructed doesn’t mean you have to use a base level query. There are a couple of constructed attributes that require that, but the vast majority of them don’t.
Oh do you want to get a list of all constructed attributes in your Schema? There is a very simple AdFind command to do so… the shortcut constructedl:
F:\>adfind -sc constructedl
allowedAttributes
allowedAttributesEffective
allowedChildClasses
allowedChildClassesEffective
aNR
attributeTypes
canonicalName
createTimeStamp
dITContentRules
entryTTL
extendedAttributeInfo
extendedClassInfo
fromEntry
modifyTimeStamp
msDS-Approx-Immed-Subordinates
msDS-Auxiliary-Classes
msDS-KeyVersionNumber
msDS-NCReplCursors
msDS-NCReplInboundNeighbors
msDS-NCReplOutboundNeighbors
msDS-QuotaEffective
msDS-QuotaUsed
msDS-ReplAttributeMetaData
msDS-ReplValueMetaData
msDS-TopQuotaUsage
msDS-User-Account-Control-Computed
objectClasses
parentGUID
possibleInferiors
primaryGroupToken
sDRightsEffective
structuralObjectClass
subSchemaSubEntry
tokenGroups
tokenGroupsGlobalAndUniversal
tokenGroupsNoGCAcceptable
After I responded to that question I received the following email from the user which made me smile.
wow! ADFind r00lz. We have a fancy GUI tool for reports (Quest Reporter), and this was the last reason I still used it for AD (outputting canonical names). ADFind is much faster and more flexible (and free!).
I enjoyed the ScriptLogic discussion the other week–very informative.
Thanks again, joe!
I am not positive all that Quest Reporter does but I am sure there are some benefits it has over AdFind, just not for everyone. 🙂
joe
Make it so you can pipe adfind to SQL Reporting Services and I think you’ll be able to have joe reporter