Retrieve DN in Active Directory

To correctly configure an LDAP connection or automated access, you need the Distinguished Name (DN) of a user, group, or organizational unit (OU).

The DN can be retrieved via the Active Directory Users and Computers (ADUC) console or alternatively using a PowerShell command.

Prerequisites

• Active Directory Users and Computers (console: dsa.msc)
• Local AD access with sufficient permissions

Retrieve DN via ADUC

1. Open the Active Directory Users and Computers (ADUC) console:

• • Press Windows + R, enter dsa.msc, and confirm with OK.
    • Alternatively: Search in the Start menu for "Active Directory Users and Computers" or open the command prompt (cmd)

2. Enable advanced features to display all attributes:

• • Click on the "View" menu at the top.
    • Enable the option Advanced Features. Without this setting, the "Attribute Editor" tab will not be visible.

3. Select the object

• • In the left column, navigate to the desired OU or container.
    • Select the target object (e.g., a user or group) by clicking on it.

4. Open properties

• • Right-click on the object.
    • Select Properties from the context menu.

5. Open the Attribute Editor

• • In the Properties window, switch to the "Attribute Editor" tab.
    • Scroll down to the entry “distinguishedName”.

6. Copy the DN

• • Double-click on the distinguishedName entry.
    • Select the entire value and right-click to Copy. Example DN: CN=JohnDoe,OU=Employees,DC=company,DC=local

Note if the tab is missing

The "Attribute Editor" tab is only displayed if:

• "Advanced Features" are enabled (see step 2), and
• a valid object has been selected.

For empty OUs or unsupported containers, the tab remains hidden.

 

2. Retrieve DN via PowerShell

Retrieve the DN of a user with the following PowerShell command:

`(Get-ADUser -Identity '<username>').DistinguishedName`

Replace <username> with the login name of the user.

Prerequisite: The Active Directory PowerShell module must be installed and imported.