Changing the Naming Attribute of the InetOrgPerson Class (307998)


The information in this article applies to:

  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Small Business Server 2003, Premium Edition
  • Microsoft Windows Small Business Server 2003, Standard Edition
This article was previously published under Q307998

SUMMARY

Every object in Active Directory is an instance of an object class that is defined in the Active Directory schema. An object class represents a category of objects, such as users, printers, or application programs, that share a set of common characteristics. The definition for each object class contains a list of the attributes that can be used to describe instances of the class.

The InetOrgPerson object class is a general purpose object class that defines attributes about people in Lightweight Directory Access Protocol (LDAP) and X.500 directories.

Every object in Active Directory has a naming attribute from which its relative distinguished name (RDN) is formed. The naming attribute for most class-schema objects is common-name. The value that is assigned to a common-name attribute is determined by the value that the class-schema will have as its relative distinguished name.

In Active Directory, CN is used as the naming attribute for the InetOrgPerson class. Other LDAP directories, such as IPLANET, implement a different attribute, such as "Employee ID", to define the CN name of an InetOrgPerson object. This document shows as an example how administrators can use the "Employee ID" attribute to change the naming attribute for the InetOrgPerson class.

If you modify the relative distinguished name attribute of any class from its standard definition, this may make it incompatible with applications and cause problems in migration scenarios. Microsoft recommends that if you do change the RDN attribute for application compatibility, you do so in an application-specific forest to avoid compatibility problems with other applications.

Once the relative distinguished name attribute for a class is changed, all new instances of the class will use the new relative distinguished name attribute. The relative distinguished name attribute for previous instances will not change and cannot be changed. To change the relative distinguished name attribute for existing objects, you must perform the following tasks:
  1. Export the existing objects.
  2. Delete the existing objects from the directory.
  3. Redefine the class with the new relative distinguished name attribute.
  4. Modify the exported version to use the new relative distinguished name attribute.
  5. Import the data back into the directory.
This method may not be acceptable for user objects because the security identifiers (SIDs) and passwords cannot be preserved.

Microsoft recommends that administrators not modify the relative distinguished name attribute in the schema.

MORE INFORMATION

Windows Server 2003 domain controllers permit administrators to defunct an attribute or class schema definition and later redefine it with different properties.

The following steps provide an overview to defunct an object and change the definition of the RDN attribute for an object class.
  1. Use Active Directory Domains and Trusts tool to raise forest and domain functionality to Windows Server 2003 mode. To do so:
    1. Open Active Directory Domains and Trusts.
    2. In the left pane, right-click the domain that you want to raise, and then click Raise Domain Functional Level.
    3. In the Select an available domain functional level list, click Windows Server 2003, and then click Raise.
    4. Click OK, and then click OK.
    5. Right-click Active Directory Domains and Trusts, and then click Raise Forest Functional Level.
    6. In the Select an available forest functional level list, click Windows Server 2003, and then click Raise.
    7. Click OK, and then click OK.
  2. The RDN attribute for a class cannot be changed after the class has been defined unless system protection flags are removed and the class is made defunct.

    Confirm that bit 4 of the SystemFlags attribute for InetOrgPersonClass is set to 0 (default).
  3. Using LDP.exe or the equivalent, set the isDefunct attribute of the InetOrgPerson ClassSchema object to True. While a class or attribute is disabled, new instances of the class or attribute can no longer be created.
  4. After it becomes defunct, redefine the class with the same properties and a new naming attribute ID. The new naming attribute may be referenced by its OID or ldapDisplayName. For example, either of the following syntaxes is acceptable to refer to an attribute (UID in this case):
    • rdnAttID: UID
    • rdnAttID: 0.9.2342.19200300.100.1.1
  5. Import the new definition of InetOrgPerson with the desired naming attribute.

    The following sample LDIF file definition "defuncts" the InetOrgPerson class (step 3), renames the class to InetOrgpersonOld, redefines the class using "Employee ID" as the naming attribute (step 4), and imports the new definition of InetOrgPerson (step 5). To run this script, copy the following text between the words, "START CUT HERE", and "END CUT HERE" to Notepad.exe, and then save it as RDN.LDF. Execute the script with the sample syntax from an NT command prompt on the Windows Server 2003 Schema flexible single-master operations (FSMO) while logged on as a member of the schema Administrators group:

    ldifde /i /f ldif file /c "DC=X" "Fully qualified domain name"

    To run the script against a Windows Server 2003 forest MYDOMAIN.COM, the syntax would be:

    ldifde /i /f rdn.ldf /c "DC=X" "dc=mydomain,dc=com" (Where "DC=X" is a constant) 

    START CUT HERE

dn: CN=inetOrgPerson,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: isDefunct
isDefunct: TRUE
-

dn: CN=inetOrgPerson,CN=Schema,CN=Configuration,DC=X
changetype: modrdn
newrdn: cn=inetOrgPersonOld
deleteoldrdn: 1


dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=inetOrgPerson,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
ldapDisplayName: inetOrgPerson
adminDisplayName: inetOrgPerson
adminDescription: Represents people who are associated with an organization in some way.
governsId: 2.16.840.1.113730.3.2.2
objectClassCategory: 1
rdnAttId: 1.2.840.113556.1.4.35
subClassOf: 1.2.840.113556.1.5.9
mayContain: 2.5.4.45
mayContain: 2.16.840.1.113730.3.140
mayContain: 2.16.840.1.113730.3.1.216
mayContain: 2.5.4.36
mayContain: 0.9.2342.19200300.100.1.1
mayContain: 0.9.2342.19200300.100.1.21
mayContain: 0.9.2342.19200300.100.1.6
mayContain: 2.16.840.1.113730.3.1.39
mayContain: 0.9.2342.19200300.100.1.7
mayContain: 0.9.2342.19200300.100.1.42
mayContain: 2.5.4.10
mayContain: 0.9.2342.19200300.100.1.41
mayContain: 0.9.2342.19200300.100.1.10
mayContain: 0.9.2342.19200300.100.1.3
mayContain: 1.3.6.1.4.1.250.1.57
mayContain: 0.9.2342.19200300.100.1.60
mayContain: 2.5.4.43
mayContain: 1.2.840.113556.1.2.617
mayContain: 0.9.2342.19200300.100.1.20
mayContain: 2.5.4.42
mayContain: 1.2.840.113556.1.2.613
mayContain: 1.2.840.113556.1.2.610
mayContain: 1.2.840.113556.1.2.13
mayContain: 2.16.840.1.113730.3.1.2
mayContain: 2.16.840.1.113730.3.1.1
mayContain: 2.5.4.15
mayContain: 0.9.2342.19200300.100.1.55
possSuperiors: 1.2.840.113556.1.5.67
possSuperiors: 2.5.6.5
possSuperiors: 1.2.840.113556.1.3.23
schemaIdGuid:: FMwoSDcUvEWbB61vAV5fKA==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;;;PS)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RPWP;77B5B886-944A-11d1-AEBD-0000F80367C1;;PS)(OA;;RPWP;E45795B2-9455-11d1-AEBD-0000F80367C1;;PS)(OA;;RPWP;E45795B3-9455-11d1-AEBD-0000F80367C1;;PS)(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;RS)(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;;RS)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;RS)(A;;RC;;;AU)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)(OA;;RP;77B5B886-944A-11d1-AEBD-0000F80367C1;;AU)(OA;;RP;E45795B3-9455-11d1-AEBD-0000F80367C1;;AU)(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;RS)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)
showInAdvancedViewOnly: FALSE
defaultHidingValue: FALSE
systemOnly: FALSE
defaultObjectCategory: CN=Person,CN=Schema,CN=Configuration,DC=X
systemFlags: 0

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
END CUT HERE
  6. Redefine the naming attribute for any existing InetOrgPerson objects:

    After the RDN attribute for a class is changed, all new instances of the class will use the new naming attribute. Ideally, the naming attribute should be defined prior to the creation of user accounts based on InetOrgperson because SIDS, password, and naming attribute for previous instances cannot be changed. To change the naming attribute for existing objects in Active Directory:
    1. Export the existing objects.
    2. Delete the existing objects from the directory.
    3. Import the data back into the directory of a domain controller for which the InetOrgPerson schema class has been modified.

REFERENCES

For information about making defunct classes, refer to the following Microsoft Web site:

http://msdn.microsoft.com/library/en-us/ad/ad/disabling_existing_classes_and_attributes.asp

Modification Type:MajorLast Reviewed:3/10/2006
Keywords:kbenv kbinfo KB307998
©2004 Microsoft Corporation. All rights reserved.