
Creating and Renaming Active Directory Groups – Special Features


IT departments in companies usually use the Active Directory directory service from Microsoft in their system landscape. User accounts, groups and other objects are stored and managed there.

This article goes into the specifics of group names and the various Active Directory attributes, such as “name”, “commonName” (“cn” for short) or “displayName”.

Initial Situation

If you create a group via the “Active Directory Users and Computers” console, the attributes “cn”, “name” and “samAccountName”, among others, are assigned. At this point, this behavior is already fundamentally different from user accounts. In the case of user accounts, the attribute “displayName” is also automatically assigned, which does not happen when groups are created.

Overview of AD attributes for a group object

Confusion can arise among administrators, especially when groups are also created with other tools that do assign the “displayName” attribute. Since “displayName” is not a mandatory attribute for a group object, you will probably end up with a mix of groups with and without an assigned “displayName”.


Creation of a Group with assigned "displayName"

If you want new groups to have a populated “displayName”, you have to fill in this attribute manually after creation when using the “Active Directory Users and Computers” console.

An alternative is to create the groups via PowerShell. Using PowerShell, the administrator has more flexibility and can automate the creation of groups using scripts if necessary.

The following command creates a group object and also assigns the attribute “displayName” during the creation:

PowerShell command to create a group incl. "displayName".

The result of the group creation looks like this:

Result of a group created via PowerShell

Depending on what kind of group is to be created, the parameters “-GroupScope” and “-GroupCategory” can be adjusted. The following values can be used:

  • GroupScope
    • Global
    • Universal
    • DomainLocal
  • GroupCategory
    • Security
    • Distribution


Additional attributes can also be assigned when creating a new group via PowerShell. You can find further information at https://docs.microsoft.com/en-us/powershell/module/activedirectory/new-adgroup?view=windowsserver2022-ps.


Rename a Group

If a group needs to be renamed, the administrator again has several options. The best-known way is to use the “Active Directory Users and Computers” console.

Note that the console does not change the attribute “displayName” if it is already assigned.

Attributes of a group before renaming
Group renaming assistant
Result after renaming the group

As can be seen, only the attributes “cn”, “name” and “samAccountName” were adjusted during the renaming. The attribute “displayName” still contains the original value from before the renaming and would now have to be adjusted manually.

To avoid this problem, it is recommended to rename the group via PowerShell instead. The following two commands are necessary for this:

Renaming a group via PowerShell
Result after renaming the group via PowerShell

In this case, all desired Active Directory attributes are updated as well, and you have a consistent state across the different name attributes of Active Directory groups.
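The following is an added example, not the commands shown in the article's screenshots: it creates a group with “displayName” set, renames a group so that all four name attributes stay in sync, and audits for groups whose “displayName” is missing or stale. The function names, the group names and the OU path are hypothetical; the cmdlets come from the ActiveDirectory module (RSAT).

```powershell
Import-Module ActiveDirectory

# Create a group and assign displayName at creation time (ADUC leaves it empty).
function New-ConsistentADGroup {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('Global', 'Universal', 'DomainLocal')][string]$GroupScope = 'Global',
        [ValidateSet('Security', 'Distribution')][string]$GroupCategory = 'Security'
    )
    New-ADGroup -Name $Name -SamAccountName $Name -DisplayName $Name `
        -GroupScope $GroupScope -GroupCategory $GroupCategory -Path $Path
}

# Rename in two steps: Rename-ADObject changes cn/name (the RDN),
# Set-ADGroup then updates samAccountName and displayName.
function Rename-ConsistentADGroup {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$NewName
    )
    $group = Get-ADGroup -Identity $Identity
    Rename-ADObject -Identity $group.DistinguishedName -NewName $NewName
    # The DN has changed, so address the object by its GUID from here on.
    Set-ADGroup -Identity $group.ObjectGUID -SamAccountName $NewName -DisplayName $NewName
}

# Report groups whose displayName is empty or no longer matches name,
# e.g. after a rename through the ADUC console.
function Get-ADGroupDisplayNameDrift {
    param([string]$SearchBase)
    $query = @{ Filter = '*'; Properties = 'DisplayName' }
    if ($SearchBase) { $query.SearchBase = $SearchBase }
    Get-ADGroup @query | ForEach-Object {
        $status = if (-not $_.DisplayName) { 'Missing' }
                  elseif ($_.DisplayName -ne $_.Name) { 'Mismatch' }
        if ($status) {
            [pscustomobject]@{
                Status         = $status
                Name           = $_.Name
                SamAccountName = $_.SamAccountName
                DisplayName    = $_.DisplayName
            }
        }
    }
}

# Usage with constructed sample values (adjust to your own domain):
# New-ConsistentADGroup -Name 'FS_Sales_RW' -Path 'OU=Groups,DC=example,DC=com'
# Rename-ConsistentADGroup -Identity 'FS_Sales_RW' -NewName 'FS_Sales_Modify'
# Get-ADGroupDisplayNameDrift -SearchBase 'OU=Groups,DC=example,DC=com'
```

Running the audit before and after a batch of renames shows which groups still carry an old “displayName” and therefore appear under a different name in tools that read that attribute.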

About the Author:

Christoph Schulze
Christoph Schulze is Senior Consultant at permSECURE. Since 2013 he has been designing and supporting file server projects and helping customers to optimize their permission concepts.