Problem

When you search Active Directory for objects such as Users, Computers, Contacts, and Groups using the Find command, you may need to identify where the objects found are located within the Active Directory structure. This article describes how to display and interpret this additional information. This one has stumped me for years and I finally figured it out.

When Users, Contacts, and Groups Are Found

  1. On the View menu, click Choose Columns in the Find Users, Contacts, and Groups dialog box.
  2. In the Columns Available box, click X500 Distinguished Name, click Add, and then click OK.

Depending on how many levels deep the User, Contact, or Group is located, there may be multiple parent containers. Commas in the DN separate the levels of hierarchy, and separate the leaf object from its container objects. To identify the direct parent of the object found, locate the first comma. The most immediate parent container is to its right. The name of the container may be preceded with “OU=” in place of “CN=”, identifying it as an Organizational Unit.

For example, if the user “administrator” is found, the X500 Distinguished Name may display the following information, indicating that the “Administrator” account resides in the “Users” container directly beneath the root of the domain:

CN=Administrator,CN=Users,DC=Microsoft,DC=Com

However, if the user had been moved to an Organizational Unit used for the purpose of delegating permissions, this path might be:

CN=Administrator,OU=Security Admins,DC=Microsoft,DC=Com

Or, there may be several parent containers:

CN=Administrator,OU=Seattle,OU=Security Admins,DC=Microsoft,DC=Com

When Computers Are Found

The process to display the parent container for Computer objects found is very similar to the above steps, except for the attribute name to display and the format used.

  1. On the View menu, click Choose Columns in the Find Computers dialog box.
  2. In the Columns Available box, click Published At, click Add, and then click OK.

The path to the object displayed in the “Published At” column is presented in Canonical Name format. The components of the path are separated by forward slashes and are read right to left, starting with the object found.

For example, if the computer “Server1” was found, the “Published At” column may display the following information, indicating that the “Server1” computer account resides in the “Computers” container directly beneath the root of the domain:

ntds://microsoft.com/Computers/SERVER1

Determining the parent container for other objects in the Active Directory is very similar to the process outlined above. When a column is added to the view, this setting is saved (per user) for the next time the snap-in is used.
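
Added example (not part of the original article): a Python sketch of the two readings described above, returning the immediate parent from an X500 Distinguished Name and converting the DN to the slash-separated canonical path (without the ntds:// prefix). It goes beyond the "first comma" rule by skipping commas that are escaped with a backslash inside a name; the function names and the example.com DN are constructed for illustration.

```python
import re

def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]          # keep the escape pair with its value
            i += 2
        elif dn[i] == ",":
            rdns.append(cur)            # unescaped comma ends this RDN
            cur, i = "", i + 1
        else:
            cur, i = cur + dn[i], i + 1
    rdns.append(cur)
    return rdns

def unescape(value):
    """Decode "\\," or single-byte hex pairs such as "\\2C" in one pass."""
    def repl(m):
        tok = m.group(1)
        return chr(int(tok, 16)) if len(tok) == 2 else tok
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)", repl, value)

def parent_container(dn):
    """DN of the immediate parent: everything after the first unescaped comma."""
    return ",".join(split_dn(dn)[1:])

def to_canonical(dn):
    """Canonical form: dotted domain, then containers outermost-first, then the object."""
    domain, path = [], []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        if attr.strip().upper() == "DC":
            domain.append(unescape(value))
        else:
            path.append(unescape(value).replace("/", "\\/"))  # "/" is the separator
    return "/".join([".".join(domain)] + path[::-1])

if __name__ == "__main__":
    samples = [
        "CN=Administrator,OU=Seattle,OU=Security Admins,DC=Microsoft,DC=Com",  # from the article
        r"CN=Smith\, John,OU=Staff,DC=example,DC=com",                         # constructed
    ]
    for dn in samples:
        print(parent_container(dn), "|", to_canonical(dn))
```

A plain split on the first comma would report the parent of the second sample as " John,OU=Staff,DC=example,DC=com", which is why the escape handling matters when processing exported DNs.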