|
exchange
newsgroups
|
|||||||||||||||||||||||
|
|||||||||||||||||||||||
Changing common name to network ID and Exchange ramifications?and users with email in the organization. Due to the fact that many people within the same OU's have exactly the same names this is causing some issues. The group is proposing to change the CN to the network ID so all will be unique. There are other reasons behind this as well but won't go into those now. As far as Exchange, what do you see as being a problem or possible issue with doing this? Granted the GAL in Exchange would be affected and display the Network ID instead of the full name, correct? Anyway, if you all have any things we should be aware of I would appreciate you letting me know! Here is a copy of the idea that may occur. The change, in simple terms is to rename every user in the domain (ie change the CN attribute) to match the samAccountName rather than the Display Name as is currently the case. This has 2 primary benefits that I can see; Firstly it will simplify the user creation process and remove an old problem that we see occuring an an all too frequent basis. The problem is that the CN must be unique within a given OU. It happens reasonably frequently that a new user in, or a user transfering to, a given Division or Unit has exactly the same Display Name as another user that is already in the Division or Unit. To allow the new user or transfer user to occur, workarounds have had to be implemented. This problem will be dramatically increased if we ever get around to collapsing the existing user heirachy into department level structure. The second benefit is a protective measure for the future and is related to the soon to go live e-Key project. As part of this project, we have implemented a Microsoft Certificate Authority. With the distribution of the e-Key's, each and every user will have a token that holds the keys for a Microsoft Certificate. This certificate will have a subject name of CN=<......>,OU=.....,OU=......,DC=COMPANY,DC=COM This certificate (ie the keys associated with it) could be used to secure the users access to a number of services internal and external to the Company network. An example is the SSL VPN. The problem is that most appliances when secured with a certificate will check if the CN attribute matches the users login name (ie, if I log in with userid into the appliance it will check to see if there is a certificate in my store that has the form CN=userid,........). This won't work if the CN is set to some abstract Display Name. Additionally we have seen some issues related to the fact that the CN has a comma in it - applications have to be careful to quote the errant comma - life would be much simpler if this was not the case. The Entrust CA & Internet LDAP people discovered this issue some number of years back. They saw that when they issued what they call a "Web Certificate" to the existing users in the LDAP directory that it was not fully functional. They came up with the most horrible of solutions - if anyone wants a web certificate, they create a completely new user object in the directory with CN=<networkID>. This solution is not workable with us as (1) we intend for every user to be given a certificate and (2) the same certificate is to be used for smartcard login and so it must relate to the actual user. Again, thanks for checking this out and giving suggestions. Thank you! What?
What problems are you seeing? You have gone through an epic tome on this when all you needed to do was to change the display name so that people can see who to Administer or send email to. The SMTP addresses are unique anyway.  |
|||||||||||||||||||||||
Other interesting topics