You can rename user accounts in Active Directory in several ways. You can use AD graphical snap-ins, command-line tools, or PowerShell cmdlets. Let’s explore these methods.
How to Rename an Active Directory User with Active Directory Users and Computers Console?
The easiest and most intuitive way to rename an AD user is to use the Active Directory Users and Computers snap-in (ADUC).
- Open the ADUC console by running the dsa.msc command on your domain controller or a computer with Remote Server Administration Tools (RSAT) installed.
- Use the Active Directory search to find the user you want to rename. Right-click the user and click Rename.
Or expand the Active Directory OU where the user is located, right-click on the user, and click Rename.
- Open the user properties and navigate to the Object tab. The user’s full name is shown in the Canonical name of the object field. This is the name displayed in the ADUC console and other Windows and AD tools.
To rename a user, right-click on it and select Rename.
- In the “Rename User” window that opens, you can change the Full name (Canonical name of the object), First name, Last name, Display Name, as well as the userPrincipalName and userlogonname (samAccountName) attributes. Click OK to save the changes.
How to Rename an Active Directory User with PowerShell?
You can use cmdlets from the PowerShell Active Directory module to rename a user in AD. The base cmdlets are Rename-ADObject and Set-ADUser.
- Rename-ADObject — allows you to change the values of the attributes: cn, distinguishedName, name;
- Set-ADUser — allows you to change givenName, surname, displayName, and other attributes.
In short, Rename-ADObject renames the Relative Distinguished Name (RDN) and Set-ADUser updates the givenName, surname, and displayName.
Renaming a user with Rename-ADObject requires the distinguishedName or objectGUID of the user to rename.
For example, to rename the user “Christopher Wilson”, let’s first get its distinguishedName or objectGUID by running this command.
Get-ADUser cwilson
Run the Rename-ADObject command, pass the distinguishedName or objectGUID to the -Identity parameter, and specify the new name in the -NewName parameter.
Rename-ADObject -Identity 88df7b6e-ab12-416b-b2c3-fabee0e29015 -NewName 'Chris Wilson'
Hint. You can add the PowerShell -WhatIf parameter to a command to preview what it would change without actually making the change.
To make the command easier, you can get the user’s identity by name or samAccountName with the Get-ADUser cmdlet:
Get-ADUser cwilson | Rename-ADObject -NewName 'Chris Wilson'
Let’s review the results. Run this command to show specific attributes.
Get-ADUser cwilson -Properties DisplayName, SurName | Select-Object ObjectGUID, DistinguishedName, Name, DisplayName, GivenName, SurName
As you can see, the Rename-ADObject command changed only the RDN and Name attributes to match the new name. The GivenName and DisplayName are unaffected. Why? Because the Rename-ADObject command is a general-purpose cmdlet to rename AD objects, such as computers and groups, to which the GivenName and SurName do not apply.
The following command updates the user’s GivenName, SurName, and DisplayName attributes.
Get-ADUser cwilson | Set-ADUser -GivenName Chris -Surname Wilson -DisplayName 'Chris Wilson'
As you can see, the DistinguishedName, Name, DisplayName, GivenName, and SurName attributes are uniformly changed by the Set-ADUser command. The DistinguishedName and Name attributes are automatically composed based on the GivenName and SurName combination.
If you need to rename the login name and user principal name attributes, use the -SamAccountName <new SAM> and -UserPrincipalName <new UPN> parameters.
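The two-step rename described above, combined into one function as an added example (not code from the original article). The function name Rename-AdUserFull, its parameters and the character restrictions on the new logon names are assumptions made here. It addresses the account by objectGUID, which does not change when the DN does, and refuses a logon name that another account in the domain already holds.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Rename-AdUserFull and its parameters are hypothetical names.
function Rename-AdUserFull {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Identity,   # samAccountName, DN or GUID
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        # Assumption: a deliberately narrow character set (stricter than AD
        # itself), so the values are safe to place inside -Filter strings.
        [ValidatePattern('^[A-Za-z0-9._-]{1,20}$')][string]$NewSamAccountName,
        [ValidatePattern('^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+$')][string]$NewUserPrincipalName
    )

    $user     = Get-ADUser -Identity $Identity
    $guid     = $user.ObjectGUID      # unchanged by the rename, unlike the DN
    $fullName = "$GivenName $Surname"

    # Stop if another account in this domain already holds a new logon name.
    $wanted = @{ SamAccountName = $NewSamAccountName; UserPrincipalName = $NewUserPrincipalName }
    foreach ($attr in $wanted.Keys) {
        if (-not $wanted[$attr]) { continue }
        $clash = Get-ADUser -Filter "$attr -eq '$($wanted[$attr])'" |
            Where-Object { $_.ObjectGUID -ne $guid }
        if ($clash) { throw "$attr '$($wanted[$attr])' is already used by $($clash.DistinguishedName)" }
    }

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Rename to '$fullName'")) {
        # Step 1: name and logon attributes (Set-ADUser).
        $set = @{ GivenName = $GivenName; Surname = $Surname; DisplayName = $fullName }
        if ($NewSamAccountName)    { $set.SamAccountName    = $NewSamAccountName }
        if ($NewUserPrincipalName) { $set.UserPrincipalName = $NewUserPrincipalName }
        Set-ADUser -Identity $guid @set

        # Step 2: the RDN (cn/name/distinguishedName), only if it differs.
        if ($user.Name -ne $fullName) {
            Rename-ADObject -Identity $guid -NewName $fullName
        }
    }

    # Return the resulting state; ObjectGUID and SID identify the same account.
    Get-ADUser -Identity $guid -Properties DisplayName |
        Select-Object ObjectGUID, SID, DistinguishedName, Name, DisplayName,
            GivenName, Surname, SamAccountName, UserPrincipalName
}

# Preview with the article's sample user; drop -WhatIf to apply.
Rename-AdUserFull -Identity cwilson -GivenName Chris -Surname Wilson -WhatIf
```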
How to Rename an Active Directory User with Visual Basic Script?
If you’re stuck with an older Windows Server or the environment does not permit using PowerShell, you can still use VBS.
For your convenience, you can download the Visual Basic Script from this link – RenameADUser.vbs.
This script has the following parameters:
- OldUserDN (Required) — This is the user’s current DistinguishedName (e.g., “CN=Olivia Hill,OU=Users,OU=California,OU=USA,DC=theitbros,DC=com”)
- NewName (Required) — The user’s new name (e.g., “Olive Douglas”)
- NewGivenName (Optional) — The new given name or first name value
- NewSurname (Optional) — The new surname or last name value
- NewDisplayName (Optional) — The new display name
- NewSamAccountName (Optional) — The new username.
- NewUserPrincipalName (Optional) — The new UPN.
Follow these steps to use this VB Script to rename an Active Directory user.
- Once you’ve downloaded the script, open PowerShell or CMD.
- Change the working directory to where you saved the script.
- Run the following command to rename the AD user. In this example, the user will be renamed from Olivia Hill to Olive Douglas. The username and UPN will be changed to odouglas and odouglas@theitbros.com, respectively.
cscript.exe //nologo RenameADUser.vbs /OldUserDN:"CN=Olivia Hill,OU=Users,OU=California,OU=USA,DC=theitbros,DC=com" /NewName:"Olive Douglas" /NewGivenName:"Olive" /NewSurName:"Douglas" /NewDisplayName:"Olive Douglas" /NewSamAccountName:"odouglas" /NewUserPrincipalName:"odouglas@theitbros.com"
How to Rename an Active Directory User with Management Tools Command-Line?
Before PowerShell and the ActiveDirectory module, there was the Management and Tools for Windows Server. The dsmove and dsmod commands are part of that suite.
- dsmove — Moves a single AD object to another path, or renames the RDN of the object without moving it.
- dsmod user — Modifies the attributes of an Active Directory user.
First, find the user to rename using the dsquery user command. This step is optional and only for comparison of results later.
dsquery user -samid cwilson | dsget user -dn -display -fn -ln
Once we confirm the user, run this command to rename it.
# Rename
dsquery user -samid cwilson | dsmove -NewName 'Christopher Wilson'
# Display Attributes
dsquery user -samid cwilson | dsget user -dn -display -fn -ln
As expected, the command only renamed the user’s RDN, and the first, last, and display names are untouched.
To change the first name, last name, and display name, we must run the dsmod command.
dsquery user -samid cwilson | dsmod user -fn 'Chris' -ln "Wilson" -display 'Chris Wilson'
How to Rename an Active Directory User with ADSI Edit?
While impractical and risky, you can use the ADSI Edit tool to rename a user. ADSI Edit is a low-level editor, which means you can change any value without error-checking and validation.
But if you’re in a situation where you can only use ADSI Edit, here’s how.
- Run the adsiedit.msc command to launch ADSI Edit.
- Click Action → Connect to → Select a well known Naming Context (Default naming context) → OK.
- Navigate to the OU where the user to rename is located.
- Right-click on the user object and click Properties.
- Double-click to edit the following attributes to rename the user.
- displayName — The user’s display name.
- givenName — The user’s first name.
- sn — The user’s last name.
You can also modify the samAccountName and userPrincipalName to change the user’s logon name and UPN.
A couple of reminders when using this method to rename a user in Active Directory.
- You cannot rename the distinguishedName attribute because it is read-only in ADSI Edit.
- You cannot rename the cn (full name) attribute because the system owns it. You will get the following error if you attempt to modify this attribute.
Conclusion
Changing a username in Active Directory is a straightforward process that involves a few simple steps. Following the guidelines outlined in this guide, you can efficiently update usernames while ensuring the integrity of user accounts and system functionality.
Remember to back up any critical data before making changes and adhere to your organization’s policies to maintain security and consistency across the network.