

msDS-parentdistname vs. parentGUID

Last week I wrote about mirroring an OU structure, from a source domain to a test domain, with the help of a couple of PowerShell scripts.

The first script had to capture the distinguished name of the parent object of each OU found in the source domain. This would allow me to make sure that an equivalent parent object existed in the target domain before attempting to create the child OU.

Looking into how to obtain the parent object distinguished name, I came across the msDS-parentdistname attribute. Take a look-see:

Get-ADOrganizationalUnit -Filter * -Properties msDS-parentdistname | Select-Object DistinguishedName,msDS-parentdistname

 

Get-ADUser -Filter * -Properties msDS-parentdistname | Select-Object DistinguishedName,msDS-parentdistname

 

 

Did that work for you? If not, it'll probably be because you don't have the msDS-parentdistname attribute, as it was introduced in Windows Server 2012 R2! Have a look for msDS-parentdistname in this ldf file that comes with Windows Server 2012 R2:

Sch60.ldf

  

I realised that not everyone will have the Windows Server 2012 R2 schema, so I needed another way of obtaining the parent object's distinguished name. I turned to the trusty and ancient parentGUID attribute. Here's how I obtain it and then convert it from a byte array, i.e. an array of bytes, back to a usable GUID...

First, retrieve an OU object and assign it to the $Ou variable. Notice that we ask for the parentGUID property:

$Ou = Get-ADOrganizationalUnit -Identity "OU=Lab Accounts,DC=halo,DC=net" -Properties ParentGuid

 

Let's take a look at the ParentGuid attribute for the OU object:

 

Next, I need to convert the byte array into an actual GUID. I cast the $Ou.ParentGuid byte array as a System.Guid object by using the [GUID] type accelerator. I then ask for the Guid property and assign that to $ParentGuid:

$ParentGuid = ([GUID]$Ou.ParentGuid).Guid

   
Now, we can feed the GUID stored in $ParentGuid into the Get-ADObject cmdlet. The result is assigned to $ParentObject.

$ParentObject = Get-ADObject -Identity $ParentGuid

 

Finally, the parent object's distinguished name:

$ParentObject.DistinguishedName

 

Compared to using the msDS-parentdistname constructed attribute, the above example is a little more work, but I get the same result AND I don't have to worry about schema versions.
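
The parentGUID steps above, applied to every OU in one pass, as an added example (not the original mirroring script): it caches parent lookups, tolerates parents that cannot be read, and lists parents before children. The function name Get-OuParentMap and its -SearchBase parameter are assumptions; it needs the ActiveDirectory module and a reachable domain controller.

```powershell
# Added example: requires the ActiveDirectory module and a reachable domain controller.
Import-Module ActiveDirectory

function Get-OuParentMap {   # hypothetical name, not from the original scripts
    [CmdletBinding()]
    param(
        # Assumed parameter: where to start the search (defaults to the domain root)
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    $cache = @{}   # parent GUID string -> parent DN, so each parent is queried once

    $rows = foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase -Properties ParentGuid) {
        $parentDn = $null
        if ($ou.ParentGuid) {
            # Same conversion as above: byte array -> System.Guid -> string
            $guid = ([Guid]$ou.ParentGuid).Guid
            if (-not $cache.ContainsKey($guid)) {
                try {
                    $cache[$guid] = (Get-ADObject -Identity $guid -ErrorAction Stop).DistinguishedName
                }
                catch {
                    # e.g. no read access to the parent: record the gap instead of stopping
                    Write-Warning "Cannot resolve parent $guid of '$($ou.DistinguishedName)': $($_.Exception.Message)"
                    $cache[$guid] = $null
                }
            }
            $parentDn = $cache[$guid]
        }
        [pscustomobject]@{
            Name              = $ou.Name
            DistinguishedName = $ou.DistinguishedName
            ParentDN          = $parentDn
        }
    }

    # A child's DN is always longer than its parent's DN, so sorting by length
    # lists every parent before its children (the order needed when recreating them).
    $rows | Sort-Object { $_.DistinguishedName.Length }
}

Get-OuParentMap | Format-Table -AutoSize
```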

 

  "...why, 'tis a happy thing
To be the father unto many sons."