Hey, Scripting Guy! How can I rename an Active Directory group?-- CL
Hey, CL. This is actually pretty easy; as you’ll see, it only takes two lines of code. It’s not a hard problem, it’s just a little bit tricky. That’s because ADSI (at least when it comes to dealing with Active Directory) does not have a Rename method. Instead, you need to use the MoveHere method to “move” the account from its current ADsPath to a new ADsPath. The trick is that the new path differs in only one respect: the CN (common name). Giving the object a new CN effectively renames it.
Confused? We don’t blame you. So let’s give you an example. Suppose we have a group with an ADsPath similar to this (remember, the ADsPath is the unique path that allows us to locate the object in Active Directory):
LDAP://cn=FinAdmins, ou=Finance, dc=fabrikam, dc=com
Notice that the CN for the group is FinAdmins. We’d like the CN for the group to be Finance Managers; in other words, we’d like the ADsPath for the object to look like this:
LDAP://cn=Finance Managers, ou=Finance, dc=fabrikam, dc=com
We know what you’re thinking, but Active Directory won’t let us directly change the value of the CN attribute; that is, we can’t use code like this to change the CN:
objGroup.CN = "Finance Managers"
But that’s all right; we’ll just “move” the group. The group started out with this ADsPath:
LDAP://cn=FinAdmins, ou=Finance, dc=fabrikam, dc=com
Now we’re going to move it to this ADsPath:
LDAP://cn=Finance Managers, ou=Finance, dc=fabrikam, dc=com
The group will still be in the Finance OU, and it will still have all its existing properties and members; it’s the same group, it just has a new ADsPath, and a new CN. Yes, it’s a little weird, but, hey, it works. And it’s no different than using the Move command to rename a file. If you type this from the command prompt, it will rename the file C:\Logs\New.log to C:\Logs\Old.log:
move c:\logs\new.log c:\logs\old.log
So what does the code actually look like to rename the group? It looks an awful lot like this:
Set objDomain = GetObject("LDAP://ou=finance, dc=fabrikam, dc=com")
Set objGroup = objDomain.MoveHere _
    ("LDAP://cn=FinAdmins,ou=Finance,dc=fabrikam,dc=com", "cn=Finance Managers")
Like we said, pretty easy. We bind to the Finance OU (the container where the group account resides), and then call the MoveHere method. We need to pass MoveHere two parameters: the ADsPath to the object we want to rename (LDAP://cn=FinAdmins,ou=Finance,dc=fabrikam,dc=com), and then the new CN for the object (cn=Finance Managers). That’s it. Run the script, and the group will be renamed.
using System.DirectoryServices;
public class RenameObject
{
    public static void Main()
    {
        DirectoryEntry de = new DirectoryEntry(
            "LDAP://192.168.1.100/ou=auditing, ou=accounting, dc=ispnet1, dc=net",
            "cn=Administrator, dc=ispnet1, dc=net", "password",
            AuthenticationTypes.Secure); // authentication type assumed; the fragment omits it
        DirectoryEntries des = de.Children;
        DirectoryEntry badObject = des.Find("cn=test");
        badObject.Rename("cn=NEW-NAME"); // placeholder new CN; the fragment stops before this call
    }
}
This doesn't work. When I run the code at the end of this article, I get:
Set-Variable : A positional parameter cannot be found that accepts argument 'GetObject'.
At line:1 char:1
+ Set objDomain = GetObject("LDAP://OU=REDACTED ...
+ CategoryInfo : InvalidArgument: (:) [Set-Variable], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.SetVariableCommand
See also PowerShell's rename-adobject method:
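The article’s VBScript cannot be pasted into PowerShell as-is (the error quoted above is PowerShell reading `Set` as its Set-Variable alias), so here is the same MoveHere rename written for Windows PowerShell, as an added example that is not part of the original post or its comments. It assumes the fabrikam.com paths from the article, the function and parameter names are my own, and it uses DirectoryEntry.MoveTo, which calls IADsContainer::MoveHere underneath, after checking that the new CN is not already taken.

```powershell
# Added example (not the article's code). Assumes the fabrikam.com paths from the article
# and that the caller's account is allowed to rename objects in the Finance OU.
function Rename-AdsiGroup {
    param(
        [Parameter(Mandatory)] [string] $GroupPath,   # e.g. LDAP://cn=FinAdmins,ou=Finance,dc=fabrikam,dc=com
        [Parameter(Mandatory)] [string] $NewCn        # e.g. 'Finance Managers' (without the cn= prefix)
    )
    $group  = [ADSI]$GroupPath
    $parent = $group.psbase.Parent        # the container the article binds to (the Finance OU)
    $newRdn = "cn=$NewCn"

    # Refuse to collide with an existing object: MoveHere would fail anyway, but fail early with a clear message.
    try {
        $null = $parent.psbase.Children.Find($newRdn)
        throw "An object named '$newRdn' already exists under $($parent.psbase.Path)"
    } catch [System.Runtime.InteropServices.COMException] {
        # Find() throws when nothing by that name exists, which is what we want here.
    }

    # Same parent container plus a new RDN: this is exactly the "move to rename" trick from the article.
    $group.psbase.MoveTo($parent, $newRdn)

    # Only cn and distinguishedName change; objectSid, sAMAccountName and the member list do not,
    # so ACLs keep resolving, but anything that stored the old DN must be updated.
    return $group.psbase.Path
}

Rename-AdsiGroup -GroupPath 'LDAP://cn=FinAdmins,ou=Finance,dc=fabrikam,dc=com' -NewCn 'Finance Managers'
```

The function returns the group’s new ADsPath, which should read LDAP://CN=Finance Managers,OU=Finance,DC=fabrikam,DC=com.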