How Can I Rename an Active Directory Group?

Hey, Scripting Guy! Question

Hey, Scripting Guy! How can I rename an Active Directory group?

— CL

Hey, Scripting Guy! Answer

Hey, CL. This is actually pretty easy; as you’ll see, it only takes two lines of code. It’s not a hard problem, it’s just a little bit tricky. That’s because ADSI (at least when it comes to dealing with Active Directory) does not have a Rename method. Instead, you need to use the MoveHere method to “move” the account from its current ADsPath to a new ADsPath. The trick is that the new path differs in only one respect: the CN (common name). Giving the object a new CN effectively renames it.

Confused? We don’t blame you. So let’s give you an example. Suppose we have a group with an ADsPath similar to this (remember, the ADsPath is the unique path that allows us to locate the object in Active Directory):

LDAP://cn=FinAdmins, ou=Finance, dc=fabrikam, dc=com

Notice that the CN for the group is FinAdmins. We’d like the CN for the group to be Finance Managers; in other words, we’d like the ADsPath for the object to look like this:

LDAP://cn=Finance Managers, ou=Finance, dc=fabrikam, dc=com

We know what you’re thinking, but Active Directory won’t let us directly change the value of the CN attribute; that is, we can’t use code like this to change the CN:

objGroup.CN = "Finance Managers"

But that’s all right; we’ll just “move” the group. The group started out with this ADsPath:

LDAP://cn=FinAdmins, ou=Finance, dc=fabrikam, dc=com

Now we’re going to move it to this ADsPath:

LDAP://cn=Finance Managers, ou=Finance, dc=fabrikam, dc=com

The group will still be in the Finance OU, and it will still have all its existing properties and members; it’s the same group, it just has a new ADsPath, and a new CN. Yes, it’s a little weird, but, hey, it works. And it’s no different than using the Move command to rename a file. If you type this from the command prompt, it will rename the file C:\Logs\New.log to C:\Logs\Old.log:

move c:\logs\new.log c:\logs\old.log

Same idea.

So what does the code actually look like to rename the group? It looks an awful lot like this:

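' Bind to the container (the Finance OU) that holds the group
Set objOU = GetObject("LDAP://ou=finance, dc=fabrikam, dc=com")
' "Move" the group within the same OU, giving it a new CN
objOU.MoveHere _
    "LDAP://cn=FinAdmins,ou=Finance,dc=fabrikam,dc=com", "cn=Finance Managers"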

Like we said, pretty easy. We bind to the Finance OU (the container where the group account resides), and then call the MoveHere method. We need to pass MoveHere two parameters: the ADsPath to the object we want to rename (LDAP://cn=FinAdmins,ou=Finance,dc=fabrikam,dc=com), and the new CN for the object (cn=Finance Managers). That’s it. Run the script, and the group will be renamed.
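The following is an added example, not part of the original column: it performs the same MoveHere rename and then checks that the object kept its identity. It goes one step past the article by reporting sAMAccountName (the pre-Windows 2000 name), which is a separate attribute that a CN rename leaves untouched. The paths are the article's fabrikam.com sample values; the NEW_SAM value and the UPDATE_SAM switch are hypothetical names introduced for illustration.

```vbscript
Option Explicit

' Sample values from the article; adjust for your own directory.
Const OLD_PATH = "LDAP://cn=FinAdmins,ou=Finance,dc=fabrikam,dc=com"
Const OU_PATH  = "LDAP://ou=Finance,dc=fabrikam,dc=com"
Const NEW_RDN  = "cn=Finance Managers"

' Hypothetical settings (assumptions, not from the article).
Const UPDATE_SAM = False
Const NEW_SAM    = "FinanceManagers"

Dim objGroup, objOU, objRenamed, strGuidBefore, strSamBefore

' Record the identifiers that should survive the rename.
Set objGroup = GetObject(OLD_PATH)
strGuidBefore = objGroup.Guid
strSamBefore  = objGroup.Get("sAMAccountName")
Set objGroup = Nothing

' MoveHere returns a reference to the object at its new ADsPath.
Set objOU = GetObject(OU_PATH)
Set objRenamed = objOU.MoveHere(OLD_PATH, NEW_RDN)

WScript.Echo "New ADsPath:    " & objRenamed.ADsPath
WScript.Echo "GUID unchanged: " & (objRenamed.Guid = strGuidBefore)
WScript.Echo "sAMAccountName: " & objRenamed.Get("sAMAccountName") & _
    " (before rename: " & strSamBefore & ")"

' The CN changed but the pre-Windows 2000 name did not. Anything that
' reports groups by sAMAccountName (logs, audits, scripts) will still
' show the old name unless it is updated as a separate step.
If UPDATE_SAM Then
    objRenamed.Put "sAMAccountName", NEW_SAM
    objRenamed.SetInfo
    WScript.Echo "sAMAccountName set to: " & objRenamed.Get("sAMAccountName")
End If
```

Run it with cscript.exe under an account that is allowed to rename objects in the OU.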