[ActiveDir] Renaming user and group object CNs

[Frost, David: #CIO-BPI]

I have been researching the implication of modifying object CNs for users and groups in order to provide a) a more consistent cn format for objects in our directory, b) remove "special" characters such as /, #, and : that make dealing with objects via scripting difficult.   Courtesy of the Active Directory Connector for Exchange, our AD user and Group Objects have CN attributes that are copies of the Exchange 5.5 directory Display Name attribute.  Our initial testing did not seem to indicate that this would be a problem, but very shortly after we started to migrate users in production we noticed some issues and modified the ADC to stop this behaviour.  Problem was that all the distribution groups had already been migrated along with 200-300 user objects (hence the cn= ex5.5 display name).    Now that migration of users and groups from NT4 and Ex5.5 is complete (and has been for a number of months) the full impact (annoyance) of having these / , :, and # in the CN is is becoming visible. Command line tools such as dsquery etc, LDIFDE, CSVDE etc hiccup and generally add a number of flaming hoops to jump through to the point that I would like to rename the CNs on these objects (users and Universal distribution groups).     Is this possible to do on a large scale (200-300 users and 2700 + groups)? If so how, what are the gotchas etc....    Thanks in advance.