Seek and Destroy duplicate AD objects with CNF in the name

Posted: November 22, 2014 in Active Directory, Configuration Manager, Information
Tags: , , , ,

For various reasons, there are times when Active Directory may encounter a situation where multiple objects appear. The duplicates will be named with a CNF:[GUID] on the end of the name.

Here is an excellent Microsoft blog post with an explanation of why it happens and some simple commands to find these objects. It is an issue we encounter at times with Configuration Manager boundaries and slow AD replication, but could happen for many other object types also.

For a slightly simpler method, here is my approach to using AD Users and Computers to find and delete them.

In this example I am looking specifically in the “System Management” container, but you could apply it at the root of the tree to find any duplicates

  1. Create a new saved query in AD Users and Computers
  2. Set “System\System management” as the Query root (you need “Advanced view” enabled)
  3. Define a “Custom Search” and in the Advanced tab enter (cn=*cnf:*)
  4. Now just refresh the query to find the duplicates, select and delete


  1. gsdroubi says:

    Windows cannot delete object
    cnf:xxxxxxxx because: a referral was returned from the server when search from entire directory
    when search from domain:no match

    • Scott says:

      This is an error you are seeing? Are you logged in as a domain admin or an account that has permissions to delete those objects?

      • gsdroubi says:

        I did all these steps,and showed 0 entries
        bit still unable to publish topoply due to the existence of users,contacts,..
        Is there any tool which shows what r the users contacts they still in the pool

        all down gave 0 entries
        any help

      • gsdroubi says:

        I want to decommission the pool lync 2010,i have already remove all users to lync 2013,but whenever I want to publish this new topology,it gives this error,any hint to check what is the orphaned user

  2. Bobby says:

    Nice! I love a clean AD.

  3. Neeraj says:

    is is safe to delete duplicate entries which have CNF for system mailboxes or we need to validate anything before that.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s