0X000020A0

0x000020A0 Fix: Name isn't an object in Active Directory

Windows Errors Intermediate 👁 0 views 📅 May 26, 2026

This error means a DN in Active Directory points to a container or something that isn't a normal object. The fix is usually a typo or wrong object type in your query.

Cause 1: You're querying a container or organizational unit as if it were a user or computer

This is the most common reason people see error 0x000020A0. You're running a script, a tool, or an LDAP query that expects a leaf object—like a user, group, or computer—but the distinguished name (DN) you fed it actually points to an organizational unit (OU) or a container.

Let me give you a concrete example. Say you're using ADSI Edit or a PowerShell script to fetch attributes from what you think is a user object:

Get-ADUser -Identity "CN=Sales,OU=Users,DC=contoso,DC=com"

But in reality, "Sales" is not a user—it's an OU full of users. The Get-ADUser cmdlet expects a security principal (user, computer, or group), not a container. So you get error 0x000020A0: "The name does not identify an object."

The fix: verify the object class

  1. Open Active Directory Users and Computers (dsa.msc).
  2. Enable Advanced Features from the View menu.
  3. Right-click the object in question and choose Properties.
  4. Go to the Attribute Editor tab. Look for the attribute objectClass.
  5. If you see values like organizationalUnit or container, that's your problem.

After checking: You'll see the objectClass listed. If it's not user, computer, group, or inetOrgPerson, then the DN doesn't point to an object the way you expected. Change your script or query to target the correct leaf object. Or, if you meant to target the OU, use the appropriate cmdlet like Get-ADOrganizationalUnit.

Cause 2: Typo or wrong distinguished name in the query

This one sneaks up on people all the time. You copy a DN from somewhere, paste it into a script, and there's a stray space, a wrong comma, or the CN doesn't match exactly. The LDAP server parses it and can't find an object that matches—so it returns 0x000020A0.

Real-world trigger: You exported a list of users from one domain and tried to import them into another domain. The DNs from Domain A don't match Domain B's structure. Or someone manually typed a DN and missed a character.

The fix: validate the DN with a quick LDAP search

  1. Open PowerShell as administrator.
  2. Run this command, replacing CN=John Doe,OU=Users,DC=contoso,DC=com with your suspect DN:
Get-ADObject -Identity "CN=John Doe,OU=Users,DC=contoso,DC=com"

After running: If you get the same error, the DN is wrong. If you get no error and see object details, the DN is valid—but it might still be the wrong type (see Cause 1).

To double-check the exact correct DN, use this command and replace John Doe with the name you think it should be:

Get-ADUser -Filter {Name -eq "John Doe"} | Select-Object DistinguishedName

Compare the output character by character with what you're using. A missing space or different OU path will cause the error.

Cause 3: The object has been moved, deleted, or renamed

You might have a script or application that caches a distinguished name. The object was moved to a different OU, deleted, or renamed. The cached DN now points to nowhere—or to an empty spot. AD returns 0x000020A0 because the name string itself is syntactically valid but doesn't match any live object.

I've seen this happen most often with scheduled tasks that do LDAP lookups against stale data. A user leaves the company, their account gets disabled and moved to a "Disabled Users" OU. The next day, the script fails with this exact error.

The fix: find the current object and update your reference

  1. Run a broad search to locate the object regardless of its current location. Use PowerShell with an unambiguous attribute like SamAccountName or UserPrincipalName:
Get-ADObject -Filter {SamAccountName -eq "jdoe"} -Properties *

After running: You'll either see the object with its new DN, or you'll get nothing—which means it was deleted. If it's deleted, you can recover it from the AD Recycle Bin if it's enabled.

If it was deleted and you need it back:

  1. Open Active Directory Administrative Center (dsac.exe).
  2. In the left pane, click your domain name.
  3. Double-click Deleted Objects in the main pane.
  4. Find the object, right-click it, and choose Restore.
  5. After restore, run the Get-ADObject search again to get the current DN.

Then update your script or application with the corrected DN. Don't just hardcode it—consider using a filter by SamAccountName or GUID instead, which won't change if the object moves.

Quick-reference summary table

Cause Symptom Fix
Querying container/OU as a leaf object Error on Get-ADUser or similar cmdlet Check objectClass; use correct cmdlet (e.g., Get-ADOrganizationalUnit)
Typo or wrong DN Error on any LDAP operation with that DN Validate DN with Get-ADObject; compare to actual object's DN
Object moved, deleted, or renamed Error after a known change in AD structure Search by SamAccountName or GUID; restore from Recycle Bin if needed

Most people hit Cause 1. Start there. If that's not it, move to Cause 2, then 3. Don't jump around—you'll just waste time. And if you're still stuck after all three, check your application logs. Sometimes the error is a red herring, and the real problem is permissions or a network issue.

Was this solution helpful?

0x000020A0 ERROR_DS_NOT_AN_OBJECT Active Directory error LDAP name not an object Win32 error 8360 ADSI edit fix distinguished name wrong type container vs object error AD lookup fails DNS misconfiguration AD