Active Directory & testing for user’s existence

 

When you are creating a new user you may want to test if a particular name is already is use. The Quest AD cmdlets provide great functionality but one area of confusion is where you are searching for a user by name:

PS> Get-QADUser -Identity “GREEN Dave” | ft -a

Name        Type DN
—-        —- —
GREEN Dave  user CN=GREEN Dave,CN=Users,DC=Manticore,DC=org
GREEN Dave2 user CN=GREEN Dave2,CN=Users,DC=Manticore,DC=org

But I didn’t ask for the second user. The problem is because the Quest cmdlets use s ANR – ambiguous name resolution when searching. This is equivalent to using “GREEN Dave*” in your search. In other words the cmdlets assume you are appending wildcards.

Way round it is to use an LDAP filter

PS> Get-QADUser -LdapFilter ‘(cn=GREEN Dave)’ | ft -a

Name       Type DN
—-       —- —
GREEN Dave user CN=GREEN Dave,CN=Users,DC=Manticore,DC=org

LDAP filters are also available with the Microsoft cmdlets (you can’t use name as a search with the identity parameter with the MS cmdlets)

PS> Get-ADUser -LdapFilter ‘(cn=GREEN Dave)’

DistinguishedName : CN=GREEN Dave,CN=Users,DC=Manticore,DC=org
Enabled           : True
GivenName         : Dave
Name              : GREEN Dave
ObjectClass       : user
ObjectGUID        : 28f0c168-d142-417f-a223-333488cdaa77
SamAccountName    : dgreen
SID               : S-1-5-21-3881460461-1879668979-35955009-6270
Surname           : GREEN
UserPrincipalName : dgreen@manticore.org

All of these alternatives will work

Get-ADUser -LdapFilter ‘(name=GREEN Dave)’
Get-QADUser -LdapFilter ‘(name=GREEN Dave)’
Get-QADUser -LdapFilter ‘(name=green dave)’
Get-ADUser -LdapFilter ‘(name=green dave)’

As an additional bonus with the Microsoft cmdlets you can write the filter using PowerShell syntax

Get-ADUser -Filter {name -eq ‘green dave’}

if you want to unambiguously resolve a name in an AD search – use an LDAP filter

About these ads
This entry was posted in PowerShell and Active Directory. Bookmark the permalink.

One Response to Active Directory & testing for user’s existence

  1. cavallogolooso says:

    Reblogged this on Depresso Gioioso.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s