User naming conventions

It is a very good idea to have a naming convention for user names in your AD. It is an even better idea to enforce that convention by automating user creation. There are many possible conventions:

  • Firstname Lastname
  • Lastname Firstname
  • LASTNAME Firstname

and so on. I tend to use LASTNAME Firstname if I can.

One convention to avoid if at all possible is putting a comma in the name – Lastname,Firstname.

It looks OK in AD Users and Computers but it is a pain when scripting.

Consider this code:

$name = "Lastname,Firstname"
$ou = "OU=Blogtests,DC=Manticore,DC=org"

# Build the distinguished name by simple string interpolation
$dn = "cn=$name,$ou"

# Microsoft Active Directory module
"`nMicrosoft"
Get-ADUser -Identity $dn |
Format-Table Name, DistinguishedName

# AD: drive provided by the Active Directory module
"`nAD provider"
Get-ChildItem -Path AD:\$dn |
Format-Table Name, DistinguishedName

# Quest ActiveRoles cmdlets
"`nQuest"
Get-QADUser -Identity $dn -SizeLimit 3000 |
Format-Table Name, DN

# Plain ADSI
"`nScript"
[adsi]"LDAP://$dn" |
Format-Table Name, DistinguishedName

On the face of it these should all work. The problem is that none of them will. That’s right, NONE.

You will get errors like:

Cannot find an object with identity: ‘cn=Lastname,Firstname,OU=BlogTests,DC=Manticore,DC=org’ under: ‘DC=Manticore,DC=org’.

Cannot find path ‘//RootDSE/cn=Lastname,Firstname,OU=BlogTests,DC=Manticore,DC=org’ because it does not exist.

The following exception occurred while retrieving member “Name”: “An invalid dn syntax has been specified.”

Why is this happening?

The clue is in the distinguished name we’ve created:

cn=Lastname,Firstname,OU=England,DC=Manticore,DC=org

Distinguished names are of the form

x=A,y=B,z=C

where x, y, z are attribute types such as CN, OU or DC, A, B, C are their values (names, OUs or parts of the domain name), and the comma is the separator between components.

By putting a comma inside the name we have introduced another comma that doesn’t fit the pattern: the parser treats it as a separator, sees “Firstname” as a component with no “=” in it, and rejects the whole DN.

Two options:

BEST – don’t use commas.

If you have to use commas, you have to escape them in the distinguished name so that AD, LDAP and ADSI remain happy. You need to use the backslash character “\” like this:

$name = "Lastname\,Firstname"
$ou = "OU=Blogtests,DC=Manticore,DC=org"

# The escaped comma is now part of the CN value, not a separator
$dn = "cn=$name,$ou"

# Microsoft Active Directory module
"`nMicrosoft"
Get-ADUser -Identity $dn |
Format-Table Name, DistinguishedName

# AD: drive provided by the Active Directory module
"`nAD provider"
Get-ChildItem -Path AD:\$dn |
Format-Table Name, DistinguishedName

# Quest ActiveRoles cmdlets
"`nQuest"
Get-QADUser -Identity $dn -SizeLimit 3000 |
Format-Table Name, DN

# Plain ADSI
"`nScript"
[adsi]"LDAP://$dn" |
Format-Table Name, DistinguishedName

Easy but a pain to remember. Best not to use commas.
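The comma is only one of the characters that must be escaped in an RDN value (RFC 4514 also lists +, ", \, <, >, ;, a leading # or space and a trailing space). As an added example that is not from the original post, here is a general escaping routine that handles all of them; the function names and the sample values are my own.

```powershell
# Added example (not from the original post): escape an RDN value per RFC 4514
# before building a distinguished name. Names and OU are constructed sample values.
function ConvertTo-EscapedRdnValue {
    param([Parameter(Mandatory)][string]$Value)

    # Backslash must be escaped first so the escapes added below are not doubled.
    $escaped = $Value.Replace('\', '\\')

    # Characters that act as separators or have special meaning inside an RDN value.
    foreach ($ch in @(',', '+', '"', '<', '>', ';')) {
        $escaped = $escaped.Replace($ch, "\$ch")
    }

    # A leading '#' or space, and a trailing space, also need escaping.
    if ($escaped -match '^[# ]') { $escaped = '\' + $escaped }
    if ($escaped -match ' $')    { $escaped = $escaped.Substring(0, $escaped.Length - 1) + '\ ' }

    return $escaped
}

function New-UserDn {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ParentDn
    )
    # Escape the value only; the parent DN is already a well-formed DN.
    return "CN=$(ConvertTo-EscapedRdnValue $Name),$ParentDn"
}

$ou = 'OU=Blogtests,DC=Manticore,DC=org'

# The naive DN from the post: the comma in the name is read as an RDN separator.
$bad  = "CN=Lastname,Firstname,$ou"
# The escaped DN: the comma is now part of the CN value.
$good = New-UserDn -Name 'Lastname,Firstname' -ParentDn $ou

"Naive:   $bad"
"Escaped: $good"

# Structural check: count unescaped commas. CN + one OU + two DCs should give 3.
$naiveSeparators   = ([regex]::Matches($bad,  '(?<!\\),')).Count   # 4 -> malformed
$escapedSeparators = ([regex]::Matches($good, '(?<!\\),')).Count   # 3 -> as expected
"Unescaped separators: naive=$naiveSeparators escaped=$escapedSeparators"
```

Running a name through ConvertTo-EscapedRdnValue before interpolating it into a DN also means a value that was not under your control (a name from an HR feed, say) cannot change the structure of the DN you build.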

This entry was posted in PowerShell and Active Directory.