Not the comma!

There is a habit among some AD administrators of creating their users so that the name is "surname, firstname" (note the comma between the two names). As an example, the name would be

Brown, Bill

instead of

Bill Brown

If you’re just using the GUI tools it doesn’t matter too much and has the arguable advantage of ordering the users by surname. But when it comes to scripting against AD this practice is a complete pain.

Compare these two distinguished names:

CN=Brown, Bill,OU=Testing,DC=Manticore,DC=org

CN=Dave Green,OU=Testing,DC=Manticore,DC=org

Notice the extra comma in the first one. That defeats any naive split of the distinguished name on commas, which are the element separators in distinguished names.

You have to escape the comma in the name with a backslash (\).

The GUI tools (at least in Windows server 2012 R2) do this for you so the distinguished name looks like this:

CN=Brown\, Bill,OU=Testing,DC=Manticore,DC=org

If you want to get a user by distinguished name this will work:

Get-ADUser -Identity 'CN=Dave Green,OU=Testing,DC=Manticore,DC=org'

This won’t:

Get-ADUser -Identity 'CN=Brown, Bill,OU=Testing,DC=Manticore,DC=org'

You have to use the escaped version:

Get-ADUser -Identity 'CN=Brown\, Bill,OU=Testing,DC=Manticore,DC=org'

In my last post I showed how to extract the user’s OU from the distinguished name:

Get-ADUser -Filter * -Properties DisplayName |
select Name, DisplayName, UserPrincipalName, @{N = 'Organisational Unit';
E = {($_.DistinguishedName -split ',', 2)[1]}}

That code breaks down if you have a comma in the name: with the escaped DN above, the split on the first comma gives you

 Bill,OU=Testing,DC=Manticore,DC=org

for the OU instead of

OU=Testing,DC=Manticore,DC=org
It’s probably possible to do some regex voodoo to deal with this, but as the Universe doesn’t have enough life left in it for me to figure this out, I’ll resort to a brute force approach:

Get-ADUser -Filter * -Properties DisplayName |
foreach {
  # First split: everything after the first comma
  $ouf = ($_.DistinguishedName -split ',', 2)[1]
  # If that doesn't start with OU= or CN=, the first comma was inside the name, so split again
  if (-not ($ouf.StartsWith('OU') -or $ouf.StartsWith('CN'))) {
    $ou = ($ouf -split ',', 2)[1]
  }
  else {
    $ou = $ouf
  }
  $psitem | select Name, DisplayName, UserPrincipalName, @{N = 'Organizational Unit'; E = {$ou}}
}

Do the initial split as previously, but then test the result to see if it starts with CN= or OU=. If it doesn’t, split again.

It’s not elegant but it works.
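The brute-force loop relies on a second split and on the container RDN starting with OU= or CN=. A more robust alternative is to walk the DN character by character and treat a backslash as an escape, which is how LDAP distinguished name syntax (RFC 4514) marks a literal comma (and also +, ", \, <, >, ; and a leading # or space) inside a value. The following is an added example written for this post, not the author’s code: the function names Split-DistinguishedName, Get-ParentContainer and Get-ParentContainerRegex are my own, and the sample DNs are constructed (the first two mirror the post’s examples, the third is made up to show two escaped commas). It also shows an escape-aware regex that gives the same answer as the parser.

```powershell
# Added example (not from the original post): split a distinguished name into its
# RDNs while honouring backslash escapes, as LDAP DN syntax (RFC 4514) requires,
# so an escaped comma inside a CN is not treated as a separator.
function Split-DistinguishedName {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $parts   = New-Object 'System.Collections.Generic.List[string]'
    $current = New-Object System.Text.StringBuilder
    $escaped = $false

    foreach ($ch in $DistinguishedName.ToCharArray()) {
        if ($escaped) {
            [void]$current.Append($ch)      # character after a backslash is literal
            $escaped = $false
        }
        elseif ($ch -eq '\') {
            [void]$current.Append($ch)      # keep the escape so each RDN stays a valid DN fragment
            $escaped = $true
        }
        elseif ($ch -eq ',') {
            $parts.Add($current.ToString()) # unescaped comma: RDN boundary
            [void]$current.Clear()
        }
        else {
            [void]$current.Append($ch)
        }
    }
    $parts.Add($current.ToString())
    return ,$parts.ToArray()
}

# Container (OU or CN path) of an object: every RDN after the leaf one.
function Get-ParentContainer {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $rdns = Split-DistinguishedName -DistinguishedName $DistinguishedName
    return (($rdns | Select-Object -Skip 1) -join ',')
}

# Same result with an escape-aware regex: strip the leading RDN, where an RDN is
# any run of "not comma, not backslash" or "backslash + any character", then its comma.
function Get-ParentContainerRegex {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    return ($DistinguishedName -replace '^(?:[^,\\]|\\.)+,', '')
}

# Constructed sample DNs (not real directory data); the first two mirror the post.
$samples = @(
    'CN=Dave Green,OU=Testing,DC=Manticore,DC=org'
    'CN=Brown\, Bill,OU=Testing,DC=Manticore,DC=org'
    'CN=Smith\, Ann,OU=Sales\, EMEA,OU=Testing,DC=Manticore,DC=org'
)

foreach ($dn in $samples) {
    $byParser = Get-ParentContainer -DistinguishedName $dn
    [pscustomobject]@{
        Leaf      = (Split-DistinguishedName -DistinguishedName $dn)[0]
        Container = $byParser
        RegexOK   = ($byParser -eq (Get-ParentContainerRegex -DistinguishedName $dn))
    }
}

# Against a live domain, the helper slots into the post's pipeline unchanged:
# Get-ADUser -Filter * -Properties DisplayName |
#   Select-Object Name, DisplayName, UserPrincipalName,
#       @{N = 'Organizational Unit'; E = { Get-ParentContainer $_.DistinguishedName }}
```

Run as a script, it prints one row per sample DN: for the second one the leaf is CN=Brown\, Bill and the container is OU=Testing,DC=Manticore,DC=org, and RegexOK is True for all three. The parser keeps the backslash in each RDN on purpose, so the pieces can be re-joined into a DN that Get-ADUser -Identity accepts; strip the escapes only when you want the display value.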

It’s a lot easier if you don’t use the comma in the first place.

This entry was posted in PowerShell and Active Directory.

5 Responses to Not the comma!

  1. You’re right. It’s not elegant. It’s also very likely to be buggy. You should really use a regex.

    This is hardly Voodoo…

    If ($DistinguishedName -match ',\s*(OU=.*)') {$Matches[1]}

    You can leave out the '\s*' if you know there are no spaces between the comma and the 'OU=':

    If ($DistinguishedName -match ',(OU=.*)') {$Matches[1]}

    • You could also use a regex to strip off the name, leaving the OU path. I’ll agree that the regex in this case is slightly more obtuse, but it’s still not difficult to understand:

      $DistinguishedName -replace '^CN=[^,]+,(?=OU=)'

      ^CN= … match 'CN=' at the start of the line
      [^,] … match any single character that isn't a comma
      + … 1 or more times
      , … match a comma
      (?= … stop matching, but look ahead in the remaining string
      OU= … for 'OU='
      ) … end of look-ahead

      Try RegexBuddy, or any number of online resources.
      And I really recommend Jeffrey Friedl, “Mastering Regular Expressions”, O’Reilly, Second Edition. ISBN: 978-0-596-52812-6

      • $DistinguishedName -replace '^CN=[^,]+,(?=OU=)'

        is slightly more obtuse?

        I don’t find digging into the arcane mess that is regex to be a worthwhile activity when I can achieve what I need with simple string manipulations. Also I’m not going to understand what the regex is doing when I come back to it in 6 months but I will understand the string manipulations.

    • Don’t see how you can claim it’s going to be buggy. It’s just standard string manipulation.

  2. Endacott says:

    FYI, after SO much messing about, I found this worked for me…

    (Get-AdUser USER).distinguishedName.Split(',',3)[2]
    OU=Operations,OU=Desktop Users,OU=AnotherOU,DC=domain,DC=com
