User naming conventions

It is a very good idea to have a naming convention for user names in your AD. It is an even better idea to enforce that convention by automating user creation. There are many possible conventions:

  • Firstname Lastname
  • Lastname Firstname
  • LASTNAME Firstname

and so on.  I tend to use LASTNAME Firstname if I can.

One convention to avoid if at all possible is putting a comma in the name, as in Lastname,Firstname.

It looks OK in AD Users and Computers but it is a pain when scripting.

Consider this code:

# Unescaped comma in the name: this is the problem case
$name = "Lastname,Firstname"
$ou = "OU=Blogtests,DC=Manticore,DC=org"

$dn = "cn=$name,$ou"

# Four ways of fetching the same object by DN
"`nMicrosoft"
Get-ADUser -Identity $dn |
Format-Table Name, DistinguishedName

"`nAD provider"
Get-ChildItem -Path AD:\$dn |
Format-Table Name, DistinguishedName

"`nQuest"
Get-QADUser -Identity $dn -SizeLimit 3000 |
Format-Table Name, DN

"`nScript"
[adsi]"LDAP://$dn" |
Format-Table Name, DistinguishedName

On the face of it these should work. The problem is that none of them will. That’s right, NONE.

You will get errors like:

Cannot find an object with identity: 'cn=Lastname,Firstname,OU=BlogTests,DC=Manticore,DC=org' under: 'DC=Manticore,DC=org'.

Cannot find path '//RootDSE/cn=Lastname,Firstname,OU=BlogTests,DC=Manticore,DC=org' because it does not exist.

The following exception occurred while retrieving member "Name": "An invalid dn syntax has been specified.

Why is this happening?

The clue is in the distinguished name we’ve created:

cn=Lastname,Firstname,OU=England,DC=Manticore,DC=org

Distinguished names are of the form

x=A,y=B,z=C

where x, y, z are CN, OU or DC and A, B, C are names, OUs or parts of the domain name.

We have introduced another comma, but it doesn’t fit the pattern.

Two options:

  • BEST – don’t use commas.
  • If you have to use commas, you have to escape them in the distinguished name so that AD, LDAP and ADSI remain happy.

You need to use the backslash character “\” like this:

# Comma escaped with a backslash so it is no longer read as an RDN separator
$name = "Lastname\,Firstname"
$ou = "OU=Blogtests,DC=Manticore,DC=org"

$dn = "cn=$name,$ou"

# The same four lookups as before, now all succeed
"`nMicrosoft"
Get-ADUser -Identity $dn |
Format-Table Name, DistinguishedName

"`nAD provider"
Get-ChildItem -Path AD:\$dn |
Format-Table Name, DistinguishedName

"`nQuest"
Get-QADUser -Identity $dn -SizeLimit 3000 |
Format-Table Name, DN

"`nScript"
[adsi]"LDAP://$dn" |
Format-Table Name, DistinguishedName


Easy but a pain to remember. Best not to use commas.
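As an added example (not code from the original post), the escaping rule goes beyond the comma: RFC 4514 treats several characters as special inside an RDN value, so a helper that escapes all of them when building the DN removes the need to remember. The function names, sample names and the sanity check below are mine; the OU is the one used in the post.

```powershell
# Added example, not the original post's code: escape an RDN attribute value
# per RFC 4514 and build a user DN from it. Builds strings only, no AD access.
function ConvertTo-EscapedRdnValue {
    param([Parameter(Mandatory)][string]$Value)

    # Characters that must be escaped wherever they appear in the value
    $special = [char[]]@(',', '+', '"', '\', '<', '>', ';')
    $sb = [System.Text.StringBuilder]::new()
    for ($i = 0; $i -lt $Value.Length; $i++) {
        $c = $Value[$i]
        if ($special -contains $c) { [void]$sb.Append('\') }
        [void]$sb.Append($c)
    }
    $out = $sb.ToString()
    # A leading '#' or space and a trailing space also need escaping
    if ($out.Length -gt 0 -and ($out[0] -eq '#' -or $out[0] -eq ' ')) { $out = '\' + $out }
    if ($out.Length -gt 1 -and $out[-1] -eq ' ') { $out = $out.Substring(0, $out.Length - 1) + '\ ' }
    return $out
}

function New-UserDn {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Ou   # e.g. "OU=Blogtests,DC=Manticore,DC=org"
    )
    "CN=$(ConvertTo-EscapedRdnValue -Value $Name),$Ou"
}

# Sample names constructed for this example, including the post's problem case
$ou = "OU=Blogtests,DC=Manticore,DC=org"
foreach ($name in @('Lastname,Firstname', 'LASTNAME Firstname', 'Smith+Jones, Jr.', ' #Lead')) {
    $dn = New-UserDn -Name $name -Ou $ou
    # Sanity check: count RDN separators (commas not preceded by a backslash).
    # A correctly escaped DN here always has four RDNs: CN, OU, DC, DC.
    $rdnCount = ([regex]::Matches($dn, '(?<!\\),')).Count + 1
    "{0,-22} -> {1}  (RDNs: {2})" -f $name, $dn, $rdnCount
}
```

Feed the resulting $dn to Get-ADUser -Identity, the AD: provider or [adsi] exactly as in the post's second listing; the RDN count check catches any name whose escaping was missed before the lookup fails.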
