
User naming conventions

It is a very good idea to have a naming convention for user names in your AD. It is an even better idea to enforce that convention by automating user creation. There are many possible conventions:

  • Firstname Lastname
  • Lastname Firstname
  • LASTNAME Firstname

and so on.  I tend to use LASTNAME Firstname if I can.

One convention to avoid if at all possible is putting a comma in the name, e.g. Lastname,Firstname

It looks OK in AD Users and Computers, but it is a pain when scripting because the comma is also the separator in an LDAP distinguished name.

Consider this code, which builds a distinguished name from the user's name and the OU and then looks the user up four different ways:

$name = "Lastname,Firstname"
$ou = "OU=Blogtests,DC=Manticore,DC=org"

$dn = "cn=$name,$ou"

"`nMicrosoft"
Get-ADUser -Identity $dn |
Format-Table Name, DistinguishedName

"`nAD provider"
Get-ChildItem -Path AD:\$dn |
Format-Table Name, DistinguishedName

"`nQuest"
Get-QADUser -Identity $dn -SizeLimit 3000 |
Format-Table Name, DN

"`nScript"
[adsi]"LDAP://$dn" |
Format-Table Name, DistinguishedName

On the face of it these should work. The problem is that none of them will. That's right, NONE.

You will get errors like:

Cannot find an object with identity: 'cn=Lastname,Firstname,OU=BlogTests,DC=Manticore,DC=org' under: 'DC=Manticore,DC=org'.

Cannot find path '//RootDSE/cn=Lastname,Firstname,OU=BlogTests,DC=Manticore,DC=org' because it does not exist.

The following exception occurred while retrieving member "Name": "An invalid dn syntax has been specified."

Why is this happening?

The clue is in the distinguished name we've created:

cn=Lastname,Firstname,OU=Blogtests,DC=Manticore,DC=org

Distinguished names are of the form

x=A,y=B,z=C

where x, y and z are attribute types (CN, OU or DC) and A, B and C are the values: the object's name, an OU name or one component of the domain name. The comma is the separator between those components, not part of a value.

The comma inside the name is read as another separator, so the DN parser sees a component "Firstname" with no "=" in it. Depending on the tool you get either "invalid dn syntax" or a DN that simply does not match any object. The cn attribute stored on the user still holds the comma, which is why AD Users and Computers shows the name correctly; it is only the DN string we built that is wrong.

Two options:

BEST – don't use commas

If you have to use commas, you have to escape them in the distinguished name so that AD, LDAP and ADSI remain happy. The same rule applies to the other characters LDAP treats as special in a DN value (plus, double quote, backslash, less than, greater than, semicolon, a leading hash and a leading or trailing space). It also matters if the name came from somewhere you don't control, such as a self-service form or a CSV import: without escaping, a value containing a comma changes the structure of the DN your script acts on, in the same way an unescaped quote changes an SQL statement.

Note that the DistinguishedName attribute AD returns for an object already contains the escaped form, so if you take the DN from AD rather than building it yourself you do not need to escape anything.

You need to use the back slash character "\" in front of the comma, like this

# Same script as above; only the comma in $name has been escaped
$name = "Lastname\,Firstname"
$ou = "OU=Blogtests,DC=Manticore,DC=org"

$dn = "cn=$name,$ou"

"`nMicrosoft"
Get-ADUser -Identity $dn |
Format-Table Name, DistinguishedName

"`nAD provider"
Get-ChildItem -Path AD:\$dn |
Format-Table Name, DistinguishedName

"`nQuest"
Get-QADUser -Identity $dn -SizeLimit 3000 |
Format-Table Name, DN

"`nScript"
[adsi]"LDAP://$dn" |
Format-Table Name, DistinguishedName

Easy, but a pain to remember. Best not to use commas.
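If your scripts have to cope with names you don't control, hand-escaping one comma is not enough. Below is an added example (not part of the original post) of a small PowerShell routine that escapes an RDN value according to the LDAP DN rules in RFC 4514, builds the DN with it, and then shows the safer alternative of letting AD hand you the DN. The function names ConvertTo-LdapRdnValue and New-UserDistinguishedName and the sample names are my own; only the final block needs the ActiveDirectory module and a reachable domain.

```powershell
# Added example: escape an RDN value per RFC 4514 and build a DN from it.
# ConvertTo-LdapRdnValue, New-UserDistinguishedName and the sample names are
# constructed for this post; they are not part of the original script.

function ConvertTo-LdapRdnValue {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string]$Value
    )

    # RFC 4514 section 2.4: these characters must be escaped wherever they appear.
    $special = @(',', '+', '"', '\', '<', '>', ';')
    $sb = New-Object System.Text.StringBuilder

    for ($i = 0; $i -lt $Value.Length; $i++) {
        $c = [string]$Value[$i]
        $isSpecial   = $special -contains $c
        # A '#' only needs escaping at the start of the value.
        $leadingHash = ($c -eq '#') -and ($i -eq 0)
        # A space only needs escaping at the start or end of the value.
        $edgeSpace   = ($c -eq ' ') -and ($i -eq 0 -or $i -eq ($Value.Length - 1))
        if ($isSpecial -or $leadingHash -or $edgeSpace) { [void]$sb.Append('\') }
        [void]$sb.Append($c)
    }
    return $sb.ToString()
}

function New-UserDistinguishedName {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ParentDn
    )
    # Only the RDN value is escaped; $ParentDn is assumed to be a well-formed DN already.
    return "CN=$(ConvertTo-LdapRdnValue -Value $Name),$ParentDn"
}

$ou = "OU=Blogtests,DC=Manticore,DC=org"

# Constructed sample names covering the characters that break an unescaped DN.
# The last one shows why escaping matters for untrusted input: escaped, it stays
# a single RDN instead of turning into an extra OU component.
$samples = 'Lastname,Firstname',
           'Smith+Jones',
           '#Lastname Firstname',
           'Lastname Firstname ',
           'Lastname,OU=Admins'
foreach ($name in $samples) {
    New-UserDistinguishedName -Name $name -ParentDn $ou
}

# The lookup itself needs the ActiveDirectory module and a reachable domain.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $dn = New-UserDistinguishedName -Name 'Lastname,Firstname' -ParentDn $ou
    Get-ADUser -Identity $dn | Format-Table Name, DistinguishedName

    # Safer still: don't build the DN at all. Search by the raw name under the OU
    # and reuse the DistinguishedName AD returns, which already carries the escaping.
    $user = Get-ADUser -Filter "Name -eq 'Lastname,Firstname'" -SearchBase $ou
    $user.DistinguishedName
}
```

The escaping here is the DN rule only. LDAP search filters use a different scheme (RFC 4515, where the backslash itself must be written as \5c), so do not feed a value escaped by ConvertTo-LdapRdnValue into an -LDAPFilter string; the -Filter form above takes the plain name and is the simplest way to avoid mixing the two.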
