Active Directory & testing for user’s existence

When you are creating a new user you may want to test whether a particular name is already in use. The Quest AD cmdlets provide great functionality, but one area of confusion is searching for a user by name:

PS> Get-QADUser -Identity "GREEN Dave" | ft -a

Name        Type DN
----        ---- --
GREEN Dave  user CN=GREEN Dave,CN=Users,DC=Manticore,DC=org
GREEN Dave2 user CN=GREEN Dave2,CN=Users,DC=Manticore,DC=org

But I didn’t ask for the second user. The problem is that the Quest cmdlets use ANR (ambiguous name resolution) when searching. This is equivalent to using "GREEN Dave*" in your search; in other words, the cmdlets assume you are appending a wildcard.

The way round it is to use an LDAP filter:

PS> Get-QADUser -LdapFilter '(cn=GREEN Dave)' | ft -a

Name       Type DN
----       ---- --
GREEN Dave user CN=GREEN Dave,CN=Users,DC=Manticore,DC=org

LDAP filters are also available with the Microsoft cmdlets (with the MS cmdlets you can’t search by name through the Identity parameter):

PS> Get-ADUser -LdapFilter '(cn=GREEN Dave)'


DistinguishedName : CN=GREEN Dave,CN=Users,DC=Manticore,DC=org
Enabled           : True
GivenName         : Dave
Name              : GREEN Dave
ObjectClass       : user
ObjectGUID        : 28f0c168-d142-417f-a223-333488cdaa77
SamAccountName    : dgreen
SID               : S-1-5-21-3881460461-1879668979-35955009-6270
Surname           : GREEN
UserPrincipalName : dgreen@manticore.org

All of these alternatives will work:

Get-ADUser -LdapFilter '(name=GREEN Dave)'
Get-QADUser -LdapFilter '(name=GREEN Dave)'
Get-QADUser -LdapFilter '(name=green dave)'
Get-ADUser -LdapFilter '(name=green dave)'

As an additional bonus, with the Microsoft cmdlets you can write the filter using PowerShell syntax:

Get-ADUser -Filter {name -eq 'green dave'}

If you want to unambiguously resolve a name in an AD search, use an LDAP filter.
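Putting the above together as a reusable check, here is an added example (not code from the original post). It assumes the Microsoft ActiveDirectory module is loaded and the session can reach the domain; the function names are mine. It goes one step beyond the post by escaping the name per RFC 4515 before it is placed in the filter, because a name containing "*", "(", ")" or "\" would otherwise either reintroduce the wildcard behaviour the LDAP filter was meant to avoid or break the filter altogether.

```powershell
# Added example; not part of the original post.
# Assumes the Microsoft ActiveDirectory module (Get-ADUser) is available.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape a value for use inside an LDAP filter (RFC 4515).
    # Backslash is replaced first so the escapes added afterwards
    # are not re-escaped.
    param([Parameter(Mandatory)][string]$Value)
    return ($Value -replace '\\', '\5c' `
                   -replace '\*', '\2a' `
                   -replace '\(', '\28' `
                   -replace '\)', '\29' `
                   -replace "`0", '\00')
}

function Test-ADUserNameInUse {
    # Returns $true if a user with exactly this CN exists: no ANR and no
    # implicit trailing wildcard. As the post shows, the match is
    # case-insensitive, so 'green dave' still finds 'GREEN Dave'.
    param([Parameter(Mandatory)][string]$Name)
    $escaped = ConvertTo-LdapFilterValue -Value $Name
    $hits = @(Get-ADUser -LdapFilter "(cn=$escaped)" -ErrorAction Stop)
    return ($hits.Count -gt 0)
}

# Constructed usage against the post's sample directory:
Test-ADUserNameInUse -Name 'GREEN Dave'    # $true: only CN=GREEN Dave matches
Test-ADUserNameInUse -Name 'GREEN Dave*'   # searches for a literal '*', so
                                           # 'GREEN Dave2' is not matched
```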