Powershell Scripting Question

coolrunnings82

Active Member
Mar 26, 2012
I've been dabbling with PowerShell to try to get a handle on it recently. I've done some Perl scripting in the past, but that was over 10 years ago, so my scripting skills have waned! I've been working on a project with practical implications for a job I'm doing since that tends to help things stick better. This project is to write a PowerShell script that can add users from a CSV file to Active Directory and add them to the correct security group.

I'm running into an issue where users with hyphenated last names cause the script to fail. My assumption is that this is because PowerShell is interpreting the hyphen as a switch. My script is as follows:

Code:
# Create each user listed in the CSV, set an initial password, enable the account and add it to its group
Import-Csv .\userlist.csv | ForEach-Object {
    $userPrincipalName = $_.SamAccountName + "@test.MYDOMAINNAME.net"
    New-ADUser -SamAccountName $_.SamAccountName -UserPrincipalName $userPrincipalName -Name $_.name -DisplayName $_.name -GivenName $_.cn -Surname $_.sn -Title $_.Title -Department $_.Department -Path $_.path
    # Set the initial password from the CSV and force a change at first logon
    Set-ADAccountPassword -Identity $_.SamAccountName -NewPassword (ConvertTo-SecureString -AsPlainText $_.Password -Force) -Reset
    Enable-ADAccount -Identity $_.SamAccountName
    Set-ADUser -Identity $_.SamAccountName -ChangePasswordAtLogon $true
    Add-ADGroupMember -Identity $_.GroupName -Members $_.SamAccountName
}
Any help finding a way to get PowerShell to allow me to use users with hyphenated last names would be very much appreciated.
 

coolrunnings82

Active Member
Mar 26, 2012
I just found a partial answer to this question that makes my original issue a moot point! Turns out that pre-2000 there was a 20 character limit to account names and these folks with the hyphenated last names would have a 23+ character username with my current scheme! Now I've gotta come up with a naming scheme that is easy to remember for the users and turns out shorter usernames. I wanted to use first initial + last name but several users have the same last name and first initial. This is already what they're using for email addresses. What would you guys do? Make an exception for the users that have the same name as another user or come up with a different guarantee-to-be-unique username?
 

HotFix

Member
May 20, 2015
Every environment I have worked in has different name generation rules. I helped write AD standards at the last job I had (before my current one), and we came up with a pretty complex formula of starting with first initial and then last name, but if there was a conflict with an existing user account they would then add another letter from the first name. So John Doe would be jdoe the first attempt, then jodoe the second attempt, etc. If the name became longer than 20 characters by the time it became unique, they would start truncating characters from the right. So if there were two johndoe accounts, the next one would be johndo.

A lot of places will just use jdoe for the first user then jdoe2 for the second, and so on. I think this one is easier IMHO.

Since usernames in an AD domain have to be unique, and really should be across the forest IMHO to facilitate domain moves w/o users needing to change usernames, you should come up with a formula that works long term.

That shouldn't be too hard to concoct and then verify against AD, i.e. generate jdoe and then do a Get-ADUser "jdoe". If it returns false, then create the user; otherwise, go back into a loop to make a change to the username according to whatever rules you have and then try it again. If you get the formula you want to use down but get stuck on the code, let me know.
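
One way to script the generate-check-retry loop described in the post above, using the simpler jdoe, jdoe2 scheme and the 20-character limit mentioned earlier in the thread. This is an added example, not code from any poster; the function name, its parameters and the sample names are hypothetical. It queries with Get-ADUser -Filter, which returns nothing when there is no match.

```powershell
# Added example, not from the thread. All names here are hypothetical.
function New-UniqueSamAccountName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        # Returns $true when the name is already taken. The default asks AD;
        # pass your own script block to test without a domain.
        [scriptblock]$Exists = {
            param($Name)
            [bool](Get-ADUser -Filter "SamAccountName -eq '$Name'")
        },
        [int]$MaxLength = 20,
        [int]$MaxAttempts = 99
    )

    # Keep only letters, digits and hyphens, so nothing read from the CSV
    # (a quote, for instance) can break out of the quoted -Filter string.
    $first = $GivenName.ToLowerInvariant() -replace '[^a-z0-9-]', ''
    $last  = $Surname.ToLowerInvariant()  -replace '[^a-z0-9-]', ''
    if (-not $first -or -not $last) {
        throw "Name has no usable characters: '$GivenName' '$Surname'"
    }
    $base = $first.Substring(0, 1) + $last

    for ($n = 1; $n -le $MaxAttempts; $n++) {
        # First try has no suffix; later tries append 2, 3, ...
        $suffix = if ($n -eq 1) { '' } else { "$n" }
        # Truncate the base from the right so base + suffix fits the limit.
        $room = $MaxLength - $suffix.Length
        $candidate = $base.Substring(0, [Math]::Min($base.Length, $room)) + $suffix
        if (-not (& $Exists $candidate)) { return $candidate }
    }
    throw "No free account name for '$GivenName $Surname' after $MaxAttempts attempts"
}

# Offline check with constructed data: a hashtable stands in for the directory.
$taken  = @{ 'jdoe' = $true; 'jdoe2' = $true }
$lookup = { param($Name) $taken.ContainsKey($Name) }
New-UniqueSamAccountName -GivenName 'John' -Surname 'Doe' -Exists $lookup
New-UniqueSamAccountName -GivenName 'Anne-Marie' -Surname 'Featherstonehaugh-Cholmondeley' -Exists $lookup
```

In the import script, the returned name would replace the SamAccountName column read from the CSV; a failure to find a free name surfaces as a terminating error that the caller can catch and report.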
 

smithse79

Active Member
Sep 17, 2014
What would you guys do? Make an exception for the users that have the same name as another user or come up with a different guarantee-to-be-unique username?
This is what I do: throw an exception and have it email me saying that there was an error. It works well for me since I'm in a small environment and this only happens once in a blue moon. I then just create the user manually.