Active Directory: How do you solve a problem like Maria? Or John Smith?

The larger your organisation gets so do the number of users within your Active Directory and consequently the chances of employing people with the same name. Unless you have good naming policies from the start you may well end up with an untidy directory and if you are using Exchange an address book where it is hard to distinguish between people with the same Display Name.

The below script will generate you a report listing all users whose Display Name matches that of somebody else and for instance what a new Display Name would look like if you added their department field in brackets after their name – of course you could use another field entirely to distinguish them.

Note: that it is using the Quest AD cmdlets.

Add-PSSnapin -Name Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

$users = Get-QADUser -DontUseDefaultIncludedProperties -SizeLimit 0 -LdapFilter '(mail=*)' | Group-Object displayname | Where-Object {$_.count -gt 1}
$myCol = @()

foreach ($user in $users){

    foreach ($duplicateuser in $user.group){

    $NewDisplayName = $duplicateuser.DisplayName + " (" + $duplicateuser.Department + ")"

    $MYInfo = “” | Select-Object UserID,CurrentDisplayName,newDisplayName,Department
    $MYInfo.UserID = $duplicateuser.Name
    $MYInfo.CurrentDisplayName = $duplicateuser.DisplayName
    $MYInfo.NewDisplayName = $NewDisplayName
    $MYInfo.Department = $duplicateuser.Department
    $myCol += $MYInfo
   }
}

$myCol | Export-Csv C:\Scripts\Report.csv -NoTypeInformation

After reviewing the report and deciding to fix everyone on the list you could do it with the very similar code below:

Add-PSSnapin -Name Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

$users = Get-QADUser -DontUseDefaultIncludedProperties -SizeLimit 0 -LdapFilter '(mail=*)' | Group-Object displayname | Where-Object {$_.count -gt 1}

foreach ($user in $users){

    foreach ($duplicateuser in $user.group){

    $NewDisplayName = $duplicateuser.DisplayName + " (" + $duplicateuser.Department + ")"
    Set-QADUser $duplicateuser -DisplayName $NewDisplayName

   }
}

Of course you might be in a scenario where some people already have brackets after their name and you wish to create a report of those. The below one liner will give you those results.

Get-QADUser -ldapfilter '(&(displayname=*(*)*)(mail=*))' -DontUseDefaultIncludedProperties | Select-Object name,displayname,department | Export-Csv C:\Scripts\Report.csv -NoTypeInformation

UK PowerShell User Group Events in Jan and Feb 2010

The first two sessions of the UK PowerShell User Group for 2010 will be online sessions.

The first event will take place on Tuesday 26th Jan 2010 7.30pm GMT. We will be looking at the Windows 2008 R2 cmdlets and provider for Active Directory.

Sign up details are available on Richard Siddaway’s blog.

The second event will take place on Tuesday 9th Feb 2010 7.30pm GMT. We will be looking at WMI and WQL.

Details again on Richard Siddaway’s blog.

“cd AD:” = wow!

So I had a new article published over at Simple-Talk, Active Directory Management with PowerShell in Windows Server 2008 R2, looking at how you can use the new AD cmdlets and provider to manage Active Directory.

Mr Anonymous (it wasn’t me) has already posted a very nice comment which sums up part of the new management experience;

“cd AD:” = wow!

(OK I know you could do this already with the PowerShell community extensions, so it might not be wow for everybody)

Active Directory PowerShell Quick Reference Guide

I regularly recommend and often refer to this document my good friend Alan Renouf put together Quick Reference Guide for PowerCLI. It is really handy guide to pin up by your desk when you need to remind yourself of a cmdlet and maybe one of the most common usages for it.

I’ve been spending a lot of time recently checking out the PowerShell cmdlets for Active Directory in Windows Server 2008 R2 and they have also recently been made available for downlevel versions of Windows Server. I figured it would be handy to have a similar type Quick Reference Guide for these Active Directory cmdlets so I put  the AD PowerShell Quick Reference Guide together.

Hope you find it useful.

New Simple-Talk.com Article: The Active Directory Recycle Bin in Windows Server 2008 R2

Back in March this year I saw a presentation by James O’Neill and Richard Siddaway about some of the new PowerShell features in Windows Server 2008 R2, in particular Active Directory. I was fascinated by the new ‘Recycle Bin’ feature, which is enabled via PowerShell, and could instantly see that this would be a great and long overdue new feature. I am not alone in this; when Mark Minasi recently appeared on the Run As Radio podcast he said the AD Recycle Bin was the standout feature of the whole Server 2008 R2 release, not just the Active Directory part.

So I have spent some time checking it out which has resulted in my latest article on the Simple-Talk.com website being based on it, hope you find it useful.

64………is the magic number

Most Windows administrators know that the maximum length for the Netbios computer name of a machine is 15 characters since they may well have hit that limit at some point in time. Slightly less familiar might be the samAccountName attribute of an Active Directory account which must be less than 20 characters – I had experience troubleshooting this one though as recently as last year.

Last week  I needed to create hundreds of distribution lists in Active Directory (using PowerShell of course ), some with particularly long names and during the first run through in my test environment about 20% of them failed to create with an error along the lines that one of the properties I was trying to set was causing a violation.

I tracked it down to the ldap ‘name’ property, i.e. the Relative Distinguished Name, and it appeared to have a limit of 64 characters although I could not confirm this with the AD documentation I found on MSDN.

Thankfully Twitter again proved incredibly useful, I posted my question on there and within minutes had a response from AD guru and PowerShell MVP Brandon Shell (I kind of hoped he would know when I posted the tweet), thanks to him again for his assistance. He encouraged me to post to a newsgroup and not too long after also followed up with the confirmed answer, links below:

http://technet.microsoft.com/en-us/library/cc977992.aspx

http://groups.google.com/group/microsoft.public.windows.server.active_directory/browse_thread/thread/d70df4342f43b8f7

UK User Group Events in May

So May looks like a great month for some of the user groups I regularly attend.

First up we have the VMware user group in London on Thursday May 14th. This is an excellent event for VMware administrators to attend and has a great mix of vendor and community contributions. In particular this time check out Alan Renouf’s pre-show PowerShell workshop. This is before the usual start time and should be great if you are new to PowerShell or already using the VI Toolkit.

Sign up details are here.

Next up is the PowerShell user group at Microsoft in Reading on Tuesday 19th May. This time we have a real treat in store, PowerShell MVP Dmitry Sotnikov from Quest will be stopping by on his whistle stop tour of the UK to tell us about PowerGUI and the AD cmdlets, in particular recent updates. This was a great event when he presented for us last year and is a real opportunity if you use either of these products to get your questions answered or put forward any suggestions for improvements. You also get to meet a really cool guy and see if he manages to blue screen his machine again during a PowerShell demo by stopping all the services, having forgot to use the ‘whatif’ paramter! (I told him I’d get him back for making fun of me when I interviewed him for the Get-Scripting podcast)

Sign up details are here. You need to contact Richard if you wish to attend in person.

Finally on Thursday 28th May the Windows Server and Vista Squad user groups join the Active Directory user group for a joint Windows 7 event. Full content is yet to be confirmed, but that’s the first Windows 7 event I’ve heard of in this country.

Full details here.

Hope to see you at one of these events.

PowerShell Active Directory Cmdlets in Windows Server 2008 R2

A lot of the scripting I have done with PowerShell has been around manging Active Directory and up till now the majority of that work has been with the Quest AD cmdlets which are brilliant for this job. Of course not everyone is always able to install third-party cmdlets into their environment and for other reasons I have been as keen as anyone to see native cmdlets released for AD.

A month or so ago at a UK Technet event I saw James O’Neill carry out a demo of the AD cmdlets which will ship as part of Windows Server 2008 R2. They looked so good I had to check them out straight away and downloaded the beta of Server 2008 R2. I was so impressed I ended up changing what I was originally intending to present for March’s UK Powershell UserGroup so that I could share with people the good stuff that is coming. If you currently use Powershell to manage AD (or even if you are just using the curent GUI tools) you should definitely start checking these cmdlets out so are you a ready to take advantage of them as soon as possible. The best place to currently find out information about them is the Active Directory Powershell Blog – Pipelining AD One Object at a Time . There is some great info here on what is currently available and the direction it is headed.

I’ll give you a tip to help getting started with the cmdlets since some of the inline help is slightly behind the development of the cmdlets. There is a cmdlet for managing user accounts, Get-ADUser, which returns about 10 properties for a user account by default. (Note Quest regulars this is a fair bit less than what you have been used to). There is a parameter ‘-properties’ which you can use to specify particular attributes for a user account or all of them in one go. The inline help says you should use ‘-properties extended’ or’ -properties all’ to retrieve more than the default set. However, trying this out in the beta causes an error and fails to return anything for the user account.

Since the AD blog previously mentioned has a contact form I thought I would drop them a quick note about this and was pleased to receive a very prompt reponse from one of the developers that they had changed the format to be ‘-properties *’, but hadn’t updated the help in time for the beta release. So you would use something like this:

Get-ADUser username -Properties *

Easy when you know how

Finally for now, another way you can find out more information about the AD cmdlets is by listening to a recent episode of the PowerScripting podcast which featured PowerShell MVP Brandon Shell who is an expert at scripting around AD, has recently spent some time with the AD team and helped point them in the right direction for what we want to get out of these cmdlets.

Get-Scripting Guys Take Over the March UK Powershell User Group

Myself and Alan Renouf from the Get-Scripting Podcast will be presenting this month at the UK Powershell User Group on Thursday 26th March at Microsoft in Reading.

First up on the night will be Richard Siddaway talking to us about using Regular Expressions in Powershell. This was requested at a previous event and I know that Richard is really looking forward to talking about that subject

Then the Get-Scripting guys will take over:

I will be talking about some of the features that are part of Active Directory in Server 2008 R2 , currently in beta, in particular the native AD Powershell cmdlets which will ship as part of that product and what I have learned about them so far.

vExpert Alan Renouf will then tell us about the VI toolkit, which for those of you not in the know are the cmdlets shipped by VMware to enable you to manage their ESX product.

A good mixture I think of general scripting skills, third-party added value to your Powershell learning and future technologies.

If you can’t make the event in person then as usual it will be broadcast by LiveMeeting (details here). It wouldn’t be a UK Powershell event if the LiveMeeting part doesn’t go 100% to plan, but we will endeavour to ensure we avoid the usual trick of the microphone going on mute.

If you wish to attend the event in person you should contact Richard via his blog so that he can have a badge for you at the welcome desk. If the prospect of us presenting isn’t enough to attract you then as always there will be pizza at half-time

UK Active Directory User Group – 6pm GMT Wednesday 11th March

This is the second meeting of the newly formed UK Active Directory User Group:

The second [ADUG] UK Active Directory User Group meeting will be on the evening of the 11th March at Microsoft’s London (Victoria) Offices. The meeting will co-hosted with the Windows Server User Group.

The draft agenda is:

• 18:00 for 18:25 Arrival and registration
• 18:25-18:30 Welcome and introductions
• 18:30-19:45 James O’Neill takes a quick tour through the new features in Windows Server 2008 R2 (just to whet your appetite).
• 19:45-20:00 Refreshments
• 20:00-21:15 Amish Lukka (also from Microsoft) will be presenting an insight into new Active Directory features in Windows Server 2008 R2.
• 21:15-21:30 Wrap-up.
• 21:20 Adjourn to a nearby public house where Mark Parris will be happy to share his experiences of the Microsoft Certified Masters: Windows Server 2008: Directory class that he attended last November.

If you are interested in attending – please send an email to registration@adug.co.uk with your name and see you there. The confirmed times will be in the confirmation email.

For those who can’t make it in person, we will set up a Live Meeting session (which will be recorded) and details will be made available closer to the event.