July 9, 2012 at 12:52 pm
My network admins, in their wisdom, created admin accounts for us developers for those times when we simply must have some privileges.
As you can see, my CN appears to be based on my DisplayName (Admin-LastName, Paul) rather than a concatenation of my FirstName and sn (Paul and Admin-LastName, respectively).
CN=Admin-Lastame\, Paul,OU=Users,OU=Data_Admins,OU=Admins,DC=....
My problem is that I need to split the CN based on comma, and don't know how to get -split to ignore the escaped comma after Admin-LastName.
I was not able to find, among the myriad examples in the split docs on Technet, this kind of case.
How do I do this? Do I need to replace the escape?
For that matter, is there a better way of getting to the endpoint, which is, I need a list of all AD groups and their members in a FirstName.LastName format, not using QAD cmdlets?
TIA.
July 9, 2012 at 2:03 pm
I do not do much AD work these days, let alone from PowerShell, but I do know of the AD cmdlets MS published. http://technet.microsoft.com/en-us/library/ee617195
Here is what I got (using replacement) with some basic PS in case you proceed down the current path. I could not find a slick split option or similar built into PS:
$str = 'CN=Admin-Lastame\, Paul,OU=Users,OU=Data_Admins,OU=Admins'
#$str
[string[]]$a = $str.Replace('\,', '~~~').Split(',')
#$a
#$a.Count
for ($i=0; $i -lt $a.Count; $i++)
{
    $a[$i] = $a[$i].Replace('~~~',',')
}
$a
There are no special teachers of virtue, because virtue is taught by the whole community.
--Plato
July 9, 2012 at 2:43 pm
Here's a regex that might work for you.
$cn = 'CN=Admin-Lastame\, Paul,OU=Users,OU=Data_Admins,OU=Admins,DC=....'
$pat = 'CN=\w+\-(\w+)\\,\s+(\w+),.*$'
[regex]::Replace($cn, $pat, '$2 $1')
It returns Paul Lastame
Edit: just reread your op. rewritten for just firstname lastname
Edit2: I knew that original regex wouldn't handle two-word last names like St. James or hyphenated names, which was why I said "might work". Anyway, while playing golf with the regex I modified it to handle hyphens and two-word last names. If you don't have those kinds of names the original works. Replace with the pattern below if you do.
$pat = 'CN=Admin-(\w.+)\\, (\w+),.*$'
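Added example, not part of any post in this thread: because the split result ends up in a table that drives database access, this splitter treats every backslash pair as an escape, which also covers an escaped backslash sitting directly before a real separator. The function names and the `DC=example,DC=com` suffix are assumptions standing in for the elided part of the DN.

```powershell
# Added example (not from the thread). Function names are hypothetical.
function Split-DistinguishedName {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)

    # One RDN is a run of characters that are neither ',' nor '\',
    # or a backslash followed by any single character (an escape pair).
    $rdnPattern = '(?:[^,\\]|\\.)+'

    foreach ($m in [regex]::Matches($DistinguishedName, $rdnPattern)) {
        # Drop the backslash from single-character escapes such as '\,' or '\\'.
        # Hex-pair escapes such as '\2C' are deliberately left as written.
        [regex]::Replace($m.Value, '\\(?![0-9A-Fa-f]{2})(.)', '$1')
    }
}

function ConvertTo-FirstLast {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)

    # The leading RDN is expected to look like 'CN=Last, First' once unescaped.
    $cn = @(Split-DistinguishedName $DistinguishedName)[0]
    if ($cn -match '^CN=(?<last>.+?),\s*(?<given>.+)$') {
        '{0}.{1}' -f $Matches['given'], $Matches['last']
    }
    else {
        $null   # CN is not in 'Last, First' form; the caller decides what to do
    }
}

# Constructed sample: the thread's DN with placeholder DC components.
$dn = 'CN=Admin-Lastame\, Paul,OU=Users,OU=Data_Admins,OU=Admins,DC=example,DC=com'

$dn.Split(',').Count                     # naive split also cuts at the escaped comma
@(Split-DistinguishedName $dn).Count     # escape-aware split, one item per RDN
ConvertTo-FirstLast $dn

# Constructed edge case: an escaped backslash directly before a real separator.
# A split on '(?<!\\),' would wrongly keep 'CN=Build\\' and 'OU=Svc' together.
Split-DistinguishedName 'CN=Build\\,OU=Svc,DC=example,DC=com'
```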
July 9, 2012 at 5:17 pm
Never mind...
--Jeff Moden
Change is inevitable... Change for the better is not.
July 10, 2012 at 8:36 am
With that thought in mind, let me ask... do you really need to do this in PowerShell or is the ultimate target of your efforts to have something stored in T-SQL???
--Jeff Moden
Change is inevitable... Change for the better is not.
July 10, 2012 at 9:39 am
We grant SQL Server / DB access to Windows groups.
We determine which version of the app (read "Server"), which projects (read "databases") users can see, as well as what functionality is enabled, based on group membership.
Ultimate goal is to have a table containing AD Group Name and samaccountname.
Currently doing this in PS because the custom system stored proc I'd been using in SQL2K is not allowed in SQL 2K8.
The table needs to be refreshed every 15 minutes or so, as users are added/shuffled around.
We have ~800 groups.
Takes 19 seconds in PS + 3 to import to SQL Server, 50 seconds in T-SQL using xp_logininfo and xp_enumgroups and a cursor.
Also, xp_logininfo only returns results for groups granted server access.
July 10, 2012 at 9:47 am
schleep (7/10/2012)
@opc.three: thanks. I can't wait for the time when we move on from XP :-), and I can begin using those AD cmdlets.
Bummer. I am in the same boat at the current shop on the desktop (I wanted to give them a quick spin). Seeing your setup however I am surprised you do not have an app server you could use for this. Granted, you would need one to develop on before releasing it into the wild, but sometimes with these types of system admin tasks that's a good thing.
There are no special teachers of virtue, because virtue is taught by the whole community.
--Plato
July 10, 2012 at 9:54 am
The edict came from on high a couple of years ago: NO NEW SERVERS! (except when a prod box dies).
July 10, 2012 at 10:00 am
Booo 😛
You could explore the possibility of using the command line tool dsquery which is available on XP. I have used it before, but never for automation. However with PS it may be a cinch to use stdout coming from it.
There are no special teachers of virtue, because virtue is taught by the whole community.
--Plato
July 10, 2012 at 10:06 am
dsquery doesn't appear to be supported on XP.
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2008, Windows Server 2008 R2
I get ...not recognized as an internal or external prog...
July 10, 2012 at 10:12 am
I have it installed on my XP workstation and I think it came with the Admin Tools Pack. I installed it so I could easily look up AD group members from my XP workstation as it also installs the handy AD MMC snap-in 😉
Look here for section Finding Windows Server 2003 Administration Tools Packs.
There are no special teachers of virtue, because virtue is taught by the whole community.
--Plato
July 10, 2012 at 12:17 pm
Found it.
It works, although it doesn't appear to be faster than my current solution.
I'll keep at it...
P
July 10, 2012 at 6:15 pm
See if something like this is interesting to you. I get something like this, which should be easily parseable by PS:
C:\>dsquery group domainroot -limit 2 | dsget group -members | dsget user -fn -ln -email -c
Dsquery has reached the specified limit on number of results to display; use a different value for the -limit option to display more results.
  fn      ln                        email
  Jane    Doe                       jane.doe@domain.com
  John    Doe                       john.doe@domain.com
          LastNameButNoFirstName    LastNameButNoFirstName@domain.com
dsget succeeded
I limited the initial query to 2 so I would not bring back my entire directory.
You can also add -L to the last dsget which may result in output that is easier to parse:
C:\>dsquery group domainroot -limit 2 | dsget group -members | dsget user -fn -ln -email -c -L
Dsquery has reached the specified limit on number of results to display; use a different value for the -limit option to display more results.
fn: Jane
ln: Doe
email: jane.doe@domain.com
fn: John
ln: Doe
email: jane.doe@domain.com
fn:
ln: LastNameButNoFirstName
email: LastNameButNoFirstName@domain.com
There are no special teachers of virtue, because virtue is taught by the whole community.
--Plato
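Added example, not part of the post above: one way to turn the `-L` output into objects in PowerShell, skipping the banner and status lines and flagging entries with a blank first or last name so they do not reach the access table as half-built names. The function name is hypothetical, the sample lines are constructed from the output shown in the post, and the parser assumes every record starts with an `fn:` line.

```powershell
# Added example (not from the thread). Function name is hypothetical.
function ConvertFrom-DsgetList {
    param([string[]]$Line)

    $record = $null
    foreach ($text in $Line) {
        # Only 'fn:', 'ln:' and 'email:' lines carry data; the dsquery limit
        # banner and the 'dsget succeeded' status line do not match.
        if ($text -match '^\s*(?<key>fn|ln|email):\s*(?<value>.*)$') {
            $key   = $Matches['key']
            $value = $Matches['value'].Trim()

            # Assumption: each record begins with its 'fn:' line.
            if ($key -eq 'fn') {
                if ($record) { $record }   # emit the previous record
                $record = New-Object PSObject -Property @{ fn = ''; ln = ''; email = '' }
            }
            if ($record) { $record.$key = $value }
        }
    }
    if ($record) { $record }               # emit the last record
}

# Constructed sample based on the output in the post.
$sample = @(
    'Dsquery has reached the specified limit on number of results to display',
    'fn: Jane', 'ln: Doe', 'email: jane.doe@domain.com',
    'fn:', 'ln: LastNameButNoFirstName', 'email: LastNameButNoFirstName@domain.com',
    'dsget succeeded'
)

ConvertFrom-DsgetList $sample | ForEach-Object {
    if ($_.fn -and $_.ln) {
        '{0}.{1}' -f $_.fn, $_.ln
    }
    else {
        # Surface incomplete directory entries instead of emitting '.LastName'.
        Write-Warning ('incomplete name for ' + $_.email)
    }
}
```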