Active Directory: New-ADUser character escaping

  • Question

  • Hi,

    I am using the Active Directory Cmdlets in Windows PowerShell.
    When I try to create a user New-ADUser -Name "Hello\, world" -.... the following error occurs:

    New-ADUser : The name provided is not a properly formed account name
    At C:\BatchScript\UserAdd\AdminUserAdd.ps1:49 char:11
    + New-ADUser <<<<  -Instance $userInstance -Name "Hello\, world" -Description "Administrative User" Path $path
        + CategoryInfo          : NotSpecified: (CN=Hello\\\, wo...,DC=env-e,DC=int:String) [New-ADUser], ADException


    Is there a way to create a comma-separated username (fullname) with the New-ADUser cmdlet, since the same thing works with ADSI?

    Thank you very much for your assistance!

     

    Friday, January 28, 2011 2:27 PM

All replies

  • This is a wild shot in the dark:

    Try escaping the "\" with a `

    New-ADUser -Name "Hello`\, world" ....

    I don't have the AD cmdlets, so I cannot test this.

    Karl


    http://unlockpowershell.wordpress.com
    -join("6B61726C6D69747363686B65406D742E6E6574"-split"(?<=\G.{2})",19|%{[char][int]"0x$_"})
    Friday, January 28, 2011 2:55 PM
  • I believe when you use the -Name parameter with AD Module cmdlets, which specifies the RDN (the Common Name) of the new user, you do not escape commas.

    Richard Mueller


    MVP ADSI
    Friday, January 28, 2011 5:16 PM
  • I already tried this, but it does not work...
    Monday, January 31, 2011 5:59 PM
  • I need to add the name like this: New-AdUser -Name "GivenName, SurName - UserID" but this does not seem to work with the escaping parameters ' and \

    Monday, January 31, 2011 6:01 PM
  • Hi,

     

    The following article might be helpful:

     

    Escaping in PowerShell

     

    Note: we provide the third party link for technical reference. Microsoft doesn’t hold this site, thus doesn’t guarantee any change on it.

     

    Best Regards

    Dale


    Tuesday, February 1, 2011 6:44 AM
  • Hi,

    I use the new Active Directory cmdlets installed with Windows Server 2008 R2 and I tried all the advice. I am sorry to say that none of it works.
    The error is still: "New-ADUser : The name provided is not a properly formed account name"

    Any suggestions?

    Best regards!

     

    Tuesday, February 1, 2011 1:05 PM
  • I think you need to show the exact string you are using.

    In your first post you say you are doing New-ADUser -Name "Hello\, world"; however, the error provided clearly shows that's not the exact string you are passing to New-ADUser.

    Karl


    http://unlockpowershell.wordpress.com
    -join("6B61726C6D69747363686B65406D742E6E6574"-split"(?<=\G.{2})",19|%{[char][int]"0x$_"})
    Tuesday, February 1, 2011 2:54 PM
  • $userInstance = new-object Microsoft.ActiveDirectory.Management.ADUser

    $userInstance.SamAccountName = "Admin-"+$userId
    $userInstance.UserPrincipalName = $userInstance.SamAccountName+"@test."+$country
    $userInstance.Surname =  $surname
    $userInstance.GivenName = $givenName
    $userInstance.DisplayName = $userInstance.Surname+", "+$userInstance.GivenName+" - "+$userInstance.SamAccountName

    $path = "OU=AdministrativeUsers,OU=Users,OU={0},OU=comp,DC={1},DC={2}" -f $country, $domain[0], $domain[1]

    New-ADUser -Instance $userInstance -Name $userInstance.DisplayName -Description "Administrative User" -Enabled $true -CannotChangePassword $false -ChangePasswordAtLogon $true -AccountPassword (ConvertTo-SecureString "test" -AsPlainText -force) -Path $path

    DisplayName: "Surname, GivenName - SamAccountName" (you can use this for a test)

     

     

     

    Tuesday, February 1, 2011 3:33 PM
  • I just verified in my test domain. The New-ADUser cmdlet does not require that commas be escaped in the value passed to the -Name parameter. I created a user with name "Adams, Sam" with no problems. Possible causes of an error include:

    1. A value for Name (the RDN of the user, the value of the cn attribute) that is not unique in the OU.

    2. A value of sAMAccountName that is not unique in the domain.

    3. A value for Name longer than 64 characters.

    4. A value for sAMAccountName longer than 20 characters (for a user object).

    5. A sAMAccountName with one of the following characters:

    " [ ] : ; | = + * ? < > / \ ,

    Richard Mueller


    MVP ADSI
    Tuesday, February 1, 2011 4:24 PM
  • When I tested for my previous post, I did not use the -Instance parameter. When I do use -Instance I duplicate your experience. I cannot get it to work unless I specify $UserInstance.DisplayName without any commas. The documentation on this is poor. It seems to indicate I can specify a -sAMAccountName and no -Name when I use -Instance, but I never got this to work, even using the example in the get-Help -full. I found no way to escape the comma in the $UserInstance object. However, everything worked fine if I did not use -Instance, but instead specified everything in the New-ADUser cmdlet explicitly. If I specify a value for -Name with a comma, with no escape character (and no $UserInstance and no -Instance), it works. Perhaps this is a bug in the -Instance parameter method.

    By the way, to get New-ADUser to accept the name from $UserInstance, I had to convert $UserInstance.DisplayName to a string as follows:

    New-ADUser -Name $($UserInstance.DisplayName)

    Richard Mueller


    MVP ADSI
    • Marked as answer by Matthias Heil Wednesday, February 2, 2011 9:51 AM
    Tuesday, February 1, 2011 5:03 PM
  • Hi Richard,

    yes that's also my experience. Now I am using this "workaround" without the -Instance Parameter.

    Thank you,
    Matthias

    Wednesday, February 2, 2011 9:53 AM
  • I see this discussion is really old, but I am still having the same issue.

    Windows 2003 domain level

    windows 2008 DCs

    trying to create a new user where the Display name and Name is "Lastname, First", I tried the options in the above discussion but cannot get over the improper format error

    $userInstance = new-object Microsoft.ActiveDirectory.Management.ADUser
    $userId = "Trial1User"
    $country ="CA"
    $surname = "User"
    $givenName = "Trial1"
    $path = "OU=Users,OU=OTW,DC=itlab,dc=Local"
    $userInstance.SamAccountName = $userId
    $userInstance.UserPrincipalName = $userInstance.SamAccountName+"@test."+$country
    $userInstance.Surname =  $surname
    $userInstance.GivenName = $givenName
    $userInstance.DisplayName = $userInstance.Surname+", "+$userInstance.GivenName

    New-ADUser $userInstance -Name $($UserInstance.DisplayName) -Description "Administrative User" -Enabled $true -CannotChangePassword $false -ChangePasswordAtLogon $true -AccountPassword (ConvertTo-SecureString "test" -AsPlainText -force) -Path $path

    I get

    New-ADUser : The name provided is not a properly formed account name
    At line:1 char:11

    Tuesday, January 8, 2013 8:07 PM
  • Based on my testing in 2011, I would say don't use the -Instance parameter, or your $userInstance reference. I would suggest:

    New-ADUser -Name "$surname, $givenName" -Description "Administrative User" -Enabled $true -CannotChangePassword $false -ChangePasswordAtLogon $true -AccountPassword (ConvertTo-SecureString "test" -AsPlainText -force) -Path $path

    Of course, you should also specify -Surname, -GivenName, etc.


    Richard Mueller - MVP Directory Services


    Wednesday, January 9, 2013 1:14 AM
  • Thanks for the quick response,

    I tried the below and still get the same error in couple of different environments

    [PS] C:\temp\sanil>$givenname= "Tester"
    [PS] C:\temp\sanil>$surname= "Case2"
    [PS] C:\temp\sanil>New-ADUser -Name "$surname, $givenName" -givenname $givename -surname $surname -Description "Administ
    rative User" -Enabled $true -CannotChangePassword $false -ChangePasswordAtLogon $true -AccountPassword (ConvertTo-Secure
    String "test#123" -AsPlainText -force)
    New-ADUser : The name provided is not a properly formed account name
    At line:1 char:11
    + New-ADUser <<<<  -Name "$surname, $givenName" -givenname $givename -surname $surname -Description "Administrative Use
    r" -Enabled $true -CannotChangePassword $false -ChangePasswordAtLogon $true -AccountPassword (ConvertTo-SecureString "t
    est#123" -AsPlainText -force)
        + CategoryInfo          : NotSpecified: (CN=Case2\, Test...ITLAB,DC=LOCAL:String) [New-ADUser], ADException
        + FullyQualifiedErrorId : The name provided is not a properly formed account name,Microsoft.ActiveDirectory.Manage
       ment.Commands.NewADUser

    Wednesday, January 9, 2013 3:29 PM
  • I am completely confused. I tried the same thing in this manner and it works, but even trying lastname, first from a simple command line does not work.

    This worked
    [PS] C:\temp\sanil>$NoMB_lName ="Trial"
    [PS] C:\temp\sanil>$NoMB_fName = "case2"
    [PS] C:\temp\sanil>$NoMB_sam ="tcase2"
    [PS] C:\temp\sanil>$NoMB_Description ="trialCase2"
    [PS] C:\temp\sanil>$NoMB_Badge = "12345"
    [PS] C:\temp\sanil>$NoMB_DName = "$NoMB_fName, $NoMB_lName"
    [PS] C:\temp\sanil>$NoMB_Site = "OU=Users,OU=OTW,DC=itlab,dc=Local"
    [PS] C:\temp\sanil>$pwd = "123@rest"
    [PS] C:\temp\sanil>New-ADUser -Name "$NoMB_lName, $NoMB_fName" -SamAccountName $NoMB_sam -Description $NoMB_Description
    -EmployeeID $NoMB_Badge -GivenName $NoMB_fName -Surname $NoMB_lName -DisplayName $NoMB_DName -Path $($NoMB_Site) -Accoun
    tPassword (ConvertTo-SecureString -AsPlainText $pwd -Force) -enable $true -passthru


    DistinguishedName : CN=Trial\, case2,OU=Users,OU=OTW,DC=itlab,DC=Local
    Enabled           : True
    GivenName         : case2
    Name              : Trial, case2
    ObjectClass       : user
    ObjectGUID        : 29d0b998-2fef-44dd-a1f4-7ae71b1997be
    SamAccountName    : tcase2
    SID               : S-1-5-21-1787869742-162364275-1172072272-2768
    Surname           : Trial
    UserPrincipalName :

    but, this does not work

    [PS] C:\temp\sanil>new-aduser

    cmdlet New-ADUser at command pipeline position 1
    Supply values for the following parameters:
    Name: talpade, sanil
    New-ADUser : The name provided is not a properly formed account name
    At line:1 char:11
    + new-aduser <<<<
        + CategoryInfo          : NotSpecified: (CN=talpade\, sa...ITLAB,DC=LOCAL:String) [New-ADUser], ADException
        + FullyQualifiedErrorId : The name provided is not a properly formed account name,Microsoft.ActiveDirectory.Manage
       ment.Commands.NewADUser


    • Edited by SanTal1900 Wednesday, January 9, 2013 4:56 PM
    Wednesday, January 9, 2013 4:53 PM
  • I have been testing again, and I also have gotten confused. I started with a script using the commands you posted. I expected it to work because I previously found that the comma was handled properly by the -Name parameter, without escaping. I tried the following, but it failed with the "not a properly formed account name" error message:

    $givenname= "Tester"
    $surname= "Case2"
    New-ADUser -Name "$surname, $givenName" -givenname $givenname -surname $surname -Description "Test Admin User" -Enabled $true -CannotChangePassword $false -ChangePasswordAtLogon $true -AccountPassword (ConvertTo-SecureString "test#123" -AsPlainText -force)
    

    After many trials, I found that the above works fine if you add the parameter to specify sAMAccountName. This worked fine:

    $givenname= "Tester"
    $surname= "Case2"
    $NTName = "TCase2"
    New-ADUser -sAMAccountName $NTName -Name "$surname, $givenName" -givenname $givenname -surname $surname -Description "Test Admin User" -Enabled $true -CannotChangePassword $false -ChangePasswordAtLogon $true -AccountPassword (ConvertTo-SecureString "test#123" -AsPlainText -force)
    

    So, my guess is that the error message is misleading us. I need to test more, but I suspect when you don't specify sAMAccountName, the cmdlet uses the value of "Name" for sAMAccountName, and commas are not permitted in sAMAccountName values.

    Actually, I just checked the help, and it states that -sAMAccountName is required. I would say this is a bug in the cmdlet. If it prompts for Name, it should also prompt for sAMAccountName.


    Richard Mueller - MVP Directory Services

    • Proposed as answer by Teba2015 Wednesday, September 23, 2015 9:07 AM
    Wednesday, January 9, 2013 5:56 PM
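
The causes listed earlier in this thread and the sAMAccountName finding in the post above, collected into one pre-flight check that runs without a domain. This is an added example, not code from any post: Test-NewAdUserInput is a hypothetical helper name, the sample values are constructed, and the limits and character list are the ones quoted in the thread.

```powershell
# Added example, not from the thread. Test-NewAdUserInput is a hypothetical helper;
# the limits and the forbidden-character list are the ones quoted in the replies above.
function Test-NewAdUserInput {
    param(
        [string]$Name,               # RDN (cn) value; commas need no escaping here
        [string]$SamAccountName      # pre-Windows 2000 logon name
    )
    $forbidden = '"[]:;|=+*?<>/\,'.ToCharArray()
    $problems  = @()

    if ([string]::IsNullOrEmpty($Name)) {
        $problems += 'Name is empty.'
    } elseif ($Name.Length -gt 64) {
        $problems += "Name is $($Name.Length) characters; the limit is 64."
    }

    if ([string]::IsNullOrEmpty($SamAccountName)) {
        $problems += 'SamAccountName is empty; pass -SamAccountName explicitly.'
    } else {
        if ($SamAccountName.Length -gt 20) {
            $problems += "SamAccountName is $($SamAccountName.Length) characters; the limit for a user is 20."
        }
        $bad = @($SamAccountName.ToCharArray() |
                 Where-Object { $forbidden -contains $_ } |
                 Select-Object -Unique)
        if ($bad.Count -gt 0) {
            $problems += "SamAccountName contains forbidden character(s): $($bad -join ' ')"
        }
    }

    # Uniqueness (causes 1 and 2 in the list) needs a directory query and is not checked here.
    New-Object PSObject -Property @{ Valid = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample values, modelled on the names used in the thread.
$surname = 'Case2'; $givenName = 'Tester'
$name = "$surname, $givenName"

# The suspected failure mode: no -SamAccountName, so the comma-bearing Name is reused for it.
(Test-NewAdUserInput -Name $name -SamAccountName $name).Problems

# Same Name with an explicit logon name: the comma in Name is not a problem.
(Test-NewAdUserInput -Name $name -SamAccountName 'TCase2').Valid
```

Running the check before New-ADUser separates a bad sAMAccountName from a bad Name, which the cmdlet's single "not a properly formed account name" message does not.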
  • My test agrees with the result; samAccountName made the difference.
    Thanks again for testing it.

    For others' reference, I found some escape character links:
    http://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx
    One important point mentioned is about the new cmdlets, as below:

    "The PowerShell AD Module cmdlets to create new objects, like New-ADUser, New-ADComputer, New-ADGroup, New-ADObject, and New-ADOrganizationalUnit, will automatically escape any characters required in Active Directory. However, if you use any of the Get-AD* cmdlets to retrieve information from Active Directory, and you specify a distinguished name, all characters must be properly escaped. "

    Wednesday, January 9, 2013 9:18 PM
  • I know this is an old thread but I'm only replying because it's the top Google result for "The name provided is not a properly formed account name,Microsoft.ActiveDirectory.Manage"

    You can also get this error if the samAccountName is longer than 20 characters.

    Thursday, May 16, 2013 2:55 PM
  • I know this is an old thread but I'm only replying because it's the top Google result for "The name provided is not a properly formed account name,Microsoft.ActiveDirectory.Manage"

    You can also get this error if the samAccountName is longer than 20 characters.

    You can also get this error if the samAccountName is longer than 20 characters.

    No kidding, did you read somewhere about that? Maybe in this post?

    Tuesday, August 13, 2013 9:06 PM