Introduction

It should be rare to find objects in Active Directory with names that have a leading space. They cannot be created in ADUC, but can be created in a script. Such objects are difficult to work with. In fact, it is hard to even find them. The issue was raised in the following TechNet Windows Server forum thread Unable to add AD user as a manager, told the object cannot be found.

The leading space can be in the RDN (the "Relative Distinguished Name") of the object, in the sAMAccountName (the "pre-Windows 2000" name), or both. If you suspect you have such objects, this Wiki article can help.

↑ Return to top


Possible Reasons to Have Objects with Leading Spaces in the Name

Objects with leading spaces in the name may have been created for the following reasons:

  • To take advantage of the fact that such objects are difficult to find.
  • To obscure the name when the object is seen in ADUC, since the leading space is easy to miss.
  • By mistake.
  • To make a user appear first alphabetically in ADUC.

However, there are better ways to hide objects in Active Directory. See the links below in the "Other Resources" and "See Also" sections for details.

One complication with leading spaces in distinguished names is that they must be escaped in scripts and code. Leading spaces must be escaped in any component of distinguished names using the backslash ("\") escape character. Characters that must be escaped are documented in Active Directory: Characters to Escape.

↑ Return to top


In Active Directory Users and Computers

The Active Directory Users and Computers (ADUC) dialog strips off leading spaces when searching or filtering. This means you have to know something else about the object name to find it, unless you use an LDAP syntax filter. Also, objects with a leading space in the Name cannot be created in ADUC (or even in ADSI Edit). They can only be created in a script or in code.

↑ Return to top


Filtering in ADUC

For example, below we select "Filter Options" on the "View" menu of ADUC in an attempt to find a user whose Name starts with a leading space.

Next, we click on "Create custom" and then the "Customize..." button.

Then we click on the "Advanced" tab.

And finally, we enter an LDAP filter and click "OK". In this case, we filter on all users where the sAMAccountName starts with a space character. LDAP recognizes the two character ASCII hexadecimal equivalent of the space character, which is "20", but it must be escaped with the backslash escape character. No other dialog in ADUC recognizes this. The "*" character is the wildcard character. So our LDAP syntax filter is "(sAMAccountName=\20*)". A similar LDAP syntax filter can be used to find users where the Name (the value of the cn or Name attribute) begins with a space. Then the LDAP syntax filter would be "(Name=\20*)".

After you click the "OK" button, only the objects that match the LDAP syntax filter appear in the ADUC. But you still must look in each OU and container to find them.

↑ Return to top


Selecting a Manager for a User

Below we view the properties of a user in ADUC. We have selected the "Organization" tab and will click the "Change..." button to select the Manager for this user.

       

Now we enter " fred" (notice the leading space) to find users with that string in the name and click "Check Names". There is no option to enter an LDAP syntax filter, and this dialog does not recognize "\20". Notice also that we must know something about the user beside the fact that the RDN begins with a space. If we just enter the space character, it gets stripped off and nothing results.

The result when we click "Check Names" is all users where the RDN either starts with "fred" (without the leading space), or where the string " fred" (with the leading space) appears anywhere in the RDN. The object we want is found, but so are several others. The results are exactly the same if we query with the string "fred", with no leading space.

Note that users that have the string "fred" do not show up unless the RDN begins with this string. For example, a user named "Alfred Jones" (which exists in the domain) is not included in the list. However, the results are not consistent. In other cases, names starting with a specified string can be found, but similar names with a leading space never show up, no matter what string is used.

Next, we enter the string " amy" to find a different user, the one with RDN " Amy Tuttle". Again, we must know something about the user name other than the leading space.

Below we see that no objects were found, even though " Amy Tuttle" exists in the domain.

The explanation is unknown. The results are the same if we try the string "amy" (without the leading space). This is difficult to explain.

Below we even try the "Advanced" tab and search for any users with Names that start with " amy".

Again, there are no results. The user " Amy Tuttle" cannot be found in this dialog. This behavior is not consistent, so the problem is not understood.

If you want to search your domain for managers, and document the relationships between managers and direct reports, you can use the following PowerShell script in the TechNet Gallery: Document Active Directory Organization. This script will find all managers and direct reports, even if their names have a leading space, and show the hierarchical structure of your organization.

↑ Return to top


Adding Members to a Group

The situation is exactly the same when you search for objects to make them members of a group. Once you click "Add..." on the "Members" tab of a group to add a new member, the dialogs are identical to those above. Finding objects with leading spaces in the name to add to a group is equally difficult.

↑ Return to top


Example LDAP and PowerShell Syntax Filters

You can use LDAP filters with VBScript, the dsquery command line tool, or PowerShell scripts to find objects in Active Directory. PowerShell syntax filters can be used in PowerShell with the AD module cmdlets, such as Get-ADUser or Get-ADObject. The table below documents the result with several example filters.

LDAP Filter PowerShell Filter Result
"(Name= *)" {Name -Like {Name -Like " *"} All objects
"(Name=* fred*)" {Name -Like "* fred*"} All objects with " fred" anywhere in the Name
"(Name= fred*)" {Name -Like " fred*"} All objects starting with "fred", but not with leading space
"(Name=*fred*)" {Name -Like "*fred*"} All objects with "fred" anywhere in the Name
"(Name=\ fred*)" {Name -Like "\ fred*"} Nothing
"(distinguishedName=\ *)" {distinguishedName -Like "\ *"} Nothing
"(Name=\20*)" {Name -Like "\20*"} Only objects with leading space in Name
"(sAMAccountName= *)" {sAMAccountName -Like " *"} All objects with sAMAccountName
"(sAMAccountName<=!)" {sAMAccountName -le "!"} All objects with sAMAccountName starting with "!" or less
"(sAMAccountName=\20*)" {sAMAccountName -Like "\20*"} Only objects with leading space in sAMAccountName

In the second to last row of the above table, less than or equal to "!" means lexicographically less than or equal to "!". This means that the ASCII hexadecimal representation of the leading character is less than or equal to 21. This includes the "!" character, the space character, and several non-keyboard characters.

When the "Result" column in the above table is red the filter returns nothing, or all objects, or does not return objects with leading spaces in the name. No error is raised. If the "Result" column is orange, objects with leading spaces in the name are retrieved, but so are other objects (sometimes a great many others). Only the filters where the "Result" column is green will retrieve objects with leading spaces in the name, and no others. Obviously, the trick is to specify the two character ASCII hexadecimal representation of the space character, escaped with the backslash character, followed by the wildcard character. This works whether you use an LDAP or a PowerShell filter.

Example Scripts

Below are two examples using the dsquery command line tool and LDAP syntax filters. The first command finds all objects where the sAMAccountName has a leading space. The second finds all objects where the RDN has a leading space.

dsquery * -Filter "(sAMAccountName=\20*)"
dsquery * -Filter "(Name=\20*)"

If you want to restrict the results to the user, group, or any other class of objects, you must AND the appropriate clauses. Below are four PowerShell commands using the Get-ADUser cmdlet. The first two find users where the sAMAccountName has a leading space, first using an LDAP syntax filter, then a PowerShell syntax filter. The next two statements find users where the RDN has a leading space.

Get-ADUser -LDAPFilter "(sAMAccountName=\20*)"
Get-ADUser -Filter {sAMAccountName -Like "\20*"}

Get-ADUser -LDAPFilter "(Name=\20*)" Get-ADUser -Filter {Name -Like "\20*"}

Finally, below is a VBScript program using an LDAP syntax filter to find users where the sAMAccountName has a leading space. The filter for finding users where the RDN has a leading space is commented out.

Option Explicit

Dim adoCommand, adoConnection, strBase, strFilter, strAttributes Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strDN
' Setup ADO objects. Set adoCommand = CreateObject("ADODB.Command") Set adoConnection = CreateObject("ADODB.Connection") adoConnection.Provider = "ADsDSOObject" adoConnection.Open "Active Directory Provider" Set adoCommand.ActiveConnection = adoConnection
' Search entire Active Directory domain. Set objRootDSE = GetObject("LDAP://RootDSE") strDNSDomain = objRootDSE.Get("defaultNamingContext") strBase = "<LDAP://" & strDNSDomain & ">"
' Filter on user objects where sAMAccountName has a leading space. strFilter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=\20*))"
' Filter on user objects where Name has a leading space. ' strFilter = "(&(objectCategory=person)(objectClass=user)(Name=\20*))"
' Comma delimited list of attribute values to retrieve. strAttributes = "distinguishedName"
' Construct the LDAP syntax query. strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree" adoCommand.CommandText = strQuery adoCommand.Properties("Page Size") = 200 adoCommand.Properties("Timeout") = 30 adoCommand.Properties("Cache Results") = False
' Run the query. Set adoRecordset = adoCommand.Execute
' Enumerate the resulting recordset. Do Until adoRecordset.EOF     ' Retrieve values and display.     strDN = adoRecordset.Fields("distinguishedName").Value     Wscript.Echo strDN     ' Move to the next record in the recordset.     adoRecordset.MoveNext Loop
' Clean up. adoRecordset.Close adoConnection.Close

↑ Return to top


See Also

↑ Return to Top


Other Resources

↑ Return to top