Finding Unused AD Name

This topic contains 7 replies, has 5 voices, and was last updated by  Eric Queck 3 weeks, 6 days ago.

  • #92077

    Eric Queck
    Participant

    Hello,

    I am currently trying to create a function that will take a CSV file and output a username that is available to use. Right now it checks to see if their first name is already taken as a username; if it is, I want to add the first letter of their last name and test it again. These tests would continue until it finds a username that is not in use. I am having issues getting it to loop correctly. The overall goal is to import a CSV user and create an AD User with the following attributes: Name, Manager, Location, Telephone, Mobile Phone, Job Title.

    function Get-MSUsername {

        [CmdletBinding()]
        Param(

        )
        Import-Csv 'C:\Users\ericq\Desktop\New HIre Test.csv' |
            ForEach-Object {
                $i = 0
                $User = $_.First
                $LastNameLetters = $_.Last.ToCharArray()
                $MSUsername = $null

                # Keep appending surname letters until no account carries the candidate name.
                # -Filter returns nothing (and raises no error) when there is no match,
                # unlike -Identity, which throws for an unknown name.
                while (-not $MSUsername) {
                    $Existing = Get-ADUser -Filter { SamAccountName -eq $User }

                    if (-not $Existing) {
                        $MSUsername = $User
                    }
                    elseif ($i -lt $LastNameLetters.Count) {
                        $User = $User + $LastNameLetters[$i]
                        $i++
                    }
                    else {
                        # Surname letters exhausted; no free name found for this row
                        Write-Warning "No free username for $($_.First) $($_.Last)"
                        break
                    }
                }#while

                Write-Host "$MSUsername test"
            }#foreach

    }#Function

    Thank you!

  • #92081

    Olaf Soyk
    Participant

    Of course there is a lot of room for improvement but you could start with something like this:

    Function Find-AvailableSamAccountName {
        [CmdletBinding()]
        [OutputType([System.String])]
        param(
            [Parameter(Position=0, Mandatory=$true)]
            [ValidateNotNullOrEmpty()]
            [alias('GN','FirstName','Name')]
            [System.String]
            $GivenName,

            [Parameter(Position=1, Mandatory=$true)]
            [alias('LastName','FamilyName')]
            [System.String]
            $Surname
        )
        # Get-ADUser -Identity throws ADIdentityNotFoundException when nothing has that
        # name; only that exception means "free". Anything else (no DC, no rights)
        # propagates, so the caller never gets a name that could not be verified.
        try {
            $null = Get-ADUser -Identity $GivenName
            $Exists = $true
        }
        catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            $Exists = $false
        }
        if (-not $Exists) {
            return $GivenName
        }
        if ($Surname.Length -eq 0) {
            Write-Error "'$GivenName' is taken and no surname letters are left to append."
            return
        }
        # Taken: append the next surname letter and try again
        Find-AvailableSamAccountName -GivenName ($GivenName + $Surname.Substring(0,1)) -Surname $Surname.Substring(1)
    }

    It does not take the whole csv file, it only takes one first name and surname pair at a time and checks the AD for the specified criteria. Try it and play a little with it. 😉
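    Building on Olaf's approach, here is an added example (written for this edit, not code from the thread) that takes the whole CSV in one pass. It assumes the CSV has First and Last columns and that the ActiveDirectory module is loaded; the function names, the OrdinalIgnoreCase reservation set, and the candidate scheme (first name, then one more surname letter at a time) are choices made here. Three things it does that the recursive version does not: it escapes the name before putting it into the LDAP filter (a surname such as O'Brien or one containing `)` or `*` would otherwise change the query), it checks all object classes rather than only users because a sAMAccountName must be unique across users, groups and computers in a domain, and it remembers names already handed out during the run so two rows with the same first name do not both get the same answer. Lookup failures propagate rather than being treated as "free".

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module and a CSV with First/Last columns.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves in filter values so the candidate name
    # cannot alter the filter sent to the domain controller.
    param([Parameter(Mandatory)][string]$Value)
    $sb = [System.Text.StringBuilder]::new()
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'  { [void]$sb.Append('\5c') }
            '*'  { [void]$sb.Append('\2a') }
            '('  { [void]$sb.Append('\28') }
            ')'  { [void]$sb.Append('\29') }
            "`0" { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

function Test-SamAccountNameFree {
    # $true only when the directory answered and no object of any class carries the name.
    # sAMAccountName is unique per domain across users, groups and computers, hence Get-ADObject.
    # Any error (unreachable DC, missing rights) propagates: fail closed, not "assume free".
    param([Parameter(Mandatory)][string]$Name)
    $escaped = ConvertTo-LdapFilterValue -Value $Name
    $hit = Get-ADObject -LDAPFilter "(sAMAccountName=$escaped)" -ErrorAction Stop
    return (-not $hit)
}

function Get-SamAccountNameCandidates {
    # Emits first, first+s, first+sm, ... with characters AD rejects in a pre-Windows 2000
    # logon name stripped and the result cut to the 20-character limit of that attribute.
    param([Parameter(Mandatory)][string]$GivenName,
          [Parameter(Mandatory)][string]$Surname)
    $invalid = [regex]'[\s"/\\\[\]:;|=,+*?<>]'
    $first = $invalid.Replace($GivenName.ToLowerInvariant(), '')
    $last  = $invalid.Replace($Surname.ToLowerInvariant(), '')
    for ($i = 0; $i -le $last.Length; $i++) {
        $candidate = $first + $last.Substring(0, $i)
        if ($candidate.Length -gt 20) { $candidate.Substring(0, 20); break }  # longer ones would repeat
        $candidate
    }
}

function Find-AvailableSamAccountNames {
    # Processes every row; $reserved holds names already chosen in this run so that
    # two rows with the same first name do not both receive the same free name.
    param([Parameter(Mandatory)][string]$Path)
    $reserved = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($row in Import-Csv -Path $Path) {
        $chosen = $null
        foreach ($candidate in Get-SamAccountNameCandidates -GivenName $row.First -Surname $row.Last) {
            if ($reserved.Contains($candidate)) { continue }
            if (Test-SamAccountNameFree -Name $candidate) { $chosen = $candidate; break }
        }
        if (-not $chosen) {
            Write-Warning "No free sAMAccountName for $($row.First) $($row.Last)"
            continue
        }
        [void]$reserved.Add($chosen)
        [pscustomobject]@{ First = $row.First; Last = $row.Last; SamAccountName = $chosen }
    }
}

# Usage:
# Find-AvailableSamAccountNames -Path 'C:\Users\ericq\Desktop\New HIre Test.csv' |
#     Export-Csv .\usernames.csv -NoTypeInformation
```

    Note that this still only answers "free at the moment I asked"; nothing stops another process from creating that account before you do, which is the point Ron raises further down.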

    • #92086

      Eric Queck
      Participant

      Thanks Olaf! I totally forgot about calling the function again within the if statement. I will play around with it, but I think it will do the trick.

  • #92098

    edwin arlington
    Participant

    You can run the script below to find Active Directory user accounts that haven't been used.

    Import-Module ActiveDirectory

    # Enabled accounts whose lastLogonTimestamp has never been set
    $User = Get-ADUser -Filter {-not (lastlogontimestamp -like "*") -and (enabled -eq $true)} -Properties DistinguishedName, GivenName, Surname, Name, SamAccountName, userprincipalname, whenCreated |
    Select-Object DistinguishedName, GivenName, Surname, Name, SamAccountName, userprincipalname, whenCreated,`
    @{l='OU';e={([adsi]"LDAP://$($_.distinguishedname)").psbase.parent.distinguishedname}}

    # View graphically
    # $User | Out-GridView

    # Export to CSV
    $User | Export-CSV C:\Temp\ADNeverLoggedOn16082016c.csv -NoTypeInformation

    # Count how many users
    ($User | Measure-Object).Count

    Please refer to the following article.

    http://www.tomsitpro.com/articles/active_directory-powershell-windows_server-aduc-scripting,2-250.html

    http://activedirectorycleanup.blogspot.in/2015/03/find-and-remove-inactive-ad-accounts.html

    • #92099

      Olaf Soyk
      Participant

      Close but anyway just off the mark. 😉 The question was to find available / not existing SamAccountNames and not accounts not used for a while. 😉

  • #92107

    Ron
    Participant

    Something to think about depending on the volume and time until the accounts are actually created, is that you are not reserving these account names. So, if there is significant time between the generation of the list and account creation, other accounts could "steal" the ID. Also, if there are 2 or more people with the same given name in your CSV, you will return the same result for both. A better approach would be to attempt to create a placeholder, catching errors until it succeeds. Give them a special description, and you can clean up the unused ones if they are not converted to real accounts after a certain amount of time has passed.
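    Ron's suggestion, as an added example that is not part of his post: reserve a name by letting the directory itself arbitrate, creating a disabled placeholder account and moving to the next candidate only when the directory reports the name as taken, then sweep placeholders that were never turned into real accounts. It assumes the ActiveDirectory module, an OU the script may write to (the `-PlaceholderOU` value in the usage lines is made up), a description prefix chosen here as the marker, and that a duplicate sAMAccountName makes New-ADUser raise ADIdentityAlreadyExistsException. Because the placeholder's CN is the same string as its sAMAccountName, a CN collision inside that OU is the same collision, and the generic ADException branch covers that wording.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module and a writable OU for placeholders.
Import-Module ActiveDirectory

$PlaceholderTag = 'PLACEHOLDER-RESERVED'   # assumed marker text; adjust to your convention

function Reserve-SamAccountName {
    # Tries each candidate in order. A name that another process grabbed between "check"
    # and "create" simply fails here and the next candidate is tried, so the reservation
    # is race-free. Any other error (no DC, no rights) propagates: the caller must not
    # assume it owns a name it never got.
    param(
        [Parameter(Mandatory)][string[]]$Candidates,
        [Parameter(Mandatory)][string]$PlaceholderOU,
        [string]$RequestedFor
    )
    foreach ($name in $Candidates) {
        $desc = "$PlaceholderTag $(Get-Date -Format o) for $RequestedFor"
        try {
            return New-ADUser -Name $name -SamAccountName $name -Path $PlaceholderOU `
                -Enabled $false -Description $desc -ErrorAction Stop -PassThru
        }
        catch [Microsoft.ActiveDirectory.Management.ADIdentityAlreadyExistsException] {
            Write-Verbose "'$name' already exists, trying the next candidate"
        }
        catch [Microsoft.ActiveDirectory.Management.ADException] {
            # CN already present in the OU is reported with this wording (assumption noted in the lead-in)
            if ($_.Exception.Message -notmatch 'already in use') { throw }
            Write-Verbose "'$name' already used as a CN in $PlaceholderOU, trying the next candidate"
        }
    }
    Write-Error "No candidate could be reserved: $($Candidates -join ', ')"
}

function Remove-StalePlaceholders {
    # Deletes placeholders older than $MaxAgeDays that are still disabled and still carry
    # the marker, i.e. were never converted into real accounts. Honors -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$PlaceholderOU,
        [int]$MaxAgeDays = 14
    )
    $cutoff  = (Get-Date).AddDays(-$MaxAgeDays)
    $pattern = "$PlaceholderTag*"
    Get-ADUser -SearchBase $PlaceholderOU -Filter { Enabled -eq $false -and Description -like $pattern } `
        -Properties Description, whenCreated |
        Where-Object { $_.whenCreated -lt $cutoff } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.SamAccountName, 'Remove stale placeholder')) {
                Remove-ADUser -Identity $_ -Confirm:$false
            }
        }
}

# Usage (candidate list built with the scheme from the first post; OU path is made up):
# $first = 'john'; $last = 'smith'
# $cands = 0..$last.Length | ForEach-Object { $first + $last.Substring(0, $_) }
# $acct  = Reserve-SamAccountName -Candidates $cands -PlaceholderOU 'OU=Pending,DC=corp,DC=example' -RequestedFor 'John Smith'
# Remove-StalePlaceholders -PlaceholderOU 'OU=Pending,DC=corp,DC=example' -MaxAgeDays 14 -WhatIf
```

    Converting a placeholder into the real account is then a Set-ADUser on the object you got back (name, manager, title, phone numbers, and finally enabling it), which also handles the "two Johns in one CSV" case for free: the second one fails on the name the first one already reserved.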

  • #92114

    David Schmidtberger
    Participant

    Coming from an Access Management realm myself, I would highly suggest against using properties like a user's name to build user IDs, as they will quickly become painful to manage, as you're already seeing in trying to find unused network IDs.

    You may find yourself better served to find a truly distinct identifier for your users and utilize that to build your IDs.

    Unfortunately, you do have to rely on others to help (usually the HR dept),

    but you will save yourself significant pain going forward. Examples would be how you handle legal name changes/marriages and various other things that affect your chosen account naming standard.

    • #92120

      Eric Queck
      Participant

      David,

      I agree with you 100%. Unfortunately I do not have much control over user id creation schema. I have brought it up that we should change while we are still a smaller company and save the headache in the long run. Fingers crossed 🙂
