Finding Unused AD Name

Hello,

I am currently trying to create a function that will take a CSV file and output a username that is available to use. Right now it checks to see if their first name is already taken as a username; if it is, I want to add the first letter of their last name and test it again. These tests would continue until it finds a username that is not in use. I am having issues getting it to loop correctly. The overall goal is to import a CSV user and create an AD user with the following attributes: Name, Manager, Location, Telephone, Mobile Phone, Job Title.

function Get-MSUsername {

    [CmdletBinding()]
    Param(

    )
    Import-Csv 'C:\Users\ericq\Desktop\New HIre Test.csv' |
        ForEach-Object {
            $i = 0
            $User = $_.First
            $LastNameLetters = $_.Last.ToCharArray()

            # Keep appending the next letter of the last name until no account
            # with that SamAccountName exists. -Filter returns nothing (and no
            # error) when there is no match, so the loop condition is simply
            # "an account with this name was found".
            while (Get-ADUser -Filter "SamAccountName -eq '$User'") {
                if ($i -ge $LastNameLetters.Count) {
                    throw "No unused username could be built for $($_.First) $($_.Last)"
                }
                $User = $User + $LastNameLetters[$i]
                $i++
            }#END WHILE LOOP

            # $User now holds the first candidate that was not found in AD
            $MSUsername = $User
            Write-Host "$MSUsername test"
        }#foreach

}#Function

Thank you!

Of course there is a lot of room for improvement but you could start with something like this:

Function Find-AvailableSamAccountName {
    [CmdletBinding()]
    [OutputType([System.String])]
    param(
        [Parameter(Position=0, Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [alias('GN','FirstName','Name')]
        [System.String]
        $GivenName,

        # Becomes empty once every surname letter has been moved onto the candidate,
        # so an empty string has to be allowed here.
        [Parameter(Position=1, Mandatory=$true)]
        [AllowEmptyString()]
        [alias('LastName','FamilyName')]
        [System.String]
        $Surname
    )
    try {
        # -Identity raises ADIdentityNotFoundException when no such account exists;
        # -ErrorAction Stop makes sure that error lands in the catch block below.
        If (Get-ADUser -Identity $GivenName -ErrorAction Stop) {
            if ($Surname.Length -eq 0) {
                throw "No available SamAccountName could be built from '$GivenName'"
            }
            # Taken: move the next surname letter onto the candidate and try again.
            Find-AvailableSamAccountName -GivenName ($GivenName + $Surname.Substring(0,1)) -Surname $Surname.Substring(1)
        }
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # Only "not found" means the name is free. A blanket catch would also report
        # the name as free when the lookup itself failed (no DC, access denied, ...).
        $GivenName
    }

}


It does not take the whole csv file it only takes one first name and surname pair at a time and checks the AD for the specified criteria. Try it and play a little with it. :wink:

Thanks Olaf! I totally forgot about calling the function again within the if statement. I will play around with it, but I think it will do the trick.

You can run the below scripts to find Active Directory user accounts that haven’t been used

import-module activedirectory
$domain = "your.domain.here"

$User = get-aduser -Filter {-not ( lastlogontimestamp -like "*") -and (enabled -eq $true)} -Properties DistinguishedName, GivenName, Surname, Name, SamAccountName, userprincipalname, whenCreated |
Select-Object DistinguishedName, GivenName, Surname, Name, SamAccountName, userprincipalname, whenCreated,`
@{l='OU';e={([adsi]"LDAP://$($_.distinguishedname)").psbase.parent.distinguishedname}}

View graphically

$User | Out-GridView

Export to CSV

$User | Export-CSV C:\Temp\ADNeverLoggedOn16082016c.csv -NoTypeInformation

Count how many computers

($User | Measure-Object).Count

Please refer to the following article.

http://www.tomsitpro.com/articles/active_directory-powershell-windows_server-aduc-scripting,2-250.html

http://activedirectorycleanup.blogspot.in/2015/03/find-and-remove-inactive-ad-accounts.html

Close but anyway just off the mark. :wink: The question was to find available / not existing SamAccountNames and not accounts not used for a while. :wink:

Something to think about depending on the volume and time until the accounts are actually created, is that you are not reserving these account names. So, if there is significant time between the generation of the list and account creation, other accounts could “steal” the ID. Also, if there are 2 or more people with the same given name in your CSV, you will return the same result for both. A better approach would be to attempt to create a placeholder, catching errors until it succeeds. Give them a special description, and you can clean up the unused ones if they are not converted to real accounts after a certain amount of time has passed.
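To make the placeholder idea above concrete, here is an added example (not code from anyone in this thread). It creates a disabled placeholder account for the first candidate the directory accepts, so the name is actually reserved at the moment it is chosen, and two rows with the same given name, or two admins running the script at the same time, cannot be handed the same name. The CSV path and column names are taken from the original post; the `$PlaceholderOU` value and the `$ReservationTag` description text are assumptions and should be changed to match your directory.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the thread. Assumptions: the ActiveDirectory module is
# available, the caller may create and delete users in $PlaceholderOU, and the
# $ReservationTag text is not used as the Description of any real account.

$ReservationTag = 'RESERVED-USERNAME: placeholder, convert or delete'   # assumed marker
$PlaceholderOU  = 'OU=Pending,DC=example,DC=com'                          # assumed OU

function Get-SamAccountNameCandidates {
    # Yields john, johnd, johndo, johndoe, ... following the naming rule in the thread.
    # A user sAMAccountName is limited to 20 characters, so candidates stop there.
    param([string]$GivenName, [string]$Surname)
    $base = ($GivenName -replace '[^a-zA-Z0-9]', '').ToLower()
    $tail = ($Surname   -replace '[^a-zA-Z0-9]', '').ToLower()
    for ($n = 0; $n -le $tail.Length; $n++) {
        $candidate = $base + $tail.Substring(0, $n)
        if ($candidate.Length -gt 20) { break }
        $candidate
    }
}

function Reserve-SamAccountName {
    # Tries to CREATE a disabled placeholder for each candidate in turn instead of
    # merely looking the name up. The directory itself rejects a duplicate
    # sAMAccountName, so whoever creates the object first owns the name and the
    # losing attempt just moves on to the next candidate.
    [CmdletBinding()]
    [OutputType([string])]
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname
    )
    foreach ($candidate in Get-SamAccountNameCandidates $GivenName $Surname) {
        try {
            New-ADUser -Name $candidate -SamAccountName $candidate `
                       -GivenName $GivenName -Surname $Surname `
                       -Description $ReservationTag -Enabled $false `
                       -Path $PlaceholderOU -ErrorAction Stop
            return $candidate
        }
        catch [Microsoft.ActiveDirectory.Management.ADIdentityAlreadyExistsException] {
            # Taken (a real account or somebody else's placeholder): try the next one.
            continue
        }
        # Any other error (DC unreachable, access denied, ...) propagates on purpose;
        # treating it as "name is free" would hand out names that were never reserved.
    }
    throw "No available sAMAccountName could be reserved for '$GivenName $Surname'"
}

function Remove-StalePlaceholders {
    # Removes placeholders that were never converted into real accounts.
    # Run with -WhatIf first to see what would be deleted.
    param([int]$OlderThanDays = 30, [switch]$WhatIf)
    $cutoff = (Get-Date).AddDays(-$OlderThanDays)
    Get-ADUser -SearchBase $PlaceholderOU -Filter "Description -eq '$ReservationTag'" -Properties Description, whenCreated |
        Where-Object { $_.whenCreated -lt $cutoff } |
        Remove-ADUser -Confirm:$false -WhatIf:$WhatIf
}

# Usage: one reservation per CSV row (path and column names as in the original post).
Import-Csv 'C:\Users\ericq\Desktop\New HIre Test.csv' | ForEach-Object {
    [pscustomobject]@{
        First    = $_.First
        Last     = $_.Last
        Reserved = Reserve-SamAccountName -GivenName $_.First -Surname $_.Last
    }
}
```

The placeholder is created disabled and carries the reservation tag in its Description, which is what `Remove-StalePlaceholders` keys on; when the real account is provisioned you set the remaining attributes, clear the Description and enable it. Note that the catch is deliberately narrowed to "already exists": a generic catch would turn a lost connection to the domain controller into a stream of names that look free but are not.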

Coming from an Access Management realm myself, I would highly suggest against using properties like a user's name to build user IDs, as they will quickly become painful to manage, as you're already seeing in trying to find unused network IDs.

You may find yourself better served to find a truly distinct identifier for your users and utilize that to build your IDs.

Unfortunately, you do have to rely on others to help (usually the HR dept),

but you will save yourself significant pain going forward. Examples would be how you handle legal name changes/marriages and various other things that affect your chosen account naming standard.

David,

I agree with you 100%. Unfortunately I do not have much control over user id creation schema. I have brought it up that we should change while we are still a smaller company and save the headache in the long run. Fingers crossed :slight_smile: