IDN AD AfterModify Rule - issue with quotes in user DN

Hi Experts,

Has anyone faced an issue with running the AD after modify rule against users with a single quote in their DN/native identity value?

We are making use of the IDN after modify standard template, but it looks like the “Invoke-Expression $command” fails for users having a quote in their native identity.

Here is a sample plan :

<AccountRequest application="ActiveDirectory_Source1 [source]" op="Modify" nativeIdentity="CN=O'neill\, Tester,OU=People,OU=Employees,DC=domain">
  <Attributes>
    <Map>
      <entry key="cloudPreviousValues">
        <value>
          <Map>
            <entry key="department" value="100" />
          </Map>
        </value>
      </entry>
    </Map>
  </Attributes>
  <AttributeRequest op="Set" name="department" value="200" />
</AccountRequest>

Error - "Error: Item = → Message = At line:13 char:65
+
+ ~~~~
The string is missing the terminator: “.”

Any help would be greatly appreciated.

You may have two options to resolve this:

  1. Remove any quotes/special characters from the name itself before sending it to AD. For this you can use the String Replace transform with regex: [^a-zA-Z]. Or

  2. If you want to continue using quotes in the name, you need to escape it by providing an additional backslash. Ex.

CN=O\'neill, Tester,OU=People,OU=Employees,DC=domain

Thanks Sharvari for the response.

This sounds like a fix that needs to be applied in AD instead of the code, right?

Do you think there is a way to get it fixed within the Rule/code without modifying the user data in AD?

The fix may be needed on both ends depending on your Organization’s willingness to include/exclude special characters from DN values in old/new accounts. The transform/rule will take care of users that are modified/created recently, but if you wish to fix this for all existing users in AD then you may have to use an external script or use attribute sync within IDN.

If you do not wish to modify the user data in AD, for new users you can do a transform on first name, middle name and last name using a regular expression like the one above so the prepared DN doesn’t have those characters and your code will execute. For existing user updates you will have to escape it within your AD After Modify rule so that it executes without any errors.

The issue was fixed by replacing ' with '' in the after rule.

I believe you are using the Invoke-Expression command to call some other PowerShell script and you are passing these params, one of them being the DN.

You will use the command in double quotes and the arguments in single quotes. When your data has a single quote, it will end the argument there itself, causing a "quotes not properly closed" issue.

Yeah, I see that your issue is fixed, but I would still like to see if you can execute the logic without using one more PowerShell script. If that works then you don’t need to replace at all.
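The quoting failure described in this thread, the '' fix, and the Invoke-Expression-free form suggested above, as an added PowerShell example that is not part of the IDN standard template; the script path and the -DistinguishedName/-Department parameter names are assumptions for illustration.

```powershell
# Added example (not the IDN template). Demonstrates why "O'neill" breaks a
# single-quoted argument built for Invoke-Expression, how doubling the quote
# fixes it, and the safer form that needs no string-built command at all.

function ConvertTo-PSSingleQuoted {
    param([Parameter(Mandatory)][string]$Value)
    # Inside a single-quoted PowerShell literal the only special character is
    # the single quote itself, and it is escaped by doubling it ('').
    return "'" + ($Value -replace "'", "''") + "'"
}

function Test-CommandParses {
    param([Parameter(Mandatory)][string]$Command)
    # Parse the command text without executing it; $true when the PowerShell
    # parser reports no errors (the same parser Invoke-Expression would use).
    $errors = $null
    [System.Management.Automation.PSParser]::Tokenize($Command, [ref]$errors) | Out-Null
    return ($errors.Count -eq 0)
}

# Constructed sample DN taken from the plan in this thread.
$dn = "CN=O'neill\, Tester,OU=People,OU=Employees,DC=domain"
# Hypothetical path of the second script the rule calls.
$script = 'C:\IQService\Scripts\Update-Department.ps1'

# 1. The pattern from the template: arguments wrapped in single quotes.
$unsafe = "& '$script' -DistinguishedName '$dn' -Department '200'"
Test-CommandParses $unsafe   # $false: the apostrophe in O'neill ends the literal
                             # early and the last quote has no terminator

# 2. The fix applied in the thread: double every single quote before embedding.
$fixed = "& '$script' -DistinguishedName $(ConvertTo-PSSingleQuoted $dn) -Department '200'"
Test-CommandParses $fixed    # $true: the DN is one literal, O''neill included

# 3. Safer still: pass values as real parameters instead of through
#    Invoke-Expression, so no part of the DN is ever parsed as code.
# & $script -DistinguishedName $dn -Department '200'
```

Option 3 also removes the injection surface that any string-built command carries, since attribute values never reach the parser.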
