
AAD Groups with samAccountName reserved characters in the name don't sync #1

@DavidRawling

Description

Logged Error

```
[12/31/2022 03:53:26] [Info]   <GROUP> Creating AADx509Group 'Bob, Tracy, ZoopWaffel_AADx509Sync' for syncing 'Bob, Tracy, ZoopWaffel_xxxxxxxxxxxx'
[12/31/2022 03:53:26] [Error]   The name provided is not a properly formed account name
```

It appears that the group name needs to be correctly sanitised for the samAccountName in the call to New-ADGroup. For example, compare these two sample executions:

```powershell
PS C:\Scripts> New-ADGroup -Path $GroupOU -Name "A, B, C" -Description "Group Name with Commas" -GroupCategory Security -GroupScope Global
New-ADGroup : The name provided is not a properly formed account name
At line:1 char:1
+ New-ADGroup -Path $GroupOU -Name "A, B, C" -Description "Group Name  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (CN=A\, B\, C,O...DC=example,DC=com:String) [New-ADGroup], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:1315,Microsoft.ActiveDirectory.Management.Commands.NewADGroup

PS C:\Scripts> New-ADGroup -Path $GroupOU -Name "A, B, C" -Description "Group Name with Commas" -GroupCategory Security -GroupScope Global -SamAccountName "A B C"
```

The failure to create the group also exits the script prematurely.

Suggested Fixes

Insert at 292 to sanitise the group name for the samAccountName:

```powershell
# All printable characters are allowed in sAMAccountName values except the following:
#        " [ ] : ; | = + * ? < > / \ ,
$AADx509GrpSam = $AADx509GrpName.Replace("`"", "").Replace("[", "").Replace("]", "").Replace(":", "").Replace(";", "")
$AADx509GrpSam = $AADx509GrpSam.Replace("|", "").Replace("=", "").Replace("+", "").Replace("*", "").Replace("?", "")
$AADx509GrpSam = $AADx509GrpSam.Replace("<", "").Replace(">", "").Replace("/", "").Replace("\", "").Replace(",", "")
```

Note that this still does not account for Unicode or other non-ASCII printable characters; see AD Requirements - samAccountName for the more correct attribute rules.

Update line 296 to specify the sanitised samAccountName:

```powershell
New-ADGroup -Path $GroupOU -Name $AADx509GrpName -Description $group.Description -GroupCategory Security -GroupScope Global -SamAccountName $AADx509GrpSam
```

Further fixes are also required when locating the group to update membership.

Update what is now line 307 to specify the samAccountName in Get-ADGroup (ref Get-ADGroup - Description):

```powershell
$SyncGroup = Get-ADGroup -Identity $AADx509GrpSam
```
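The sanitise-then-create-then-look-up sequence described in this issue, written out as one reusable helper. This is an added example, not code from the issue or from the AADx509Sync project: the function names `ConvertTo-SamAccountName` and `New-SyncGroupSafely` are invented here, `$GroupOU` is assumed to hold the target OU's distinguished name as in the issue, and the 256-character cap is the schema upper bound of the sAMAccountName attribute (user accounts are further limited to 20 characters by legacy tooling, which does not apply to groups). Beyond the reserved-character list quoted above it also drops non-ASCII characters (the gap the issue notes), refuses an empty result instead of letting New-ADGroup fail and abort the sync, escapes the value before using it in an LDAP filter, and detects the case where two different AAD display names collapse to the same sAMAccountName, so membership is never written into a group that merely happens to share the sanitised name.

```powershell
# Requires the RSAT ActiveDirectory module on a domain-joined host for the AD calls.
Import-Module ActiveDirectory -ErrorAction SilentlyContinue

function ConvertTo-SamAccountName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Name,
        # Assumption: schema rangeUpper of sAMAccountName; groups are not bound by the 20-char user limit
        [int]$MaxLength = 256
    )
    # Remove the characters AD rejects in a sAMAccountName:  " [ ] : ; | = + * ? < > / \ ,
    $sam = $Name -replace '[\x22\[\]:;|=+*?<>/\\,]', ''
    # Remove anything outside printable ASCII (Unicode and control characters)
    $sam = $sam -replace '[^\x20-\x7E]', ''
    # Collapse whitespace runs, trim, and drop a trailing period (not permitted in logon names)
    $sam = ($sam -replace '\s+', ' ').Trim().TrimEnd('.')
    if ($sam.Length -eq 0) {
        throw "Group name '$Name' contains no characters usable in a sAMAccountName"
    }
    if ($sam.Length -gt $MaxLength) {
        $sam = $sam.Substring(0, $MaxLength)
    }
    return $sam
}

function New-SyncGroupSafely {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [string]$Description = ''
    )
    $sam = ConvertTo-SamAccountName -Name $Name

    # Escape the only RFC 4515 filter metacharacters that can survive sanitisation
    # ("\" and "*" were already stripped), so an odd display name cannot alter the query.
    $ldapValue = $sam -replace '\(', '\28' -replace '\)', '\29'
    $existing = Get-ADGroup -LDAPFilter "(sAMAccountName=$ldapValue)" -ErrorAction Stop

    # "A,B" and "AB" both sanitise to "AB": never bind to a group created for a different name.
    if ($existing -and $existing.Name -ne $Name) {
        throw "sAMAccountName '$sam' already belongs to group '$($existing.Name)'; refusing to reuse it for '$Name'"
    }
    if (-not $existing) {
        New-ADGroup -Path $Path -Name $Name -Description $Description `
            -GroupCategory Security -GroupScope Global -SamAccountName $sam -ErrorAction Stop
    }
    # Locate the group by its sanitised sAMAccountName for the membership update, as the issue suggests
    return Get-ADGroup -Identity $sam -ErrorAction Stop
}

# Offline demonstration of the sanitiser on the name from the logged error (constructed input):
ConvertTo-SamAccountName -Name 'Bob, Tracy, ZoopWaffel_AADx509Sync'   # Bob Tracy ZoopWaffel_AADx509Sync

# In the sync script (needs AD connectivity), replacing the New-ADGroup / Get-ADGroup pair:
# $SyncGroup = New-SyncGroupSafely -Path $GroupOU -Name $AADx509GrpName -Description $group.Description
```

Because the helper throws on an empty or colliding sAMAccountName instead of letting New-ADGroup error out, the caller can wrap it in a try/catch, log the offending AAD group, and continue with the next group rather than exit the whole sync run.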
