This PowerShell script will cancel user creation if another user with the same full name already exists in your Active Directory domain. The script gives different error messages for active users and for users located in a deprovisioned users OU.
To use the script, you need to create a business rule triggered automatically on user creation. For more details, see Validate/Modify User Input Using a Script.
Note: The script uses cmdlets from the Adaxes PowerShell module for Active Directory. To run the script, you need to install the PowerShell Module for Active Directory component of Adaxes.
Parameters:
- $errorText - Specifies the text for the error message that is displayed if an active user with the same full name is found.
- $userDeprovisionedErrorText - Specifies the text for the error message that is displayed if a deprovisioned user with the same full name is found.
- $deprovisionedOuDN - Specifies the Distinguished Name (DN) of the Organizational Unit for deprovisioned users.
Note: You can use value references (e.g. %fullname%) to insert the properties of the new user account in the error texts.
PowerShell
Import-Module Adaxes

# Full name (CN) entered for the user account that is being created
$fullName = $Context.GetModifiedPropertyValue("cn")

$errorText = "'" + $fullName + "' already exists! Specify a different full name." # TODO: modify me
$userDeprovisionedErrorText = "'" + $fullName + "' already exists and has been deprovisioned. Enable the deprovisioned user account or specify a different full name." # TODO: modify me
$deprovisionedOuDN = "OU=Decommissioned Accounts,DC=example,DC=com" # TODO: modify me

# Find every existing user whose name matches the new full name; more than one match is possible
$users = Get-AdmUser -Filter 'Name -eq $fullName'
if ($null -eq $users)
{
    return # No user with this full name exists, allow the operation
}

$deprovisionedOu = New-Object "Softerra.Adaxes.LDAP.DN" $deprovisionedOuDN
foreach ($user in $users)
{
    $userDN = New-Object "Softerra.Adaxes.LDAP.DN" $user.DistinguishedName
    # Compare DN objects rather than plain strings
    if (-not $userDN.IsDescendantOf($deprovisionedOu))
    {
        # At least one active duplicate exists; it takes precedence over deprovisioned ones
        $Context.Cancel($errorText)
        return
    }
}

# Every match is located in the deprovisioned users OU
$Context.Cancel($userDeprovisionedErrorText)
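The script above decides between the two error messages by asking whether the existing user's DN lies under the deprovisioned OU. The following block is an added example, not part of the Adaxes script and not Adaxes code: it implements that ancestor test in plain PowerShell (no Adaxes module required) so the decision can be exercised offline against constructed DNs. The function names Split-DistinguishedName and Test-IsDescendantOf and all sample DNs are assumptions made for this example.

```powershell
# Added example (not the Adaxes script): a plain-PowerShell DN ancestor check
# that can be run offline to exercise the "active vs deprovisioned" decision.
# It splits a DN into RDNs on unescaped commas and compares them
# case-insensitively; attribute-type normalization (e.g. multi-valued RDNs)
# is deliberately not handled here.
function Split-DistinguishedName {
    param([string]$Dn)
    $parts = @()
    $current = ''
    for ($i = 0; $i -lt $Dn.Length; $i++) {
        $ch = $Dn[$i]
        if ($ch -eq '\' -and $i + 1 -lt $Dn.Length) {
            # Escaped character (e.g. "\," inside a CN): keep it verbatim
            $current += "$ch$($Dn[$i + 1])"
            $i++
        } elseif ($ch -eq ',') {
            $parts += $current.Trim()
            $current = ''
        } else {
            $current += $ch
        }
    }
    $parts += $current.Trim()
    return $parts
}

function Test-IsDescendantOf {
    param([string]$ObjectDn, [string]$ContainerDn)
    $obj  = @(Split-DistinguishedName $ObjectDn)
    $cont = @(Split-DistinguishedName $ContainerDn)
    # A descendant has strictly more RDNs than the container and shares
    # all of the container's RDNs as its tail (the container itself is not a descendant)
    if ($obj.Count -le $cont.Count) { return $false }
    $offset = $obj.Count - $cont.Count
    for ($i = 0; $i -lt $cont.Count; $i++) {
        # -ne on strings is case-insensitive in PowerShell
        if ($obj[$offset + $i] -ne $cont[$i]) { return $false }
    }
    return $true
}

# Constructed sample data (assumption: this OU DN and these user DNs do not refer to a real domain)
$deprovisionedOuDN = 'OU=Decommissioned Accounts,DC=example,DC=com'
$samples = @(
    'CN=John Smith,OU=Decommissioned Accounts,DC=example,DC=com',            # directly in the OU
    'CN=John Smith,OU=Sales,OU=DECOMMISSIONED ACCOUNTS,DC=EXAMPLE,DC=COM',   # nested, different case
    'CN=John Smith,OU=Staff,DC=example,DC=com',                              # active user elsewhere
    'OU=Decommissioned Accounts,DC=example,DC=com',                          # the container itself
    'CN=Smith\, John,OU=Decommissioned Accounts,DC=example,DC=com'           # escaped comma in the CN
)

$results = foreach ($dn in $samples) {
    [pscustomobject]@{
        DN             = $dn
        IsDeprovisioned = Test-IsDescendantOf -ObjectDn $dn -ContainerDn $deprovisionedOuDN
    }
}
$results | Format-Table -AutoSize

# Contrast with a naive string suffix test on the second sample: .NET's
# String.EndsWith is case-sensitive by default, so it does not treat the
# differently-cased DN as belonging to the OU.
$samples[1].EndsWith($deprovisionedOuDN)
```

Running the block lists each sample with its classification; the first, second and fifth samples are treated as deprovisioned, the third as active and the fourth (the OU itself) as not a descendant. The final line shows why a case-sensitive suffix comparison is the wrong tool here: an OU DN typed in a different case than the DNs Active Directory returns would silently cause every deprovisioned duplicate to be reported with the "active user" message, which is the failure mode that comparing DN objects in the script avoids.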