For a whole host of reasons we use scripts to create access-controlled file shares, and to create the Active Directory groups that control access to them. Not only is it easier than doing it manually, it also ensures that the group is created in the correct place, that permissions are set correctly, and that it follows our naming convention. It helps prevent errors and improve the quality of our work, as well as allowing us to push the task right out to our tier one techs, as I described when discussing the ticket cost funnel a while back.
Most of the time, this works perfectly. From time to time, however, we run into a problem. The other day, I got a ticket where this was the case. The error we got looked as follows:
Now, the specific reference pointed to the retry command built into the script, which didn’t make much sense to our tier one technicians, nor did it do so to me. Not, that is, until I looked at the task they were trying to achieve. The script takes an input – a folder name – and applies it not only to the folder, but also to the group controlling the permissions for the folder. Looking into it, it turned out that the suggested folder name contained a comma.
The reason for the issue was that a comma is a disallowed character for MS Active Directory distinguished names. Once we removed the comma, the script ran successfully. The full list of such disallowed characters is as follows:
- Number sign (#) at the beginning of the string
- A space at the end of the string
- Comma (,)
- Double quotation (")
- Left angle bracket (<)
- Right angle bracket (>)
- Plus sign (+)
- Semicolon (;)
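
A pre-flight check for the folder name, written as an added example (not the script discussed in this post): it tests a proposed name against the list above before any folder or group is created, so the technician gets a readable reason instead of a failure inside the retry logic. The function name `Get-AdNameViolation` and the sample names are hypothetical.

```powershell
# Added example: pre-flight check for a name that will become both a folder
# name and an AD group name. Function name and sample inputs are hypothetical.
function Get-AdNameViolation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string]$Name
    )

    $violations = [System.Collections.Generic.List[string]]::new()

    # Positional rules from the list above.
    if ($Name.StartsWith('#')) { $violations.Add('number sign (#) at the beginning') }
    if ($Name.EndsWith(' '))   { $violations.Add('space at the end') }

    # Characters from the list above that are rejected anywhere in the string.
    $anywhere = [ordered]@{
        ','  = 'comma (,)'
        '"'  = 'double quotation mark (")'
        '<'  = 'left angle bracket (<)'
        '>'  = 'right angle bracket (>)'
        '+'  = 'plus sign (+)'
        ';'  = 'semicolon (;)'
    }
    foreach ($char in $anywhere.Keys) {
        if ($Name.Contains($char)) { $violations.Add($anywhere[$char]) }
    }

    # Wrap in a one-element array so an empty result still has a .Count.
    return ,$violations.ToArray()
}

# Constructed sample inputs, not taken from the ticket.
$samples = 'Finance Reports', 'Smith, John - Projects', '#Temp', 'R+D;Archive '
foreach ($s in $samples) {
    $found = Get-AdNameViolation -Name $s
    if ($found.Count -eq 0) {
        Write-Output ("OK      '{0}'" -f $s)
    } else {
        Write-Output ("REJECT  '{0}': {1}" -f $s, ($found -join '; '))
    }
}
```

Calling the check at the top of the provisioning script, and stopping when it returns anything, keeps the folder and the group from being created under different names.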