![\"Hey,](\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/q-for-powertip.jpg\" "\\"Hey,")
<\/p>\n<\/p>\n
Hey, Scripting Guy! My user accounts have commas in their CN attributes; for example, Myer, Ken<\/b>. How do I bind to those user accounts using a script? I always get the error message “An invalid dn syntax has been specified.”<\/p>\n
— GT<\/p>\n
Hey, GT. For those of you who don’t know, the CN attribute is the attribute that uniquely identifies a user account within an OU or other Active Directory container. (You can have more than one Myer, Ken<\/b> in your domain, but you can have only a single Myer, Ken<\/b> in, say, the Accounting OU.) The CN attribute is also the attribute used to display user names in Active Directory Users and Computers. When you add a user from within Active Directory Users and Computers, one of the fields you typically fill out is labeled Full Name<\/b> (and then, for some reason, when you later view the user account properties, this same field gets re-labeled Display Name<\/b>). Administrators like to specify CNs (full names) using the last name, first name syntax; that way, when they look at an OU all the users are arranged in alphabetical order by last name. (If you specified Ken Myer<\/b> as the full name, users will be arranged in alphabetical order by first<\/i> name.)<\/p>\n In other words, it’s very common for users to have CNs similar to Myer, Ken. That’s great when you’re working in Active Directory Users and Computers, but not so great when you’re trying to manage these users with ADSI scripts. For example, this script – which attempts to bind to the Myer, Ken user account – will fail with an invalid syntax error:<\/p>\n So what’s the problem here? Well, it’s not with the user’s CN; Myer, Ken<\/b> is perfectly valid. The problem is that when you write a binding string in ADSI the comma is used to separate the individual values within the ADsPath. When we write CN=Myer, Ken,OU=Accounting<\/b>, our script thinks CN=Myer<\/b> is the first value, and Ken<\/b> is the second value. That’s because of the comma between Myer and Ken. And because Ken<\/b> by itself doesn’t make any sense within an ADsPath, the script blows up.<\/p>\n So what do you about that? As it turns out, the comma is a reserved character when it comes to Active Directory paths. (Other reserved characters include the semicolon, the plus sign, the backslash, and the left and right angle brackets. For a complete list, see the Lightweight Access Directory Protocol<\/b><\/a> documentation on MSDN.) <\/p>\n![\"Spacer\"](\"https:\/\/devblogs.microsoft.com\/scripting\/wp-content\/uploads\/sites\/29\/2019\/05\/spacer.gif\")
![\"Hey,](\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/a-for-powertip.jpg\" "\\"Hey,")
<\/a><\/p>\nSet objUser = GetObject(LDAP:\/\/CN=Myer, Ken,OU=Accounting,DC=fabrikam,DC=com<\/a>)<\/pre>\n
Wscript.Echo objUser.CN<\/pre>\n