Group Membership Membername is only last name

Question

Group Membership Membername is only last name

domischlegel opened this issue 6 years ago · 11 comments

In the section of group membership changes, the "Member Name" only shows the last name and a \ (most likely because it wasnt escaped properly?)

Answer 1 · 2019-01-11T09:23:15.000Z

That's possible. I don't really expect "special chars" in Member Name field. If it was Who column it's a bit different because WHO column is actually 2 fields merged together where I add \ explicitly between DOMAIN\User the trick is it's sometimes not written correctly to Event Log.

Can you do:

get-events -RecordID <recordid> -LogName 'Security' -Machine 'AD...'

And check all the fields and potentially let me know the results of it?

Answer 2 · 2019-01-11T10:08:42.000Z

Hey

Thanks for your reply.

Its the field "Account Name" in the "Member" section. That field contains the DN of the user and seems to be like this: CN=lastname\, firstname, OU=OU1,OU=OU2,DC=domain,DC=com.

In the HTML Report it only shows "lastname\".

Regards

Answer 3 · 2019-01-11T10:27:47.000Z

So you're saying you have members in AD that have , in a name? That's first time I see this :-)

Answer 4 · 2019-01-11T16:44:17.000Z

Good point but yes, the full name gets autogenerated and theres a , in between (sorry I forgot about that...)

Answer 5 · 2019-01-11T19:15:06.000Z

Update-Module PSEventViewer

Let me know if that fixes your issue

Answer 6 · 2019-01-15T06:45:51.000Z

Hey, sorry to bring the bad (and late) news, but this hasnt fixed it for me.

I successfully tested it with this regex: ^CN=|\\,|,(OU|DC|CN).*$

Regards

Answer 7 · 2019-01-15T08:53:46.000Z

just so we're on the same page your name is exactly with \ and , in the name?

Answer 8 · 2019-01-15T09:00:01.000Z

in AD its like this:
First Name: firstname
Last name: lastname
Displayname: lastname, firstname

and then the DN (which seems to be used in the event viewer but also appears like this in the AD attributes):
CN=lastname, firstname, OU=OU1,OU=OU2,DC=domain,DC=com

Answer 9 · 2019-01-27T14:31:51.000Z

Right, this indeed works but not sure if it's the proper way.


$MemberName = @(
    'CN=Weird\, Name\, with   ,OU=Users-Offboarded,OU=Production,DC=ad,DC=evotec,DC=xyz'
    'CN=Weird Name\, with $\,.,OU=Users-Offboarded,OU=Production,DC=ad,DC=evotec,DC=xyz'
    'CN=Weird Name,OU=Users-Offboarded,OU=Production,DC=ad,DC=evotec,DC=xyz'
    'CN=Weird Name,DC=ad,DC=evotec,DC=xyz'
    'CN=Weird Name,DC=ad,DC=evotec,DC=xyz'
    'CN=Mailbox Database 1527735546,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Evotec,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ad,DC=evotec,DC=xyz'
    'CN=Test My\, User,OU=Users-Offboarded,OU=Production,DC=ad,DC=evotec,DC=xyz'
)
Write-Color '- MyVersion' -Color Green
foreach ($Member in $MemberName) {

    $Member -replace '^CN=|,(OU|DC|CN).*$'
}
Write-Color '- NewVersion' -Color Red
foreach ($Member in $MemberName) {
  
    $Member -replace 'CN=|\\,|,(OU|DC|CN).*$'
}

Output:

- MyVersion
Weird\, Name\, with
Weird Name\, with $\,.
Weird Name
Weird Name
Weird Name
Mailbox Database 1527735546
Test My\, User
- NewVersion
Weird Name with
Weird Name with $.
Weird Name
Weird Name
Weird Name
Mailbox Database 1527735546
Test My User

Your approach actually gets rid of any characters giving clean output but it also removes integral part of the name, which in your case is comma.

Answer 10 · 2019-01-27T14:33:59.000Z

I think it should be:

$MemberName = @(
    'CN=Weird\, Name\, with   ,OU=Users-Offboarded,OU=Production,DC=ad,DC=evotec,DC=xyz'
    'CN=Weird Name\, with $\,.,OU=Users-Offboarded,OU=Production,DC=ad,DC=evotec,DC=xyz'
    'CN=Weird Name,OU=Users-Offboarded,OU=Production,DC=ad,DC=evotec,DC=xyz'
    'CN=Weird Name,DC=ad,DC=evotec,DC=xyz'
    'CN=Weird Name,DC=ad,DC=evotec,DC=xyz'
    'CN=Mailbox Database 1527735546,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Evotec,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ad,DC=evotec,DC=xyz'
    'CN=Test My\, User,OU=Users-Offboarded,OU=Production,DC=ad,DC=evotec,DC=xyz'
)

Write-Color '- Members' -Color Yellow
foreach ($Member in $MemberName) {

    $Member
}

Write-Color '- MyVersion' -Color Green
foreach ($Member in $MemberName) {

    $Member -replace '^CN=|,(OU|DC|CN).*$'
}
Write-Color '- NewVersion' -Color Red
foreach ($Member in $MemberName) {
  
    $Member -replace 'CN=|\\,|,(OU|DC|CN).*$'
}

Write-Color '- Final version?' -Color Blue
foreach ($Member in $MemberName) {
  
    $Member -replace 'CN=|\\|,(OU|DC|CN).*$'
}

The last one leaves your comma in place just removing extra characters.

Answer 11 · 2019-01-27T18:01:34.000Z

Install-Module PSEventViewer -Force

Published new version. Should fix it.