DN value in AAD Sync AAD Connect – the NEW format

DirSync \ FIM used to use the Immutable ID value in the Azure connector space, making it somewhat straightforward to search for objects in the Azure CS using the ImmutableID (either copied from MSOL powershell or from the onprem AD ObjectGUID value converted to a Base64 string), however in AAD Sync and AAD Connect the DN format has changed so it's much more difficult to search for objects.

AAD Sync \ Connect convert the ImmutableID to UTF8Hex and then prepend a CN={ and append a } to make the value more DN-like.

Here's a script I wrote to convert either the new DN format back to the ImmutableID, or the ImmutableID to the new DN format to make searching easier.   Just call the command with one value or the other and it'll supply the other.

<#

THIS CODE AND ANY ASSOCIATED INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR

IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR

PURPOSE. THE ENTIRE RISK OF USE, INABILITY TO USE, OR RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE USER.

 

#>

#Requires -Version 3

[CmdletBinding()]

param

(

[Parameter(Mandatory = $true,

HelpMessage="ImmutableID string or Azure CS DN value")]

[string]$Value

)

$done = $NULL

If ($value.EndsWith("=="))

{

$enc = [system.text.encoding]::utf8

$result = $enc.getbytes($Value)

write-host "CN={" -nonewline

$result | foreach {write-host -object ([convert]::tostring($_,16)) -NoNewline};write-host "}"

}

ElseIf ($value.ToLower().StartsWith("cn="))

{

$hexstring = $value.replace("CN={","")

$hexstring = $hexstring.replace("}","")

$array = @{}

$array = $hexstring -split "(..)" | ? {$_}

$array | FOREACH {WRITE-HOST –object ( [CHAR][BYTE]([CONVERT]::toint16($_,16))) –nonewline };write-host

}

Else

{

Write-host -fore red "You provided a value that was neither an ImmutableID (ended with ==) or a DN (started with CN=), please try again."

}

<# Example

CN={3262526E42513644383075547A3654313473724D50773D3D}

2bRnBQ6D80uTz6T14srMPw==

 

 

#>

Reader Comments

  1. No need for the array. [string]($hexstring -split "(..)" | ? {$_} | %{([CHAR][BYTE]([CONVERT]::toint16($_,16)))}) -replace ‘ ‘

  2. additionally you can remove the characters from the dn string like this. ($hexstring).substring(4,48)

  3. @Dan – I have many customers who don’t use the default ObjectGUID for ImmutableID, but instead use things like EmployeeID, sAMAccountName and so the substring 4,48 doesn’t work since the resulting Base64String is shorter (in most cases).

Comments are closed.