Notice: The following post was originally published on another website. As the post is no longer accessible, it is being republished here on tommymaynard.com. The post was originally published on May 31, 2019.
There’s this thing that might happen. Even as it’s unlikely, I’ve added a protection I’ll probably never even need. I suppose I’d rather be complete and as confident in my code as possible. I don’t want to be the guy, who wrote the code that didn’t protect against the thing. Instead, I’d rather be the guy that wrote the code, that did the thing, even when the protection, was never thought to be needed. It’s like the floor mat at Sears, in front of the escalator, that I saw as a kid that I’ve never forgotten: “Safety First.” It was red, with white writing. There’s plenty of production code out there we’ve written that we’d write differently now, knowing what we’ve already learned.
Just because the code I was working with won’t (likely) ever fill up an Active Directory Group Notes field, doesn’t mean I shouldn’t be sure it never attempts to go over that 1,024 character limit allowed by the field. Knowing that goal, reasonable or otherwise, I set out to use the Notes field and prevent ever exceeding that character limit.
Let’s say, there’s a set of groups in Active Directory — department groups. While we’ll keep their names generic: DEPT 00001, DEPT 00002, etc., we’ll put their true department name in their AD object’s Notes field. In case you don’t know, the attribute name for this field is Info on the back end, and Notes in the UI.
Now, let’s also say that department names change over time. Therefore, it’s bound to happen that DEPT 00001, for example, will need its newest department name added to the Info property. Now, we want to keep all the previous names in the Info
property and add the current one to the others. Between each name, we’ll include a pipe character: “|”. This delimiter will assist in helping us determine where one name ends and the next begins. Do consider that department names can change multiple times. If it happens frequently enough, you can see how we might hit our 1,024 character limit in this property. Therefore, it’s a good idea to add in this protection, in order to avoid throwing an error someday.
I’ll include the code I used below, and then we’ll discuss what’s happening further down.
$GroupInfo = $null $GroupInfo = (Get-ADGroup -Identity $GroupExist.Name -Property Info).Info If ($GroupInfo) { # Edit Notes/Info field (previously populated). $GroupInfoSplit = $GroupInfo -split '\|' If (-Not($DeptName -in $GroupInfoSplit)) { $GroupInfo += "|$DeptName" If ($GroupInfo.Length -gt 1024) { # Remove previous groups if over 1024 characters. Do { $GroupInfo = ($GroupInfo -split '\|',2)[1] } Until ($GroupInfo.Length -le 1024) # End Do-Until. } # End If. Set-ADGroup -Identity $GroupExist -Replace @{Info=$GroupInfo} } # End If. } Else { # Add to Notes/Info for the first time. If ($DeptName.Length -le 1024) { Set-ADGroup -Identity $GroupExist -Add @{Info=$DeptName} } # End If. } # End If-Else
The first thing to know is that this code is inside of a looping construct — a Foreach
loop to be exact. Each time we start a new loop, we bring in a different one of our departments, stored in the $GroupExist
variable. On line 3, we use its Name
property as a part of a Get-ADGroup
command and return only the value inside the Info field. Remember, this is the Notes field in the UI. It’s either going to have some data in it, or it’s not. All previously existing departments will already have something in here. It’s new departments that will not.
Once we have, or we don’t have, this data, we go one of two ways. As stated, every department is going to have its department name added to its Notes field. If we don’t return any info from our Get-ADGroup
command, we can rest assured, that there’s nothing in this field already and that we only need to add the department name, without any worry about any previously existing data in this field. This If
statement begins on line 4, however, in this situation, we’re taking the Else
path on line 19. Once there, we check if the length of the department name, stored in $DeptName
is longer than 1,024 characters. That will never happen — seriously — but I added the check just in case. I do want to note here that this $DeptName
variable changes within our unseen Foreach
loop, during each iteration as well.
If there is already a department name or names, then we follow the If
path. Let’s deconstruct that, as well. It’s a little more complex.
If our Info/Notes field is already populated, then we need to make some checks before we potentially add a department’s current department name. The first thing we do with the value we’ve returned, as $GroupInfo
, is split it at our delimiter — the pipe character on line 6. If there’s only one department name (no delimiter), it will only return that one department name, and that’ll work out just fine. Next, we compare our department name in $DeptName
to the value, or values, returned by our split operation. If the current department name is included in our results, we exit — there’s nothing more to do.
Now, if our current department name is not included in our results, we append it to our $GroupInfo
variable. At that point, we’ll have this variable with the newest department name appended to the end of this string, where each previous department name is also included with the pipe character in between each. Following this step, our code checks the length of the value stored in $GroupInfo
and will only act if its length is greater than those 1,024 characters.
If it is, we run our variable through a Do-Until
language construct. For every iteration through the Do-Until
, we split our value at the first pipe character from the left of the string and keep everything to the right. We’ll continue to do this, over and over, until our length is less than 1,024 characters.
And that it’s. We can maintain all of a department’s previous department names and ensure they’ll always fit into our Notes field.