internal/functions/Resolve-Identity.ps1

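function Resolve-Identity
{
<#
    .SYNOPSIS
        Returns the type of the identifier string offered.
     
    .DESCRIPTION
        Returns the type of the identifier string offered.
        Can differentiate between distinguished names, objectGuid or SID.
        Will not perform any network calls to validate results.
        
        Classification is purely syntactic and checked in this order:
        GUID, DN (any string containing '='), SID, then - if allowed - SamAccountName.
        
        When -GetFilterCondition is used, the value placed into the filter is
        escaped according to RFC 4515, so that characters with a meaning in LDAP
        filter syntax ( \ * ( ) and NUL ) are treated as literal data.
        A '*' in the name is therefore matched literally, not as a wildcard.
     
    .PARAMETER Name
        The name to resolve
     
    .PARAMETER GetFilterCondition
        Returns a valid ldap filter condition instead of just the type
     
    .PARAMETER AllowSamAccountName
        By default, only DNs, Guids and SIDs are accepted as identifiers.
        All other inputs cause errors.
        By setting this switch, we also allow SamAccountNames as fourth input option.
        This is inherently less precise and should only be used with object types supporting that property.
     
    .EXAMPLE
        PS C:\> Resolve-Identity -Name '92469e61-8005-4c6d-b17c-478118f66c20'
         
        Validates that the specified string is a GUID.
     
    .EXAMPLE
        PS C:\> Resolve-Identity -Name 'CN=John (Admin),DC=contoso,DC=com' -GetFilterCondition
         
        Returns '(distinguishedName=CN=John \28Admin\29,DC=contoso,DC=com)'.
#>

    [OutputType([string])]
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [string]
        $Name,
        
        [switch]
        $GetFilterCondition,
        
        [switch]
        $AllowSamAccountName
    )
    
    if ($Name -match '^(\{{0,1}([0-9a-fA-F]){8}-([0-9a-fA-F]){4}-([0-9a-fA-F]){4}-([0-9a-fA-F]){4}-([0-9a-fA-F]){12}\}{0,1})$') { $type = 'Guid' }
    # Deliberately loose: anything containing '=' is treated as a DN.
    # That is why the value is escaped before it is placed into a filter below.
    elseif ($Name -like "*=*") { $type = 'DN' }
    # Sub-authorities are variable-length decimal numbers; fixed digit counts
    # would reject valid domain SIDs as well as builtin ones such as S-1-5-32-544.
    elseif ($Name -match '^S-1-\d+(-\d+)+$') { $type = 'SID' }
    elseif ($AllowSamAccountName) { $type = 'SamAccountName' }
    else { $type = 'Unknown' }
    
    if (-not $GetFilterCondition) { return $type }
    
    # RFC 4515 value escaping. The backslash must be replaced first, otherwise
    # the backslashes introduced by the later replacements would be escaped again.
    $escapedName = $Name.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
    
    switch ($type)
    {
        # The SID pattern only admits 'S', digits and dashes, so no escaping is needed.
        'SID' { "(objectSID=$($Name))" }
        'Guid'
        {
            # objectGuid is matched on its binary form: each byte becomes a
            # backslash followed by exactly two hex digits (zero-padded).
            $bytes = ([guid]$Name).ToByteArray()
            $segments = foreach ($byte in $bytes)
            {
                '\{0:x2}' -f $byte
            }
            "(objectGuid=$($segments -join ''))"
        }
        'DN' { "(distinguishedName=$($escapedName))" }
        default
        {
            if ($AllowSamAccountName) { "(samAccountName=$($escapedName))" }
            else { throw "Unknown identity type: $Name" }
        }
    }
}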