If you run net ads join OU#50, you will get the invalid_dn_syntax error. This is a valid OU, so net should be able to add our machine account there.
To reproduce:
1. Create an OU named OU#55
2. Run net ads join OU#55 -Uadministrator%password
3. Notice the error
A little more info here: an OU cannot contain a # unless it is escaped. This is LDAP syntax. If you actually look in the LDAP tree in your domain, OU#55 will be called ou=OU\#55,dc=...etc. However, we currently assume all \ and / characters mean that string is supposed to be converted to a "path" of OUs, so OU\#55 is converted to ou=#55,ou=OU,dc=... and a\b\c would be ou=c,ou=b,ou=a,dc=... I'm proposing that we change it to only accept / as a separator, but I'm waiting for some feedback first.
Fixed in r14931. Sorry it took so long to check in. I changed it to use only '/' as the separator for multiple levels of OU. Special chars such as # aren't allowed in LDAP, but ads uses '\' to escape them. The join will require "ou\\#55" on the command line, as you need to escape the escape char :-).
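The OU-path conversion discussed in this report, as an added example that is not part of the thread and not Samba's code: it builds the relative DN from an OU path and shows how the choice of separator characters changes the result for OU\#55. The function name ou_path_to_dn and its seps parameter are hypothetical, and the input string is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not Samba's own function: turn an OU path such as
 * "a/b/c" into "ou=c,ou=b,ou=a". Characters in `seps` split levels; every
 * other character, including an LDAP escape like "\#", is copied through. */
static int ou_path_to_dn(const char *path, const char *seps,
                         char *out, size_t outlen)
{
    size_t len = strlen(path), used = 0;
    size_t end = len;               /* one past the current component */

    if (outlen == 0)
        return -1;
    out[0] = '\0';
    /* Walk backwards so the deepest OU is written first. */
    for (size_t i = len; ; i--) {
        if (i != 0 && strchr(seps, path[i - 1]) == NULL)
            continue;               /* not at the start of a component */
        if (end > i) {              /* skip empty components ("a//b") */
            int n = snprintf(out + used, outlen - used, "%sou=%.*s",
                             used ? "," : "", (int)(end - i), path + i);
            if (n < 0 || (size_t)n >= outlen - used)
                return -1;          /* would not fit */
            used += (size_t)n;
        }
        if (i == 0)
            break;
        end = i - 1;
    }
    return used ? 0 : -1;           /* reject a path with no components */
}

int main(void)
{
    char dn[128];
    const char *ou = "OU\\#55";     /* constructed input: OU\#55 */

    if (ou_path_to_dn(ou, "\\/", dn, sizeof dn) == 0)
        printf("'\\' and '/' split: %s\n", dn);   /* old behaviour */
    if (ou_path_to_dn(ou, "/", dn, sizeof dn) == 0)
        printf("only '/' splits:  %s\n", dn);     /* after the fix */
    return 0;
}
```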