Clear multi attribute with content for AD users

This topic contains 6 replies, has 3 voices, and was last updated by TMac 1 month, 3 weeks ago.

  • #37718
    Jan Mikkelsen
    Participant

    I would like to clear all the multiple attributes for my AD users (reminiscence from Old Office Communication server installation):
    I tried the following, but I can't seem to get past this error:

    Get-ADUser : Error parsing query: '{(msRTCSIP-ArchivingEnabled -like "*") -or (msRTCSIP-FederationEnabled -like "*") -or (msRTCSIP-InternetAccessEnabled -like "*") -or (msRTCSIP-Lin
    e -like "*") -or (msRTCSIP-LineServer -like "*") -or (msRTCSIP-OptionFlags -like "*") -or (msRTCSIP-OriginatorSid -like "*") -or (msRTCSIP-PrimaryHomeServer -like "*") -or (msRTCSIP
    -PrimaryUserAddress -like "*") -or (msRTCSIP-TargetHomeServer -like "*") -or (msRTCSIP-UserEnabled -like "*") -or (msRTCSIP-UserExtension -like "*") -or (msRTCSIP-UserPolicy -like "
    *")}' Error Message: 'syntax error' at position: '1'.
    At C:\Users\XXXX\OneDrive\Build-Filter.ps1:32 char:1
    + Get-ADUser -Filter $Filter
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ParserError: (:) [Get-ADUser], ADFilterParsingException
        + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADFilterParsingException,Microsoft.ActiveDirectory.Management.Commands.GetADUser
    

    This is my code:

    $exattr=@(
        'msRTCSIP-ArchivingEnabled',
        'msRTCSIP-FederationEnabled',
        'msRTCSIP-InternetAccessEnabled',
        'msRTCSIP-Line',
        'msRTCSIP-LineServer',
        'msRTCSIP-OptionFlags',
        'msRTCSIP-OriginatorSid',
        'msRTCSIP-PrimaryHomeServer',
        'msRTCSIP-PrimaryUserAddress',
        'msRTCSIP-TargetHomeServer',
        'msRTCSIP-UserEnabled',
        'msRTCSIP-UserExtension',
        'msRTCSIP-UserPolicy'
    )
    
    # Build -Filter String
    $exattr | Foreach-Object -Begin {
        $Filter = "{"
    } -Process {
        $Filter += "($_"
        $Filter += " -like "
        $Filter += '"*"'
        $Filter += ") "
        $Filter += "-or "
    
    } -End {
        $Filter += "}"
    }
    $Filter=$Filter.Replace(" -or }","}") 
    # Get AD users with attributes having content
    Get-ADUser -Filter $Filter
    

    If I write it all by hand, it works, but I'd rather do it smarter:

    Get-ADUser -Filter {(msRTCSIP-PrimaryHomeServer -like "*") -or (msRTCSIP-PrimaryUserAddress -like "SIP:*") -or (msRTCSIP-UserEnabled -like "*")}
    

    What am I doing wrong?

  • #37727
    Richard Diphoorn
    Participant

    Actually you don't need to search first if user objects already have a value present or not. You can just null everything. Here's one approach to do this. I'm using splatting here to feed the parameters to the Set-ADUser Cmdlet:

    $extraProperties = @(
      'msRTCSIP-ArchivingEnabled', 
      'msRTCSIP-FederationEnabled', 
      'msRTCSIP-InternetAccessEnabled', 
      'msRTCSIP-Line', 
      'msRTCSIP-LineServer', 
      'msRTCSIP-OptionFlags', 
      'msRTCSIP-OriginatorSid', 
      'msRTCSIP-PrimaryHomeServer', 
      'msRTCSIP-PrimaryUserAddress', 
      'msRTCSIP-TargetHomeServer', 
      'msRTCSIP-UserEnabled', 
      'msRTCSIP-UserExtension', 
      'msRTCSIP-UserPolicy'
    )
    
    $users = Get-ADUser -Filter * -Properties $extraProperties
    
    foreach ( $user in $users) {
    
      $args = @{
        Identity                         = $($user.SamAccountName)
        'msRTCSIP-ArchivingEnabled'      = $null
        'msRTCSIP-FederationEnabled'     = $null
        'msRTCSIP-InternetAccessEnabled' = $null
        'msRTCSIP-Line'                  = $null
        'msRTCSIP-LineServer'            = $null
        'msRTCSIP-OptionFlags'           = $null
        'msRTCSIP-OriginatorSid'         = $null
        'msRTCSIP-PrimaryHomeServer'     = $null
        'msRTCSIP-PrimaryUserAddress'    = $null
        'msRTCSIP-TargetHomeServer'      = $null
        'msRTCSIP-UserEnabled'           = $null
        'msRTCSIP-UserExtension'         = $null
        'msRTCSIP-UserPolicy'            = $null
      }
    
      Set-ADUser @args
      
    }
    
  • #37733
    Jan Mikkelsen
    Participant

    When I run the code I get the following error:

    Set-ADUser : A parameter cannot be found that matches parameter name 'msRTCSIP-OriginatorSid'.
    At C:\Users\XXXX\OneDrive\ADUser-Clear-multi-Attribute-multi-users_exprimental.ps1:38 char:14
    +   Set-ADUser @args -WhatIf
    +              ~~~~~
        + CategoryInfo          : InvalidArgument: (:) [Set-ADUser], ParameterBindingException
        + FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.ActiveDirectory.Management.Commands.SetADUser
    
  • #37736
    Richard Diphoorn
    Participant

    Ah yes, sorry, those attributes don't have a named parameter in the Set-ADUser Cmdlet. So you need to use the -replace parameter. Try this:

    $users = Get-ADuser -Filter * -Properties $extraProperties
    
    foreach ( $user in $users ) 
    {
      Set-ADUser -Identity $($user.SamAccountName) -Replace @{
        'msRTCSIP-ArchivingEnabled' = $null
        'msRTCSIP-FederationEnabled' = $null
        'msRTCSIP-InternetAccessEnabled' = $null
        'msRTCSIP-Line' = $null
        'msRTCSIP-LineServer' = $null
        'msRTCSIP-OptionFlags' = $null
        'msRTCSIP-OriginatorSid' = $null
        'msRTCSIP-PrimaryHomeServer' = $null
        'msRTCSIP-PrimaryUserAddress' = $null
        'msRTCSIP-TargetHomeServer' = $null
        'msRTCSIP-UserEnabled' = $null
        'msRTCSIP-UserExtension' = $null
        'msRTCSIP-UserPolicy' = $null
      }
    }
    
  • #37753
    Jan Mikkelsen
    Participant

    I tried it, but now I get this error:

    Set-ADUser : Cannot validate argument on parameter 'Replace'. The argument is null or an element of the argument collection contains a null value.
    At C:\Users\XXXX\OneDrive - JP-Politikens Hus\Work\PS\SfB\ADUser-Clear-multi-Attribute-multi-users_exprimental.ps1:21 char:57
    +   Set-ADUser -Identity $($user.SamAccountName) -Replace @{
    +                                                         ~~
        + CategoryInfo          : InvalidData: (:) [Set-ADUser], ParameterBindingValidationException
        + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.SetADUser
    
  • #37759
    Richard Diphoorn
    Participant

    Try to execute it in PowerShell ISE.

  • #69985
    TMac
    Participant

    You can't set an AD attribute to "null" in that way – it must be "cleared". Also, I found that in our environment, the msRTCSIP attributes have quite different names.

    My preferred method was to simply find all the msRTCSIP attributes in the account (since they all have the same prefix, why not) and clear them. It's hitting AD three times rather than just twice, but the first is just to compile the user list – intelligent filters will help.

    The only tricky part was that the attributes are "NoteProperty" types – all we wanted was the attribute names and not the values.

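    $users = Get-ADUser -Filter * -SearchBase "OU=Disabled Users..."
    foreach ( $u in $users) {
        # -Properties * is needed here: msRTCSIP-* attributes are not in Get-ADUser's default property set
        $RTCprops = (Get-ADUser $u -Properties * | Select "msRTCSIP*").psobject.properties | select -expandproperty name
        # Skip accounts that have no msRTCSIP-* values to clear
        if ($RTCprops) { Set-ADUser $u -Clear @($RTCprops) }
    }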
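
Added example, not part of any post in this thread: it builds the filter from the attribute list as a plain string without the surrounding braces (the leading `{` is what triggers the 'syntax error' at position '1' in the first post), records every populated value to a CSV, and only then clears with `-Clear` under `-WhatIf`. The `$searchBase` and `$auditCsv` values are placeholders, not values from the thread.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$attrs = @(
    'msRTCSIP-ArchivingEnabled', 'msRTCSIP-FederationEnabled',
    'msRTCSIP-InternetAccessEnabled', 'msRTCSIP-Line', 'msRTCSIP-LineServer',
    'msRTCSIP-OptionFlags', 'msRTCSIP-OriginatorSid', 'msRTCSIP-PrimaryHomeServer',
    'msRTCSIP-PrimaryUserAddress', 'msRTCSIP-TargetHomeServer',
    'msRTCSIP-UserEnabled', 'msRTCSIP-UserExtension', 'msRTCSIP-UserPolicy'
)

# Placeholders (assumptions): set these for your own directory.
$searchBase = 'OU=Example,DC=example,DC=com'
$auditCsv   = Join-Path $env:TEMP 'msRTCSIP-before-clear.csv'

# -Filter takes a plain string. The braces in the hand-written form are
# script-block syntax, not part of the filter, so the string must not contain them.
$filter = ($attrs | ForEach-Object { "($_ -like '*')" }) -join ' -or '

# Only users with at least one populated attribute come back.
$users = Get-ADUser -Filter $filter -SearchBase $searchBase -Properties $attrs

# Record every populated attribute before touching anything.
$plan = @(foreach ($user in $users) {
    foreach ($name in $attrs) {
        $value = $user.$name
        if ($null -ne $value -and @($value).Count -gt 0) {
            [pscustomobject]@{
                DistinguishedName = $user.DistinguishedName
                Attribute         = $name
                # For review only; binary values are not restorable from this text.
                Value             = @($value) -join ';'
            }
        }
    }
})
$plan | Export-Csv -Path $auditCsv -NoTypeInformation -Encoding UTF8

# -Clear takes attribute names and removes their values.
# -WhatIf only prints the planned change; remove it after reviewing the CSV.
$plan | Group-Object DistinguishedName | ForEach-Object {
    Set-ADUser -Identity $_.Name -Clear @($_.Group.Attribute) -WhatIf
}
```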
    
