
July 19, 2014 at 5:27 am

Hi All,

So I've just finished the MVP PowerShell course and figure I should put it to good use. Nothing better than practise, right?

We've moved our Exchange services to O365 and I've been tasked with removing X500 / x500 (both are present) values from the "proxyAddresses" attribute for all users.

So, I've been able to remove an individual value from an individual AD Account using this;

Set-ADUser -Identity "username" -Remove @{proxyAddresses="x500Value"}

However, there are two values for each user. So I'd like to say;

Set-ADUser -Identity * -Remove @{proxyAddresses="*500*"}

This does run without error but doesn't remove anything. I'm assuming that this is because it's recognising the 'wildcard' (in proxyAddresses value) as a character instead of a 'wildcard' in the value but I've no idea what to do about it.

All help much appreciated.

Adam

July 19, 2014 at 6:08 am

AD itself doesn't recognize wild cards, and it's the one processing the operation. There's nothing you can do about it; it's a limitation of the technology.

July 19, 2014 at 6:20 am

Hi Don,

Thanks for your response. Please don't take this as anything other than my attempt to understand (I've a long curve ahead of me I think). 🙂

If I enter PSSession with DC and run;

Get-ADUser *

= This outputs every user object in my environment which would indicate it had recognised the 'wildcard'? Or is something else processing this?

Thanks,
Adam

July 19, 2014 at 6:47 am

Certain parameters support wildcards. That * that you passed to Get-ADUser happens to be assigned to its "Filter" parameter, which does.

However, you can't just stick wildcards anywhere you like. The -Identity parameter to Set-ADUser and the values in the hashtable that you pass to -Remove probably don't do any sort of wildcard matching (though I haven't tested that myself.) That doesn't mean that you can't conceptually make this work, just that it takes more work on your part. You need to have a script which fetches one or more users, looks through their proxyAddresses attribute for matching values, and removes them explicitly. Something like this (again, not tested; I don't have an AD environment up on my home lab at the moment. Remove the -WhatIf parameter from the Set-ADUser command once you're confident it's doing the right thing.)

$users = Get-ADUser * -Properties proxyAddresses
foreach ($user in $users)
{
    $addressesToRemove = @($user.proxyAddresses) -like '*500*'
    if ($addressesToRemove.Count -gt 0)
    {
        Set-ADUser -Identity $user.DistinguishedName -Remove @{proxyAddresses = $addressesToRemove} -WhatIf
    }
}

Note: It may be possible to speed this up by filtering the Get-ADUser command with something like -Filter 'ProxyAddresses -like "*500*"', but since I can't test that at the moment, I went with something that I was confident should work.

July 19, 2014 at 7:03 am

Hi Dave,

Thank you for taking the time to respond to the question, scary stuff this PowerShell and there's only so much you can pull from Google and Help files.. 🙂

I shall test this (and break down the function so I understand a bit better) and will post back here to let you know how I get on. Assuming you're interested!

Thanks Again,
Adam

July 21, 2014 at 11:50 am

Hi Guys,

As promised, I got back in to the office today and tried this out.

Dave – Thanks very much, did the trick. The only change I had to make, ironically, is that I had to specify "*" as a '-Filter'!

So workable script turned out as;

$users = Get-ADUser -Filter * -Properties proxyAddresses
foreach ($user in $users)
{
    $addressesToRemove = @($user.proxyAddresses) -like '*500*'
    if ($addressesToRemove.Count -gt 0)
    {
        Set-ADUser -Identity $user.DistinguishedName -Remove @{proxyAddresses = $addressesToRemove}
    }
}

Thanks for all your help! Much appreciated.

Adam
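
Added example, not part of the thread and not any poster's code: the '*500*' pattern used above also matches any other address that merely contains "500" (for instance an smtp: value), so this variant matches on the x500: address-type prefix only and records what would be removed before changing anything. The function name Select-X500ProxyAddress, the sample addresses and the CSV path are assumptions made for illustration.

```powershell
# Keep only values whose address-type prefix is X500.
# -like is case-insensitive, so this covers both 'X500:' and 'x500:'.
function Select-X500ProxyAddress {
    param([string[]]$ProxyAddresses)
    @($ProxyAddresses | Where-Object { $_ -like 'x500:*' })
}

# Constructed sample values, for an offline check of the matching logic.
$sample = @(
    'SMTP:adam@example.com',
    'smtp:room500@example.com',
    'X500:/o=ExampleOrg/ou=First Administrative Group/cn=Recipients/cn=adam',
    'x500:/o=ExampleOrg/ou=Exchange Administrative Group/cn=Recipients/cn=adam2'
)
# The thread's pattern also picks up the smtp: room500 address; the prefix match does not.
"Matched by '*500*':  $(@($sample -like '*500*') -join ' | ')"
"Matched by 'x500:*': $(@(Select-X500ProxyAddress $sample) -join ' | ')"

# Against AD (runs only where the ActiveDirectory module is available).
if (Get-Command Get-ADUser -ErrorAction SilentlyContinue) {
    $backup = Join-Path $env:TEMP 'x500-removed.csv'   # hypothetical path

    # Server-side LDAP filter: fetch only users that have an x500 value at all.
    Get-ADUser -LDAPFilter '(proxyAddresses=x500:*)' -Properties proxyAddresses |
        ForEach-Object {
            $user   = $_
            $remove = @(Select-X500ProxyAddress @($user.proxyAddresses))
            if ($remove.Count -gt 0) {
                # Emit one record per value so the change can be reviewed or reverted.
                foreach ($value in $remove) {
                    [pscustomobject]@{
                        DistinguishedName = $user.DistinguishedName
                        RemovedValue      = $value
                    }
                }
                # Drop -WhatIf once the CSV shows exactly the values expected.
                Set-ADUser -Identity $user.DistinguishedName `
                    -Remove @{ proxyAddresses = $remove } -WhatIf
            }
        } | Export-Csv -Path $backup -NoTypeInformation
}
```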