Adding and removing extensionattribute to AD object - powershell

I'm using powershell to modify some AD extensionattribute.
This is my code to add an extensionattribute
Set-ADUser -Identity "anyUser" -Add @{extensionAttribute4="myString"}
It works, but how can I remove the same extensionattribute? I can't find anything similar to -remove.

You could try using the -Clear parameter
Example: -Clear Attribute1LDAPDisplayName, Attribute2LDAPDisplayName
http://technet.microsoft.com/en-us/library/ee617215.aspx

I used the following today - it works!
Add a value to an extensionAttribute:
$ThisUser = Get-ADUser -Identity $User -Properties extensionAttribute1
Set-ADUser -Identity $ThisUser -Add @{"extensionattribute1"="MyString"}
Remove a value from an extensionAttribute:
$ThisUser = Get-ADUser -Identity $User -Properties extensionAttribute1
Set-ADUser -Identity $ThisUser -Clear "extensionattribute1"

I have struggled a long time to modify the extension attributes in our domain.
Then I wrote a powershell script and created an editor with a GUI to set and remove extAttributes from an account.
If you like, you can take a look at it at http://toolbocks.de/viewtopic.php?f=3&t=4
I'm sorry that the description in the text is in German. The GUI itself is in English.
I use this script on a regular basis in our domain and it never deleted anything or did any other harm. I provide no guarantee that this script works as expected in your domain. But as I provide the source, you can (and should) have a look at it before you run it.

Extension attributes are added by Exchange. According to this Technet article something like this should work:
Set-Mailbox -Identity "anyUser" -ExtensionCustomAttribute4 @{Remove="myString"}

Or the -Remove parameter:
Set-ADUser -Identity anyUser -Remove @{extensionAttribute4="myString"}

To clear the value you can always reset it to $Null. For example:
Set-Mailbox -Identity "username" -CustomAttribute1 $Null

Set-ADUser -Identity anyUser -Replace @{extensionAttribute4="myString"}
This is also useful.
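Pulling the answers above together, here is an added example (my own code, not from any of the posters) that wraps the -Replace / -Clear choice in one function, validates that only a real extensionAttribute1..15 name is touched, supports -WhatIf, and reads the value back so you get proof of the resulting state rather than just "no error". The function and parameter names are my own.

```powershell
# Added example: set or clear one extensionAttributeN on a user and report before/after.
#Requires -Modules ActiveDirectory

function Set-ExtensionAttribute {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Medium')]
    param(
        [Parameter(Mandatory)] [string] $Identity,
        # Only the 15 Exchange-schema attributes are allowed; any other name is rejected.
        [Parameter(Mandatory)] [ValidatePattern('^extensionAttribute([1-9]|1[0-5])$')]
        [string] $Attribute,
        # $null or '' means "clear"; anything else replaces the current value.
        [AllowNull()] [AllowEmptyString()] [string] $Value
    )

    $user   = Get-ADUser -Identity $Identity -Properties $Attribute
    $before = $user.$Attribute

    if ([string]::IsNullOrEmpty($Value)) {
        # -Clear removes the attribute entirely; -Remove would need the exact old value.
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Clear $Attribute (was '$before')")) {
            Set-ADUser -Identity $user -Clear $Attribute
        }
    }
    else {
        # -Replace overwrites a single-valued attribute; -Add errors if a value already exists.
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Set $Attribute to '$Value' (was '$before')")) {
            Set-ADUser -Identity $user -Replace @{ $Attribute = $Value }
        }
    }

    # Read back so the caller sees the actual stored value after the change.
    $after = (Get-ADUser -Identity $user -Properties $Attribute).$Attribute
    [pscustomobject]@{
        User      = $user.SamAccountName
        Attribute = $Attribute
        Before    = $before
        After     = $after
    }
}

# Usage (the sAMAccountName 'jdoe' is a placeholder):
# Set-ExtensionAttribute -Identity 'jdoe' -Attribute extensionAttribute4 -Value 'myString' -WhatIf
# Set-ExtensionAttribute -Identity 'jdoe' -Attribute extensionAttribute4 -Value $null
```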

Bulk Disable PowerShell Script Not Executing

I am kinda new to powershell and started a role in support. Working on a powershell script that will do the following things:
Disable a user account
Remove all AD Groups except for Domain Users
Edit the description
Move AD object to a disabled users OU
I think I can probably change the "$TargetOU = OUPath" because the disabled users OU is never really going to change... if that's the issue then I'll feel like a dummy lol.
I am trying and failing to complete this! I don't know what is going wrong. PowerShell isn't faulting out or anything; it is just not executing.
Thank you for any help!
My code is here:
Import-Module ActiveDirectory
$TargetOU = "OU=DisabledUsers"
Import-Csv "C:\temp\DisableTest.csv" | ForEach-Object {
$samAccountName = $_."samAccountName"
Get-AdPrincipalGroupMembership -Identity $samAccountName {Where-Object -Property Name -Ne -Value 'Domain Users' | Remove-AdGroupMember -Members $samAccountName}
Get-ADUser -Identity $samAccountName | Disable-ADAccount
Get-ADUser -Identity $samAccountName -Description "Disabled Per Request XXXX"
Move-ADObject -Identity $UserDN -TargetPath $TargetOU
}
You have several issues:
$TargetOU = "OU=DisabledUsers"
This should be the full distinguished name, so something like OU=DisabledUsers,DC=example,DC=com
Get-AdPrincipalGroupMembership -Identity $samAccountName {Where-Object -Property Name -Ne -Value 'Domain Users' | Remove-AdGroupMember -Members $samAccountName}
The syntax here is messed up. You want to pipe (|) the results from Get-AdPrincipalGroupMembership into Where-Object, but you have braces ({). The closing brace at the end of the line is thus unnecessary. The Where-Object cmdlet also lets you simplify the syntax to something more readable, like Where Name -ne 'Domain Users'.
Get-ADUser -Identity $samAccountName -Description "Disabled Per Request XXXX"
This should be Set-ADUser, which explains why this isn't changing anything.
Move-ADObject -Identity $UserDN -TargetPath $TargetOU
You haven't defined $UserDN, so it's not going to find the user. And as already mentioned, the target path should be the full distinguished name.
You're also looking up the account several times. Every time you pass just the username, it has to search for the account. As you have it, it would be searching for the account 5 times. You can avoid that (and speed things up) by calling Get-ADUser once and passing the result into each of the other commands.
And just for simplicity, you can omit -Identity since the first parameter is assumed to be the identity.
Putting everything together, it would look something like this:
Import-Module ActiveDirectory
$TargetOU = "OU=DisabledUsers,DC=example,DC=com" # Change this to the real value
Import-Csv "C:\temp\DisableTest.csv" | ForEach-Object {
    $user = Get-ADUser $_."samAccountName"
    Get-AdPrincipalGroupMembership $user | Where Name -ne 'Domain Users' | Remove-AdGroupMember -Members $user
    Disable-ADAccount $user
    Set-ADUser $user -Description "Disabled Per Request XXXX"
    Move-ADObject $user -TargetPath $TargetOU
}
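The same four offboarding steps as an added example (my own code, not the answer's): each account's group list is exported to an audit CSV before anything is removed, so the change is reversible and reviewable, and the whole operation honours -WhatIf/-Confirm. The function name, the OU, the file paths and the CSV layout (a samAccountName column) are placeholders.

```powershell
# Added example: auditable bulk offboarding. Assumes a CSV with a samAccountName column.
#Requires -Modules ActiveDirectory

function Disable-OffboardedUser {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)] [string] $SamAccountName,
        [string] $TargetOU    = 'OU=DisabledUsers,DC=example,DC=com',   # placeholder OU
        [string] $AuditLog    = 'C:\temp\offboarding-audit.csv',         # placeholder path
        [string] $Description = "Disabled per request $(Get-Date -Format yyyy-MM-dd)"
    )
    process {
        $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf
        # Record memberships first: the group DNs are what you need to restore access later.
        $groups = @($user.MemberOf | ForEach-Object { Get-ADGroup -Identity $_ })
        $groups | ForEach-Object {
            [pscustomobject]@{ When = Get-Date -Format o; User = $user.SamAccountName; Group = $_.DistinguishedName }
        } | Export-Csv -Path $AuditLog -Append -NoTypeInformation

        if (-not $PSCmdlet.ShouldProcess($user.DistinguishedName, 'disable, strip groups, move')) { return }

        # memberOf never lists the primary group (Domain Users by default), so it cannot be
        # removed here; the filter only matters if the primary group was changed on this account.
        $groups | Where-Object Name -ne 'Domain Users' |
            Remove-ADGroupMember -Members $user -Confirm:$false
        Disable-ADAccount -Identity $user
        Set-ADUser -Identity $user -Description $Description
        # Move last: after the move the DN held in $user is stale, so nothing else may use it.
        Move-ADObject -Identity $user -TargetPath $TargetOU
    }
}

# Usage: Import-Csv 'C:\temp\DisableTest.csv' | Disable-OffboardedUser -WhatIf
```

Run it once with -WhatIf to check the audit rows and the planned changes, then without it.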

get all computer accounts and remove-ADPrincipalGroupMembership

I'm trying to remove all the principal group memberships starting with the name of all computer accounts in one specific ou.
I've tried browsing to the OU with the AD provider, typing gci and getting a list of all the computers in the ou to find their ADPrincipalGroupMembership which works. Also, using get-adcomputer -searchbase <ou> -filter * works too. But I can't then remove every group that each machine is a member of.
When I then try to expand on that with Remove-ADPrincipalGroupMembership, my input for the groups to remove is System.String and Remove-ADPrincipalGroupMembership won't accept that. I have something like this so far:
Get-ADComputer -SearchBase 'OU=blahblah' -Filter * |
Remove-ADPrincipalGroupMembership -MemberOf (Get-ADGroup -Filter 'name -like "17"')
I've read help and examples but I can't find how to do this. I don't want to give up and just use the gui :)
thank you
You can try this... I am not able to test it to confirm it works, but I think it should.
$Comps = Get-ADComputer -SearchBase 'OU=blahblah' -Filter * -Properties MemberOf
Foreach ($Comp in $Comps)
{
    # Keep only the groups whose DN starts with CN=17
    $Groups = $Comp.MemberOf | ? {$_ -like "CN=17*"}
    if ($Groups)
    {
        Remove-ADPrincipalGroupMembership -Identity $Comp -MemberOf $Groups -WhatIf #-Confirm:$false
    }
}
Assuming it works with the -WhatIf statement: by default I believe that command will prompt you if you're sure about each removal, which could be a pain, so you could uncomment -Confirm:$false to try to avoid that.
Also it is assuming the distinguished name of each group is going to be something along the lines of
CN=17groupA,OU=Computer Groups,OU=Computer,DC=TEST,DC=NET

Is it possible to set a users memberOf property in Active Directory using Powershell

I need to create a Powershell script that sets some user attributes in Active Directory.
I'm using the Set-AdUser command and passing in a user object as follows:
$user = Get-AdUser -Identity $userIdentity
$user.MemberOf = $dn_of_group
Set-ADUser -Instance $user
this returns an error of 'The adapter cannot set the value of property "MemberOf"'.
Is it possible to set the MemberOf property from powershell?
If so, what am I doing wrong?
You cannot modify the MemberOf property - you need to add the user to the group using the Add-ADGroupMember Cmdlet:
Add-ADGroupMember $dn_of_group $user

get contacts distributiongroups

I'm creating a script to manage contacts and users on Exchange 2010 via Powershell. Especially we try to get all distributiongroups of a contact/user.
Is there a way to get the distribution groups of a contact/user? Perhaps without searching in all distribution groups?
It can be done by using Get-ADObject using the contact's guid:
$contact = Get-MailContact domainname\contactname
(Get-ADObject -Identity $contact.Guid -Properties 'MemberOf').MemberOf
I had errors following the command above; the following tweak worked for me:
(Get-ADObject -Identity $contact.Guid -Properties 'MemberOf' |
    Select-Object MemberOf).MemberOf

PowerShell Add 1 day to the AccountExpire attribute of an AD user

As topic states. How can I put 1 extra day to the selected user account.
I know AD goes by Windows File Time. Does anyone know the easiest and least code written method?
You can modify the accountExpires property of an AD user through the Set-ADUser cmdlet included in Windows Server 2008 R2:
Import-Module activedirectory
$expireDate = (Get-ADUser -Identity "John Appleseed" -Properties accountExpires).accountExpires
$renewedExpireDate = ([System.DateTime]::FromFileTime($expireDate)).AddDays(1)
Set-ADUser -Identity "John Appleseed" -AccountExpirationDate $renewedExpireDate
As you said, the value of the accountExpires property is represented as a Windows file time, which is a 64-bit integer. In this example we convert it to a DateTime to easily modify it and then pass it to the -AccountExpirationDate parameter to update the user.
Using Quest AD module:
Set-qaduser <username> -AccountExpires ( [datetime]( get-qaduser <username> -IncludeAllProperties ).AccountExpires ).AddDays(1)
This can also be accomplished in a multi domain environment by adding the -server switch and passing in the domain string (i.e. "domain.corp.root"). I also had to move the .accountExpires as it was in the wrong place in this code sample. Thanks for providing this, it was exactly what I needed.
Import-Module ActiveDirectory
$expireDate = (Get-ADUser -Identity "samaccountname" -Properties accountExpires -server "domain.corp.root")
$renewedExpireDate = ([System.DateTime]::FromFileTime($expireDate.accountExpires)).AddDays(1)
Set-ADUser -Identity "samaccountname" -AccountExpirationDate $renewedExpireDate -server "domain.corp.root"
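An added example (my own code, not from the answers above) that generalises the one-liner to N days and handles the case the answers skip: an accountExpires of 0 or 9223372036854775807 means "never expires", and [DateTime]::FromFileTime() throws on the latter, so a blind AddDays(1) fails on such accounts. The -Server handling follows the multi-domain note above; the function and parameter names are my own.

```powershell
# Added example: extend accountExpires by N days, treating "never expires" explicitly.
#Requires -Modules ActiveDirectory

function Add-AccountExpirationDays {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [int] $Days = 1,
        [string] $Server,                   # optional, e.g. "domain.corp.root" in a multi-domain forest
        [switch] $ConvertNeverToExpiring    # opt-in: turn "never expires" into now + $Days
    )
    $ad = @{ Identity = $Identity }
    if ($Server) { $ad.Server = $Server }

    $user = Get-ADUser @ad -Properties accountExpires
    $raw  = [long] $user.accountExpires
    # Both sentinel values mean the account has no expiry date set.
    $neverExpires = ($raw -eq 0) -or ($raw -eq [long]::MaxValue)

    if ($neverExpires -and -not $ConvertNeverToExpiring) {
        Write-Warning "$($user.SamAccountName) has no expiry (accountExpires=$raw); nothing changed."
        return
    }
    # FromFileTime would throw on [long]::MaxValue and return 1601-01-01 for 0, hence the guard.
    $current = if ($neverExpires) { Get-Date } else { [DateTime]::FromFileTime($raw) }
    $new     = $current.AddDays($Days)

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "accountExpires $current -> $new")) {
        Set-ADUser @ad -AccountExpirationDate $new
    }
    [pscustomobject]@{ User = $user.SamAccountName; Previous = $current; New = $new }
}

# Usage (sAMAccountName and domain are placeholders):
# Add-AccountExpirationDays -Identity 'jdoe' -Days 1 -Server 'domain.corp.root' -WhatIf
```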