Clear multi attribute with content for AD users

jan-mikkelsen · April 13, 2016, 6:04pm

I would like to Clear all the multible attributes for my AD users(reminiscence from Old Office Communication server installation):
I tried the following, but i can’t seem to get past this error:

Get-ADUser : Error parsing query: '{(msRTCSIP-ArchivingEnabled -like "*") -or (msRTCSIP-FederationEnabled -like "*") -or (msRTCSIP-InternetAccessEnabled -like "*") -or (msRTCSIP-Lin
e -like "*") -or (msRTCSIP-LineServer -like "*") -or (msRTCSIP-OptionFlags -like "*") -or (msRTCSIP-OriginatorSid -like "*") -or (msRTCSIP-PrimaryHomeServer -like "*") -or (msRTCSIP
-PrimaryUserAddress -like "*") -or (msRTCSIP-TargetHomeServer -like "*") -or (msRTCSIP-UserEnabled -like "*") -or (msRTCSIP-UserExtension -like "*") -or (msRTCSIP-UserPolicy -like "
*")}' Error Message: 'syntax error' at position: '1'.
At C:\Users\XXXX\OneDrive\Build-Filter.ps1:32 char:1
+ Get-ADUser -Filter $Filter
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ParserError: (:) [Get-ADUser], ADFilterParsingException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADFilterParsingException,Microsoft.ActiveDirectory.Management.Commands.GetADUser

This is my code:

$exattr=@(
    'msRTCSIP-ArchivingEnabled',
    'msRTCSIP-FederationEnabled',
    'msRTCSIP-InternetAccessEnabled',
    'msRTCSIP-Line',
    'msRTCSIP-LineServer',
    'msRTCSIP-OptionFlags',
    'msRTCSIP-OriginatorSid',
    'msRTCSIP-PrimaryHomeServer',
    'msRTCSIP-PrimaryUserAddress',
    'msRTCSIP-TargetHomeServer',
    'msRTCSIP-UserEnabled',
    'msRTCSIP-UserExtension',
    'msRTCSIP-UserPolicy'
)

# Build -Filter String
$exattr | Foreach-Object -Begin {
    $Filter = "{"
} -Process {
    $Filter += "($_"
    $Filter += " -like "
    $Filter += '"*"'
    $Filter += ") "
    $Filter += "-or "

} -End {
    $Filter += "}"
}
$Filter=$Filter.Replace(" -or }","}") 
# Get AD users with attributes having content
Get-ADUser -Filter $Filter

If i write it all by hand, it works, but I rather like to do it smarter:

Get-ADUser -Filter {(msRTCSIP-PrimaryHomeServer -like "*") -or (msRTCSIP-PrimaryUserAddress -like "SIP:*") -or (msRTCSIP-UserEnabled -like "*")}

What am i doing wrong?

rdtechie · April 13, 2016, 8:26pm

Actually you don’t need to search first if user objects already have a value present or not. You can just null everything. Here’s one approach to do this. I’m using splatting here to feed the parameters to the Set-ADUser Cmdlet:

$extraProperties = @(
  'msRTCSIP-ArchivingEnabled', 
  'msRTCSIP-FederationEnabled', 
  'msRTCSIP-InternetAccessEnabled', 
  'msRTCSIP-Line', 
  'msRTCSIP-LineServer', 
  'msRTCSIP-OptionFlags', 
  'msRTCSIP-OriginatorSid', 
  'msRTCSIP-PrimaryHomeServer', 
  'msRTCSIP-PrimaryUserAddress', 
  'msRTCSIP-TargetHomeServer', 
  'msRTCSIP-UserEnabled', 
  'msRTCSIP-UserExtension', 
  'msRTCSIP-UserPolicy'
)

$users = Get-ADUser -Filter * -Properties $extraProperties

foreach ( $user in $users) {

  $args = @{
    Identity 													= $($user.SamAccountName)
    'msRTCSIP-ArchivingEnabled'				= $null
    'msRTCSIP-FederationEnabled' 			= $null
    'msRTCSIP-InternetAccessEnabled'	= $null
    'msRTCSIP-Line' 									= $null
    'msRTCSIP-LineServer' 						= $null
    'msRTCSIP-OptionFlags' 						= $null
    'msRTCSIP-OriginatorSid' 					= $null
    'msRTCSIP-PrimaryHomeServer' 			= $null
    'msRTCSIP-PrimaryUserAddress' 		= $null
    'msRTCSIP-TargetHomeServer' 			= $null
    'msRTCSIP-UserEnabled' 						= $null
    'msRTCSIP-UserExtension' 					= $null
    'msRTCSIP-UserPolicy' 						= $null
  }

  Set-ADUser @args
  
}

jan-mikkelsen · April 13, 2016, 9:43pm

When i run the code i get the following error:

Set-ADUser : A parameter cannot be found that matches parameter name 'msRTCSIP-OriginatorSid'.
At C:\Users\XXXX\OneDrive\ADUser-Clear-multi-Attribute-multi-users_exprimental.ps1:38 char:14
+   Set-ADUser @args -WhatIf
+              ~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Set-ADUser], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.ActiveDirectory.Management.Commands.SetADUser

rdtechie · April 13, 2016, 9:54pm

Ah yes, sorry, those attributes don’t have a named parameter in the Set-ADUser Cmdlet. So you need to use the -replace parameter. Try this:

$users = Get-ADuser -Filter * -Properties $extraProperties

foreach ( $user in $users ) 
{
  Set-ADUser -Identity $($user.SamAccountName) -Replace @{
    'msRTCSIP-ArchivingEnabled' = $null
    'msRTCSIP-FederationEnabled' = $null
    'msRTCSIP-InternetAccessEnabled' = $null
    'msRTCSIP-Line' = $null
    'msRTCSIP-LineServer' = $null
    'msRTCSIP-OptionFlags' = $null
    'msRTCSIP-OriginatorSid' = $null
    'msRTCSIP-PrimaryHomeServer' = $null
    'msRTCSIP-PrimaryUserAddress' = $null
    'msRTCSIP-TargetHomeServer'	= $null
    'msRTCSIP-UserEnabled' = $null
    'msRTCSIP-UserExtension' = $null
    'msRTCSIP-UserPolicy' = $null
  }
}

jan-mikkelsen · April 13, 2016, 11:38pm

I tried it, but now i get this errer:

Set-ADUser : Cannot validate argument on parameter 'Replace'. The argument is null or an element of the argument collection contains a null value.
At C:\Users\XXXX\OneDrive - JP-Politikens Hus\Work\PS\SfB\ADUser-Clear-multi-Attribute-multi-users_exprimental.ps1:21 char:57
+   Set-ADUser -Identity $($user.SamAccountName) -Replace @{
+                                                         ~~
    + CategoryInfo          : InvalidData: (:) [Set-ADUser], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.SetADUser

rdtechie · April 14, 2016, 12:15am

Try to execute it in PowerShell ISE.

tmac · May 2, 2017, 11:12pm

You can’t set AD attribute to “null” in that way - it must be “cleared”. Also, I found that in our environment, the msRTCSIP attributes have quite different names.

My preferred method was to simply find all the msRTCSIP attributes in the account (since they all have the same prefix, why not) and clear them. It’s hitting AD three times rather than just twice, but the first is just to compile the user list - intelligent filters will help.

The only tricky part was that the attributes are “NoteProperty” types - all we wanted was the attribute names and not the values.

$users = Get-ADUser -Filter * -SearchBase "OU=Disabled Users..."
foreach ( $u in $users) {
    $RTCprops = (Get-ADUser $u | Select "msRTCSIP*").psobject.properties | select -expandproperty name
    Set-ADUser $u -Clear @($RTCprops)
}

Topic		Replies	Views
Clear 2 attributes for selected Users PowerShell Help	2	219	September 10, 2020
Batch update All OU PowerShell Help	5	136	April 4, 2022
Problem with command arguments PowerShell Help	1	126	November 23, 2015
Query ADUsers in .csv, set-ADUser attrib with array property PowerShell Help	4	127	May 3, 2016
Set-ADUser in multiple domains PowerShell Help	3	190	March 20, 2020

Clear multi attribute with content for AD users

Related Topics