Clear multi attribute with content for AD users

I would like to clear all the multiple attributes for my AD users (reminiscence from old Office Communication Server installation):
I tried the following, but I can’t seem to get past this error:

Get-ADUser : Error parsing query: '{(msRTCSIP-ArchivingEnabled -like "*") -or (msRTCSIP-FederationEnabled -like "*") -or (msRTCSIP-InternetAccessEnabled -like "*") -or (msRTCSIP-Lin
e -like "*") -or (msRTCSIP-LineServer -like "*") -or (msRTCSIP-OptionFlags -like "*") -or (msRTCSIP-OriginatorSid -like "*") -or (msRTCSIP-PrimaryHomeServer -like "*") -or (msRTCSIP
-PrimaryUserAddress -like "*") -or (msRTCSIP-TargetHomeServer -like "*") -or (msRTCSIP-UserEnabled -like "*") -or (msRTCSIP-UserExtension -like "*") -or (msRTCSIP-UserPolicy -like "
*")}' Error Message: 'syntax error' at position: '1'.
At C:\Users\XXXX\OneDrive\Build-Filter.ps1:32 char:1
+ Get-ADUser -Filter $Filter
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ParserError: (:) [Get-ADUser], ADFilterParsingException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADFilterParsingException,Microsoft.ActiveDirectory.Management.Commands.GetADUser

This is my code:


# Build -Filter String
$exattr | Foreach-Object -Begin {
    $Filter = "{"
} -Process {
    $Filter += "($_"
    $Filter += " -like "
    $Filter += '"*"'
    $Filter += ") "
    $Filter += "-or "

} -End {
    $Filter += "}"
}
# Remove the trailing " -or " left after the last attribute
$Filter = $Filter.Replace(" -or }","}")
# Get AD users with attributes having content
Get-ADUser -Filter $Filter

If I write it all by hand, it works, but I would rather do it smarter:

Get-ADUser -Filter {(msRTCSIP-PrimaryHomeServer -like "*") -or (msRTCSIP-PrimaryUserAddress -like "SIP:*") -or (msRTCSIP-UserEnabled -like "*")}

What am I doing wrong?

Actually you don’t need to search first if user objects already have a value present or not. You can just null everything. Here’s one approach to do this. I’m using splatting here to feed the parameters to the Set-ADUser Cmdlet:

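# Same attribute names as in the hashtable below
$extraProperties = @(
  'msRTCSIP-ArchivingEnabled'
  'msRTCSIP-FederationEnabled'
  'msRTCSIP-InternetAccessEnabled'
  'msRTCSIP-Line'
  'msRTCSIP-LineServer'
  'msRTCSIP-OptionFlags'
  'msRTCSIP-OriginatorSid'
  'msRTCSIP-PrimaryHomeServer'
  'msRTCSIP-PrimaryUserAddress'
  'msRTCSIP-TargetHomeServer'
  'msRTCSIP-UserEnabled'
  'msRTCSIP-UserExtension'
  'msRTCSIP-UserPolicy'
)

$users = Get-ADUser -Filter * -Properties $extraProperties

foreach ($user in $users) {

  # Splatting: every key in this hashtable is passed to Set-ADUser as a named parameter
  $args = @{
    Identity                         = $($user.SamAccountName)
    'msRTCSIP-ArchivingEnabled'      = $null
    'msRTCSIP-FederationEnabled'     = $null
    'msRTCSIP-InternetAccessEnabled' = $null
    'msRTCSIP-Line'                  = $null
    'msRTCSIP-LineServer'            = $null
    'msRTCSIP-OptionFlags'           = $null
    'msRTCSIP-OriginatorSid'         = $null
    'msRTCSIP-PrimaryHomeServer'     = $null
    'msRTCSIP-PrimaryUserAddress'    = $null
    'msRTCSIP-TargetHomeServer'      = $null
    'msRTCSIP-UserEnabled'           = $null
    'msRTCSIP-UserExtension'         = $null
    'msRTCSIP-UserPolicy'            = $null
  }

  Set-ADUser @args
}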

When I run the code I get the following error:

Set-ADUser : A parameter cannot be found that matches parameter name 'msRTCSIP-OriginatorSid'.
At C:\Users\XXXX\OneDrive\ADUser-Clear-multi-Attribute-multi-users_exprimental.ps1:38 char:14
+   Set-ADUser @args -WhatIf
+              ~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Set-ADUser], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.ActiveDirectory.Management.Commands.SetADUser

Ah yes, sorry, those attributes don’t have a named parameter in the Set-ADUser Cmdlet. So you need to use the -replace parameter. Try this:

$users = Get-ADUser -Filter * -Properties $extraProperties

foreach ( $user in $users ) {
  Set-ADUser -Identity $($user.SamAccountName) -Replace @{
    'msRTCSIP-ArchivingEnabled' = $null
    'msRTCSIP-FederationEnabled' = $null
    'msRTCSIP-InternetAccessEnabled' = $null
    'msRTCSIP-Line' = $null
    'msRTCSIP-LineServer' = $null
    'msRTCSIP-OptionFlags' = $null
    'msRTCSIP-OriginatorSid' = $null
    'msRTCSIP-PrimaryHomeServer' = $null
    'msRTCSIP-PrimaryUserAddress' = $null
    'msRTCSIP-TargetHomeServer' = $null
    'msRTCSIP-UserEnabled' = $null
    'msRTCSIP-UserExtension' = $null
    'msRTCSIP-UserPolicy' = $null
  }
}

I tried it, but now I get this error:

Set-ADUser : Cannot validate argument on parameter 'Replace'. The argument is null or an element of the argument collection contains a null value.
At C:\Users\XXXX\OneDrive - JP-Politikens Hus\Work\PS\SfB\ADUser-Clear-multi-Attribute-multi-users_exprimental.ps1:21 char:57
+   Set-ADUser -Identity $($user.SamAccountName) -Replace @{
+                                                         ~~
    + CategoryInfo          : InvalidData: (:) [Set-ADUser], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.SetADUser

Try to execute it in PowerShell ISE.

You can’t set an AD attribute to “null” in that way - it must be “cleared”. Also, I found that in our environment, the msRTCSIP attributes have quite different names.

My preferred method was to simply find all the msRTCSIP attributes in the account (since they all have the same prefix, why not) and clear them. It’s hitting AD three times rather than just twice, but the first is just to compile the user list - intelligent filters will help.

The only tricky part was that the attributes are “NoteProperty” types - all we wanted was the attribute names and not the values.

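$users = Get-ADUser -Filter * -SearchBase "OU=Disabled Users..."
foreach ($u in $users) {
    # Collect only the names of the msRTCSIP* attributes that are populated on this account
    $RTCprops = Get-ADUser $u -Properties * | Select-Object "msRTCSIP*" |
        Get-Member -MemberType NoteProperty | Select-Object -ExpandProperty Name
    if ($RTCprops) { Set-ADUser $u -Clear @($RTCprops) }
}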
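
The parsing error in the original question comes from the braces being part of the filter string; built as a plain string, the same filter can feed a single -Clear pass over only the affected users. This is an added example, not code from any post in the thread; the variable names and the search base are assumptions made for illustration.

```powershell
# Added example; requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Attribute names as listed in the thread.
$rtcAttributes = @(
    'msRTCSIP-ArchivingEnabled'
    'msRTCSIP-FederationEnabled'
    'msRTCSIP-InternetAccessEnabled'
    'msRTCSIP-Line'
    'msRTCSIP-LineServer'
    'msRTCSIP-OptionFlags'
    'msRTCSIP-OriginatorSid'
    'msRTCSIP-PrimaryHomeServer'
    'msRTCSIP-PrimaryUserAddress'
    'msRTCSIP-TargetHomeServer'
    'msRTCSIP-UserEnabled'
    'msRTCSIP-UserExtension'
    'msRTCSIP-UserPolicy'
)

# -Filter takes a string. A script block literal is converted to its text
# without the braces, so a filter built as a string must not contain "{" or "}".
# Joining with -or also avoids having to trim a trailing operator.
$filter = ($rtcAttributes | ForEach-Object { "($_ -like '*')" }) -join ' -or '

# Hypothetical search base (assumption): replace with the OU that holds
# the accounts to clean up, so the change is scoped and reviewable.
$searchBase = 'OU=Example,DC=example,DC=com'

# Only users with at least one of the attributes populated are returned.
$users = @(Get-ADUser -Filter $filter -SearchBase $searchBase)
Write-Output "Users with msRTCSIP attributes set: $($users.Count)"

foreach ($user in $users) {
    # -Clear takes attribute names only, which is why it works where
    # -Replace with $null values is rejected.
    # -WhatIf makes this a dry run; remove it to apply the change.
    Set-ADUser -Identity $user -Clear $rtcAttributes -WhatIf
}
```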