Setting msExchExtensionCustomAttributes a security [SOLVED]

by John.A.Mello at 2013-04-08 12:29:19

I recently received a request to create a security group that grants users remote access in emergency situations, but the user must be removed after 5 days. Originally we were using a PowerShell script that would save this information in a CSV file and update it every time it runs. Once the user is marked as being in the group for more than 5 days in the CSV file the user is removed from the group.

Now that I got my second request for an additional group I was thinking of using one of the Exchange custom multi-value attributes (msExchExtensionCustomAttribute1) to store this information instead, but I can’t figure out how to do so via PowerShell. I can add values to any of the 5 attributes for the security group in Active Directory Users and Computers, but can’t set them in PowerShell. I can do so for users using
Set-Mailbox John.Doe -ExtensionCustomAttribute1 $GROUPS
but it would be easier to store this info with the group and not the members of the group. Any ideas or can this not be done with security groups?
by DonJ at 2013-04-09 23:43:42
There’s a lot of inconsistency in the cmdlets in terms of being able to access nonstandard attributes. This is, of course, purely an AD thing, not an Exchange thing. You might consider trying the Quest AD cmdlets (free), which are a bit “dumber” in that they don’t pretend to know what attributes exist, and so they actually ask the domain (which is what a command OUGHT to do). I find they’re better able to access odd attributes.

I’m also pinging Kirk Munro - he’s worked with the Quest cmdlets a lot and might be able to offer some additional advice.
by kittH at 2013-04-10 05:26:20
If I understand, you just want to set the msExchExtensionCustomAttribute1 field for a group. Don is exactly right, you can do it with the Quest cmdlets.

Set-QADGroup -Identity "GroupName" -ObjectAttributes @{msExchExtensionCustomAttribute1="Test"}
by John.A.Mello at 2013-04-10 05:32:18
I was able to do it with the Quest cmdlets, and if I mail-enable a security group I can use Set-Distribution -ExtensionCustomAttribute1 to set the custom attributes. I was just looking for a way to do it without either; if that’s not the case then no worries!
by gpduck at 2013-04-10 05:37:28
If the Microsoft ActiveDirectory module is an option, then the Set-ADGroup cmdlet will set arbitrary values with the Add/Remove/Replace parameters.

Set-ADGroup -Identity SomeGroup -Add @{msExchExtensionCustomAttribute1="SomeValue"}

There is also Set-ADObject that has Add/Remove/Replace parameters that can be used to change arbitrary attributes on arbitrary AD object types.
by John.A.Mello at 2013-04-10 07:00:32
That works, gpduck, thanks! I was able to retrieve the objects as well by using
(Get-ADGroup SomeGroup -Properties msExchExtensionCustomAttribute3).msExchExtensionCustomAttribute3
Now hopefully I can get the script to work like I want it to!
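
Added example, not code from any poster in this thread: one way to build the 5-day expiry described in the first post on top of the Set-ADGroup and Get-ADGroup calls shown above. The function name, the "memberDN|timestamp" entry format, and the choice to dedicate msExchExtensionCustomAttribute1 to this script are assumptions of the example.

```powershell
# Added example. Assumes the Microsoft ActiveDirectory module and that the
# attribute holds only this script's "<memberDN>|<UTC ISO 8601 time>" entries.
Import-Module ActiveDirectory

function Sync-TimedGroupMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [int]$MaxDays = 5
    )
    $attr  = 'msExchExtensionCustomAttribute1'
    $group = Get-ADGroup -Identity $GroupName -Properties @($attr, 'member')
    $now   = (Get-Date).ToUniversalTime()
    $style = [Globalization.DateTimeStyles]::RoundtripKind

    # Parse stored entries into a map of member DN -> time first seen.
    $seen = @{}
    foreach ($entry in @($group.$attr)) {
        $i = "$entry".LastIndexOf('|')
        if ($i -lt 1) { continue }       # not one of our entries
        $ts = [datetime]::MinValue       # unparseable time stays MinValue => expired
        [void][datetime]::TryParse($entry.Substring($i + 1),
            [cultureinfo]::InvariantCulture, $style, [ref]$ts)
        $seen[$entry.Substring(0, $i)] = $ts
    }

    # Walk direct members; entries for accounts no longer in the group are dropped.
    $keep = @{}
    foreach ($dn in @($group.member | Where-Object { $_ })) {
        if (-not $seen.ContainsKey($dn)) {
            $keep[$dn] = $now            # first run since this member was added
        } elseif (($now - $seen[$dn]).TotalDays -le $MaxDays) {
            $keep[$dn] = $seen[$dn]
        } elseif ($PSCmdlet.ShouldProcess($dn, "Remove from $GroupName")) {
            Remove-ADGroupMember -Identity $group -Members $dn -Confirm:$false
        } else {
            $keep[$dn] = $seen[$dn]      # removal declined: keep the original time
        }
    }

    # Write the surviving entries back to the group object.
    $values = [string[]]@($keep.GetEnumerator() |
        ForEach-Object { '{0}|{1:o}' -f $_.Key, $_.Value })
    if ($values.Count -gt 0) { Set-ADGroup -Identity $group -Replace @{ $attr = $values } }
    else { Set-ADGroup -Identity $group -Clear $attr }
}

Sync-TimedGroupMembership -GroupName 'SomeGroup' -WhatIf   # dry run
```

The clock starts when the script first sees a member, not when the member was actually added, so the schedule interval bounds the error. Anyone who can write this attribute on the group can reset a timer, so write access to the group object needs to be as restricted as membership changes are.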