Wildcards..

Hi All,

So I’ve just finished the MVP PowerShell course and figure I should put it to good use. Nothing better than practice, right?

We’ve moved our Exchange services to O365 and I’ve been tasked with removing X500 / x500 (both are present) values from the “proxyAddresses” attribute for all users.

So, I’ve been able to remove an individual value from an individual AD Account using this;

Set-ADUser -Identity "username" -Remove @{proxyAddresses="x500Value"}

However, there are two values for each user. So I’d like to say;

Set-ADUser -Identity * -Remove @{proxyAddresses="*500*"}

This does run without error but doesn’t remove anything. I’m assuming that this is because it’s recognising the ‘wildcard’ (in proxyAddresses value) as a character instead of a ‘wildcard’ in the value, but I’ve no idea what to do about it.

All help much appreciated.

Adam

AD itself doesn’t recognize wild cards, and it’s the one processing the operation. There’s nothing you can do about it; it’s a limitation of the technology.

Hi Don,

Thanks for your response. Please don’t take this as anything other than my attempt to understand (I’ve a long curve ahead of me, I think). :slight_smile:

If I enter a PSSession with the DC and run;

Get-ADUser *
= This outputs every user object in my environment which would indicate it had recognised the 'wildcard'? Or is something else processing this?

Thanks,
Adam

Certain parameters support wildcards. That * that you passed to Get-ADUser happens to be assigned to its “Filter” parameter, which does.

However, you can’t just stick wildcards anywhere you like. The -Identity parameter to Set-ADUser and the values in the hashtable that you pass to -Remove probably don’t do any sort of wildcard matching (though I haven’t tested that myself.) That doesn’t mean that you can’t conceptually make this work, just that it takes more work on your part. You need to have a script which fetches one or more users, looks through their proxyAddresses attribute for matching values, and removes them explicitly. Something like this (again, not tested; I don’t have an AD environment up on my home lab at the moment. Remove the -WhatIf parameter from the Set-ADUser command once you’re confident it’s doing the right thing.)

$users = Get-ADUser * -Properties proxyAddresses
foreach ($user in $users)
{
    $addressesToRemove = @($user.proxyAddresses) -like '*500*'
    if ($addressesToRemove.Count -gt 0)
    {
        Set-ADUser -Identity $user.DistinguishedName -Remove @{proxyAddresses = $addressesToRemove} -WhatIf
    }
}

Note: It may be possible to speed this up by filtering the Get-ADUser command with something like -Filter 'ProxyAddresses -like "*500*"', but since I can’t test that at the moment, I went with something that I was confident should work.

Hi Dave,

Thank you for taking the time to respond to the question, scary stuff this PowerShell and there’s only so much you can pull from Google and Help files… :slight_smile:

I shall test this (and break down the function so I understand a bit better) and will post back here to let you know how I get on. Assuming you’re interested!

Thanks Again,
Adam

Hi Guys,

As promised, I got back in to the office today and tried this out.

Dave - Thanks very much, did the trick. The only change I had to make, ironically, is that I had to specify “*” as a ‘-Filter’!

So workable script turned out as;

$users = Get-ADUser -Filter * -Properties proxyAddresses
foreach ($user in $users)
{
    $addressesToRemove = @($user.proxyAddresses) -like '*500*'
    if ($addressesToRemove.Count -gt 0)
    {
        Set-ADUser -Identity $user.DistinguishedName -Remove @{proxyAddresses = $addressesToRemove}
    }
}

Thanks for all your help! Much appreciated.

Adam
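
A variant of the script above, as an added example that is not part of the thread or any poster's code: it matches on the x500: address-type prefix instead of '*500*', because the broader pattern also matches any SMTP address that happens to contain "500". The function names Select-X500Address and Remove-X500ProxyAddress and the sample addresses are hypothetical; the LDAP filter narrows the query to users that actually hold an x500 value.

```powershell
# Added example: function names and sample data are hypothetical, not from the thread.

function Select-X500Address {
    # Keep only values whose address-type prefix is x500. -like is case-insensitive,
    # so this covers both "X500:" and "x500:" entries.
    param([string[]]$Address)
    @($Address | Where-Object { $_ -like 'x500:*' })
}

function Remove-X500ProxyAddress {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$SearchBase)

    # Let AD return only the users that have at least one x500 proxy address.
    $query = @{ LDAPFilter = '(proxyAddresses=x500:*)'; Properties = 'proxyAddresses' }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    foreach ($user in Get-ADUser @query) {
        $toRemove = @(Select-X500Address -Address @($user.proxyAddresses))
        if ($toRemove.Count -eq 0) { continue }

        # Honours -WhatIf and -Confirm, so a dry run changes nothing in the directory.
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Remove $($toRemove.Count) x500 value(s)")) {
            Set-ADUser -Identity $user.DistinguishedName -Remove @{ proxyAddresses = $toRemove }
        }
        # One record per affected user, suitable for Export-Csv as a change log.
        [pscustomobject]@{ User = $user.SamAccountName; Values = $toRemove -join '; ' }
    }
}

# Constructed sample values (not from a real directory) comparing the two patterns.
$sample = @(
    'SMTP:adam@example.com'
    'smtp:unit500@example.com'
    'X500:/o=ExampleOrg/ou=First Administrative Group/cn=Recipients/cn=adam'
    'x500:/o=ExampleOrg/ou=Exchange Administrative Group/cn=Recipients/cn=adam2'
)
"Matched by '*500*' :"; $sample -like '*500*'        # broad pattern from the thread
"Matched by 'x500:*':"; Select-X500Address $sample   # prefix-only pattern
```

Run `Remove-X500ProxyAddress -WhatIf | Export-Csv x500-dryrun.csv -NoTypeInformation` first and review the file before running it without -WhatIf.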