Object Attribute Manipulation

When working with objects in Active Directory and Exchange Server with PowerShell, changing an attribute may not be as easy as specifying a parameter for a particular PowerShell cmdlet. The object attribute might not be easily manipulated, or it might contain multiple values. Thus, knowing what you are manipulating might be just as important as what needs to be added to or removed from the existing attribute.

Example One

Ok. That was a bit cryptic, so we’ll start off with something ‘easy’. A common request I get from clients is: how do we add an email address to an existing mailbox? The attribute to be manipulated is the ‘ProxyAddresses’ attribute in Active Directory. If we review the Set-Mailbox cmdlet we see that there is no parameter called this, but there is one called EmailAddresses, and the help specifically states that it is a collection:

Lower in the Get-Help for the cmdlet, there is guidance on how to properly manipulate this field:

Well, that means we need to operate with care. If we simply specify one address like so:
[sourcecode language="powershell"]
Set-Mailbox Damian -EmailAddresses "Damian@PracticalPowerShell.com"
[/sourcecode]
Then we replace the whole collection and end up wiping out all previous values in this field. If that was not our intent, we need to change our code. If we are simply adding one new address, then:
[sourcecode language="powershell"]
Set-Mailbox Damian -EmailAddresses @{Add="Damian@PracticalPowerShell.com"}
[/sourcecode]
To remove, we follow a similar syntax:
[sourcecode language="powershell"]
Set-Mailbox Damian -EmailAddresses @{Remove="Damian@PracticalPowerShell.com"}
[/sourcecode]
What if we need to perform a more complex task? Say there is an old SMTP domain that was assigned to some mailboxes and this needs to be removed from the EmailAddresses field. You would need to be able to check each address and, only when a match was found, remove the email address with the old SMTP domain. Code similar to this could be used:
[sourcecode language="powershell"]
# Anchor the wildcard on '@' so look-alike domains (e.g. notretrotoys.com) are not matched
$OldDomain = "*@retrotoys.com"
$EmailAddresses = (Get-Mailbox Damian).EmailAddresses
foreach ($EmailAddress in $EmailAddresses) {
    # Each entry compares as a 'prefix:address' string, e.g. 'smtp:damian@retrotoys.com'
    if ($EmailAddress -like $OldDomain) {
        # Remove only the matching entry; every other address is left in place
        Set-Mailbox Damian -EmailAddresses @{Remove="$EmailAddress"}
    }
}
[/sourcecode]
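The loop above handles a single mailbox. As an added example (not from the original post), here is the same clean-up across every mailbox, matching the domain exactly, leaving the primary address alone and previewing changes with -WhatIf. The function name Select-OldDomainAddress and the sample addresses are assumptions made for illustration.

```powershell
# Added example, not the post author's code. Function name and sample data are hypothetical.
function Select-OldDomainAddress {
    param(
        [Parameter(Mandatory)] [string[]] $EmailAddresses,   # string form, e.g. 'smtp:user@domain'
        [Parameter(Mandatory)] [string]   $OldDomain         # e.g. 'retrotoys.com'
    )
    foreach ($Address in $EmailAddresses) {
        # Split 'prefix:value' once; only SMTP-type proxy addresses carry a mail domain.
        $Prefix, $Value = $Address -split ':', 2
        if ($Prefix -ne 'smtp') { continue }        # case-insensitive: skips X500, SIP, ...
        # Compare the part after the last '@' exactly, so 'notretrotoys.com' is not caught.
        if (($Value -split '@')[-1] -ne $OldDomain) { continue }
        [pscustomobject]@{
            Address   = $Address
            IsPrimary = ($Prefix -ceq 'SMTP')       # upper-case prefix marks the primary address
        }
    }
}

# Constructed sample that mirrors the string form of a mailbox's EmailAddresses.
$Sample = 'SMTP:damian@practicalpowershell.com',
          'smtp:damian@retrotoys.com',
          'smtp:damian@notretrotoys.com',
          'X500:/o=Org/ou=Exchange/cn=Recipients/cn=damian'
Select-OldDomainAddress -EmailAddresses $Sample -OldDomain 'retrotoys.com'

# Against live mailboxes (runs only where the Exchange cmdlets are loaded).
# -WhatIf previews each change; drop it once the preview looks right.
if (Get-Command Get-Mailbox -ErrorAction SilentlyContinue) {
    foreach ($Mailbox in Get-Mailbox -ResultSize Unlimited) {
        $Stale = Select-OldDomainAddress -EmailAddresses ([string[]]$Mailbox.EmailAddresses) `
                                         -OldDomain 'retrotoys.com' |
                 Where-Object { -not $_.IsPrimary }  # a primary address needs a replacement chosen first
        if ($Stale) {
            Set-Mailbox $Mailbox.Identity -EmailAddresses @{Remove = $Stale.Address} -WhatIf
        }
    }
}
```

Of the four sample addresses, only smtp:damian@retrotoys.com is returned.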
Example Two

Another request we might get is how to add an IP address to a Receive Connector to allow for additional applications, servers or scripts to relay email through an Exchange Server. In this case, the items are stored as an array of IP addresses on the connectors. We first need to know the data type for RemoteIPRanges. We can get this from the Get-Help for the Set-ReceiveConnector cmdlet:
[sourcecode language="powershell"]
-RemoteIPRanges <MultiValuedProperty>
[/sourcecode]
This means it is also a list of values similar to the EmailAddresses in the previous example. We need to be able to copy these values and transfer them to a new connector. Let’s gather the value range into a variable that is named appropriately:
[sourcecode language="powershell"]
$RemoteIPRanges = ( Get-ReceiveConnector "Server1\connector" ).RemoteIPRanges
[/sourcecode]
Now that we have these we can then create a new connector with the exact same range:
[sourcecode language="powershell"]
New-ReceiveConnector "New Connector" -Server Server2 -Bindings 0.0.0.0:25 -RemoteIPRanges $RemoteIPRanges
[/sourcecode]
This not only saves us time, but also saves us from our own typos, ensuring accuracy as well.
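Copying RemoteIPRanges also copies any overly wide relay range to the new connector. The following added example (not from the original post) reviews the list before it is reused. The function names, the 256-host threshold and the sample ranges are assumptions, as is the string form of each range (single address, start-end, or CIDR).

```powershell
# Added example, not the post author's code. Names, threshold and sample data are hypothetical.
function Get-IPv4RangeSize {
    param([Parameter(Mandatory)] [string] $Range)
    # Dotted-quad text -> number, most significant octet first.
    $ToNumber = {
        param($Ip)
        [double]$n = 0
        foreach ($b in [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()) { $n = $n * 256 + $b }
        $n
    }
    if ($Range -match '^(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$') {         # start-end
        $Size = (& $ToNumber $Matches[2]) - (& $ToNumber $Matches[1]) + 1
        if ($Size -ge 1) { return $Size }
    }
    elseif ($Range -match '^\d+\.\d+\.\d+\.\d+/(\d|[12]\d|3[0-2])$') {         # CIDR
        return [math]::Pow(2, 32 - [int]$Matches[1])
    }
    elseif ($Range -match '^\d+\.\d+\.\d+\.\d+$') { return 1 }                 # single host
    throw "Unrecognised IPv4 range: $Range"
}

function Test-RelayRange {
    param([string[]] $RemoteIPRanges, [double] $MaxHosts = 256)
    foreach ($Range in $RemoteIPRanges) {
        try {
            $Size    = Get-IPv4RangeSize -Range $Range
            $Verdict = if ($Size -gt $MaxHosts) { 'TooBroad' } else { 'OK' }
        }
        catch { $Size = $null; $Verdict = 'ReviewManually' }   # IPv6, mask notation, bad input
        [pscustomobject]@{ Range = $Range; Hosts = $Size; Verdict = $Verdict }
    }
}

# Constructed sample: one host, a /24, a short range, the whole IPv4 space and an IPv6 entry.
$Sample = '10.1.5.20', '192.168.10.0/24', '10.0.0.1-10.0.0.50', '0.0.0.0-255.255.255.255', '::1'
Test-RelayRange -RemoteIPRanges $Sample

# Against the live connector (runs only where the Exchange cmdlets are loaded):
if (Get-Command Get-ReceiveConnector -ErrorAction SilentlyContinue) {
    $RemoteIPRanges = (Get-ReceiveConnector "Server1\connector").RemoteIPRanges
    Test-RelayRange -RemoteIPRanges ([string[]]$RemoteIPRanges) |
        Where-Object { $_.Verdict -ne 'OK' }
}
```

In the sample, the first three entries come back OK, 0.0.0.0-255.255.255.255 is flagged TooBroad and ::1 is marked ReviewManually.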

Example Three

Now, in the above examples we have manipulated values through parameters that were predefined in the Set-Mailbox and New-ReceiveConnector cmdlets. However, what if we want to change an attribute for which the PowerShell cmdlet (say Set-ADUser) does not have a parameter? How can we make that change?

Let’s take for example a series of attributes that are not exposed in PowerShell directly. These can be seen in this screenshot:

These are all valid AD attributes, but we are unable to use a parameter of Set-ADUser to manipulate these values. However, there is an ‘Add’ parameter that is built for this. So in order to add a value to these attributes we use this syntax:

[sourcecode language="powershell"]
Set-ADUser Damian -Add @{OtherMobile='312-555-1212'}
[/sourcecode]
Conversely, we can remove these values like so:
[sourcecode language="powershell"]
Set-ADUser Damian -Remove @{OtherMobile='312-555-1212'}
[/sourcecode]
Set-ADUser also has -Clear and -Replace parameters that can be used as well.
Further Reading

https://docs.microsoft.com/en-us/powershell/module/activedirectory/set-adobject?view=winserver2012-ps
“-Add
Specifies values to add to an object property. Use this parameter to add one or more values to a property that cannot be modified using a cmdlet parameter. To modify an object property, you must use the LDAP display name. You can specify multiple values to a property by specifying a comma-separated list of values and more than one property by separating them using a semicolon.”
