delete/clear AD attribute value if attribute contains value like val*-CodePudding

Good Day!

I want to clear a specific values of AD attribute which is called aaccountroles the concept like this: if this attribute "aaccountroles" contains values that start with "S4P any" which means S4P*, it should remove the values like this

screen of an attribute in AD

import-csv -Path .\test.csv | foreach{Set-ADUser $_.sAMAccountName -Clear aaccountroles}

this script clear all values, but I want to clear specific values my test.csv file

and I tried to create this scrip:

import-csv -Path .\test.csv | foreach{Set-ADUser $_.sAMAccountName -Clear @{aaccountroles="S4P*"}

but it gave an error

Set-ADUser : The specified directory service attribute or value does not exist Parameter name: System.Collections.Hashtable At line:1 char:39

... v | foreach{Set-ADUser $_.sAMAccountName -Clear @{aaccountroles="S ...
```
            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```
- CategoryInfo : InvalidArgument: (test.user1:ADUser) [Set-ADUser], ArgumentException
- FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Commands.SetADUser

CodePudding user response：

The -Clear parameter of Set-ADUser expects a string or string array, not a hashtable.

You need to first find the user that has that attribute like 'S4P*' and if found clear that property:

Import-Csv -Path .\test.csv | ForEach-Object {
    $user = Get-ADUser -Filter "SamAccountName -eq '$($_.sAMAccountName)' -and aaccountroles -like 'S4P*'" -Properties aaccountroles -ErrorAction SilentlyContinue
    if ($user) {
        Write-Host "Clearing the aaccountroles attribute for user $($user.Name)"
        $user | Set-ADUser -Clear aaccountroles
    }
}

^{Using -Remove, -Add, -Replace or -Clear with Set-ADUser, you must use the LDAP display name. I prefer to also use the correct LDAP casing, so if that property is called aaccountRoles (with capital R), it can help to do that here too}

It wasn't clear to me you wanted to empty the attribute completely (as the above does) of just taking out the items starting with ''S4P'..

Assuming the aaccountroles is an array:

Import-Csv -Path .\test.csv | ForEach-Object {
    $user = Get-ADUser -Filter "SamAccountName -eq '$($_.sAMAccountName)' -and aaccountroles -like 'S4P*'" -Properties aaccountroles -ErrorAction SilentlyContinue
    if ($user) {
        $roles = @($user.aaccountroles | Where-Object { $_ -match '\S' -and $_ -notlike 'S4P*' })
        if ($roles.Count) {
            Write-Host "Removing the 'S4P*' aaccountroles items for user $($user.Name)"
            $user | Set-ADUser -Replace @{aaccountroles = [string[]]$roles}
        }
        else {
            Write-Host "Clearing the aaccountroles attribute for user $($user.Name)"
            $user | Set-ADUser -Clear aaccountroles
        }
    }
}

Assuming that attribute is a multiline string, not an array, you can do:

Import-Csv -Path .\test.csv | ForEach-Object {
    $user = Get-ADUser -Filter "SamAccountName -eq '$($_.sAMAccountName)' -and aaccountroles -like 'S4P*'" -Properties aaccountroles -ErrorAction SilentlyContinue
    if ($user) {
        # split the multiline string into an array and filter out the items that do not start with 'S4P'
        $roles = @($user.aaccountroles -split '\r?\n' | Where-Object { $_ -match '\S' -and $_ -notlike 'S4P*' })
        if ($roles.Count) {
            Write-Host "Removing the 'S4P*' aaccountroles items for user $($user.Name)"
            # rejoin the left over array items into a multiline string
            $newRoles = $roles -join [environment]::NewLine
            $user | Set-ADUser -Replace @{aaccountroles = $newRoles}
        }
        else {
            Write-Host "Clearing the aaccountroles attribute for user $($user.Name)"
            $user | Set-ADUser -Clear aaccountroles
        }
    }
}