Export hexadecimal AD extended attribute collection

Someone Who loves giraffes 21 Reputation points

Something I've been trying to do for a short while, and perhaps someone here can help out.
AD extended attributes stored as a collection are in a binary format and can't be exported using Export-Csv and the like.

[What I need]
I'm looking for a script and/or clues on how to go about exporting AD user extended attribute collection data in hexadecimal, rather than converted decimal, into an Excel spreadsheet.

Get-ADUser -Properties x500uniqueidentifier -Filter * | Select sAMAccountName, x500uniqueidentifier |fl

1: Listing the data in PowerShell
The example does not provide the data in hexadecimal but rather the converted decimal data from within the collection data (try it and you'll see what I mean).

[Update the export is working but wrong data type - see update01 below]
2: Attempting to export the data to CSV by appending | export-csv <some_path>
Even if it could provide the data, an export wouldn't work and would instead show "Microsoft.ActiveDirectory.Management.ADPropertyValueCollection" even if the value wasn't present for the object, a non-null value/populated.

[Update01]: Changing the encoding fixes the export issue so now I'm focused on obtaining raw hex rather than converted decimal
get-aduser <someuser> -Properties *| select name, @{n='x500uniqueIdentifier';e={[system.text.encoding]::ascii.GetString([system.text.encoding]::unicode.GetBytes($($_.x500uniqueIdentifier)))}} | export-csv <somepath>

Any ideas would be appreciated. Thank you.


4 additional answers

  1. Rich Matheisen 45,831 Reputation points

    The LDAP type is defined as "bitstring", but I don't know how that's defined by PowerShell.

    Maybe having the object type would help:

    $b = Get-ADUser -Properties x500uniqueidentifier -Filter "some filter-value-for one user"  
    $b | Format-Hex  
    $b | format-hex -Encoding Unicode  

    Also, have a look at the .Net System.Convert class. Can the property be converted to a byte array?

    1 person found this answer helpful.

  2. Rich Matheisen 45,831 Reputation points

    I still haven't found an example of the "bitstream" encoding, but I think it may correspond to the ADS Type "ADSTYPE_OCTET_STRING". If that's true, the encoding would be described in the LDAP BER (Basic Encoding Rules).

    The value would begin with the hex value identifying the element type. In this case it would be a 0x04. Following that would be the length of the value (in octets/bytes). Following that would be the string value. That value will be the binary encoding of each octet/byte. However, the octets/bytes may, or may not, represent human-readable data.

    The property x500uniqueIdentifier is defined as a multi-valued property. So, within the bitstring, after ignoring the leading 0x04, the next octet/byte would define the length of the 1st bitstring. To get the next value (if there is one), skip ahead that many octets/bytes to find the byte signifying the length of the next bitstring. Continue that process until you reach the end of the string.

    1 person found this answer helpful.

  3. Rich Matheisen 45,831 Reputation points

    Assuming(!) that you have a string with the bitstring in it, this should get you the hex value:

    # $h is the string that holds the bitstring
    $s = "X"
    for ($i = 0; $i -lt $h.Length; $i++) {
        # Append each character's code as two hex digits
        $s += "{0:x2}" -f [System.Convert]::ToUInt16($h[$i])
    }

    If the value of the data was "hello!" (in ASCII), preceded by the type identifier (X04) and the string length (X06), the output would look like this:


    If you don't want the leading "X", set the value of $s to an empty string.

    1 person found this answer helpful.

  4. Someone Who loves giraffes 21 Reputation points

    Pradeep's answer works, thank you!
    Thank you Rich M. for your assistance with coming up with a solution, great work! Have a safe and wonderful Thanksgiving
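
An added example, not taken from any answer in this thread: one way to turn a multi-valued binary attribute such as x500uniqueIdentifier into hexadecimal text that Export-Csv can write. It assumes the AD module hands back each value as a byte[] inside the property collection; the function name, account names and byte values are constructed for illustration, and the sample objects stand in for Get-ADUser output so the script runs without a domain.

```powershell
function Format-MultiValuedHex {
    # Hypothetical helper: flatten a collection of byte[] values into one
    # CSV-safe cell. Each value becomes uppercase hex; values are joined by ';'.
    param($Values, [string]$Separator = ';')

    if ($null -eq $Values) { return '' }              # attribute not populated
    # A lone byte[] would otherwise be enumerated byte by byte, so wrap it.
    if ($Values -is [byte[]]) { $Values = ,$Values }

    $hex = foreach ($v in $Values) {
        # BitConverter yields "68-65-6C"; drop the dashes for plain hex.
        [System.BitConverter]::ToString([byte[]]$v) -replace '-', ''
    }
    return ($hex -join $Separator)
}

# Constructed sample data in the shape of the AD objects. With the AD module:
#   $users = Get-ADUser -Filter * -Properties x500uniqueIdentifier
$v1 = [byte[]](0x68, 0x65, 0x6C, 0x6C, 0x6F, 0x21)   # ASCII "hello!"
$v2 = [byte[]](0x00, 0x1F, 0xA0, 0xFF)               # non-printable bytes
$users = @(
    [pscustomobject]@{ sAMAccountName = 'user.one';   x500uniqueIdentifier = @(,$v1) }
    [pscustomobject]@{ sAMAccountName = 'user.two';   x500uniqueIdentifier = @($v1, $v2) }
    [pscustomobject]@{ sAMAccountName = 'user.three'; x500uniqueIdentifier = $null }
)

# The calculated property replaces the collection with its hex rendering, so
# the CSV holds text instead of the ADPropertyValueCollection type name.
$rows = $users | Select-Object sAMAccountName,
    @{ n = 'x500uniqueIdentifier'; e = { Format-MultiValuedHex $_.x500uniqueIdentifier } }

$csvPath = Join-Path ([System.IO.Path]::GetTempPath()) 'x500uid-hex.csv'
$rows | Export-Csv -Path $csvPath -NoTypeInformation
$rows | Format-Table -AutoSize
```

Hex text survives the round trip through CSV and Excel unchanged, whereas decoding the bytes as ASCII or Unicode first can silently alter non-printable values.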
