Help on powershell script

Glenn Maxwell 13,346 Reputation points
2025-07-07T05:06:09.46+00:00

Hi All,

I have an IAM tool that has populated the extensionAttribute1 attribute for all users in Active Directory. For example, here are a few users and their corresponding extensionAttribute1 values:

User1: extensionAttribute1 is CW 
User2: extensionAttribute1 is Regular  
User3: extensionAttribute1 is SP

I want to execute a PowerShell command based on these values. For example:
```powershell
Set-ADUser -Identity user1 -Add @{extensionAttribute1="CW"}
Set-ADUser -Identity user2 -Add @{extensionAttribute1="Regular"}
Set-ADUser -Identity user3 -Add @{extensionAttribute1="SP"}
```

In the above commands, I am explicitly setting the value because I already know it. However, I am looking for a script that can:

Fetch the value of extensionAttribute1 for all users.

Execute the required logic based on that value.

Exclude users who do not have a value set for extensionAttribute1.

I plan to schedule this script to run daily using Task Scheduler.

Please guide me.

Windows for business | Windows Server | Directory services | Active Directory

1 answer

  1. FIRAT BOYAN 380 Reputation points Microsoft External Staff
    2026-02-24T10:20:41.3+00:00

    You do not need to hardcode any values. The clean approach is to query all users where extensionAttribute1 is populated, then run your logic based on the value.

    First load the Active Directory module:

    ```powershell
    Import-Module ActiveDirectory
    ```

    Then retrieve only users that have extensionAttribute1 set. This automatically excludes empty values:

    ```powershell
    $Users = Get-ADUser -Filter { extensionAttribute1 -like "*" } -Properties extensionAttribute1
    ```

    Now process each user according to the attribute value:

    ```powershell
    # Branch on the value of extensionAttribute1 for each returned user
    foreach ($User in $Users) {
        if ($User.extensionAttribute1 -eq "CW") {
            Write-Output "Processing CW user $($User.SamAccountName)"
            # CW logic here
        }
        elseif ($User.extensionAttribute1 -eq "Regular") {
            Write-Output "Processing Regular user $($User.SamAccountName)"
            # Regular logic here
        }
        elseif ($User.extensionAttribute1 -eq "SP") {
            Write-Output "Processing SP user $($User.SamAccountName)"
            # SP logic here
        }
    }
    ```

    If you need to update something based on the value, place Set-ADUser inside the relevant block. Example:

    ```powershell
    Set-ADUser -Identity $User -Replace @{department = "Operations"}
    ```

    For daily scheduling:

    1. Save the script as C:\Scripts\ProcessExtensionAttribute.ps1
    2. Create a Scheduled Task
    3. Run whether user is logged on or not
    4. Use highest privileges
    5. Program: powershell.exe
    6. Arguments: -ExecutionPolicy Bypass -File "C:\Scripts\ProcessExtensionAttribute.ps1"

    Make sure the account running the task has permission to read and modify user objects.

    This design:

    - Reads extensionAttribute1 dynamically
    - Excludes users with empty values
    - Applies logic based on the actual attribute value
    - Is safe to run daily.


    If this resolution has been helpful, I kindly request that you take a moment to click on ACCEPTED-ANSWER and select “Yes” to indicate that the response was helpful. Should you have any further questions or require additional assistance, please do not hesitate to let me know.

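The script the answer above describes, written out in full as an added example; it is not part of the original post or the answerer's code. It goes slightly further than the answer by skipping unmapped values, writing only when an attribute differs, and supporting a dry run. The search base DN, the log path and the department names in the map are placeholders chosen for illustration.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumption: placeholder OU and log path; replace with your own.
    [string]$SearchBase = 'OU=Users,DC=example,DC=com',
    [string]$LogPath    = 'C:\Scripts\Logs\ProcessExtensionAttribute.log'
)

# Hypothetical mapping of extensionAttribute1 value -> attributes to set.
# The department names are placeholders for the per-value logic.
$ActionMap = @{
    'CW'      = @{ department = 'Contractors' }
    'Regular' = @{ department = 'Operations' }
    'SP'      = @{ department = 'Service Providers' }
}

# Logging stays on during -WhatIf runs so the dry run leaves a record.
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force -WhatIf:$false | Out-Null
function Write-Log([string]$Message) {
    '{0:u} {1}' -f (Get-Date), $Message | Add-Content -Path $LogPath -WhatIf:$false
}

# Load only the attributes the map can change, plus the one that drives it.
$props = @('extensionAttribute1') + @($ActionMap.Values | ForEach-Object { $_.Keys } | Select-Object -Unique)
$users = Get-ADUser -LDAPFilter '(extensionAttribute1=*)' -SearchBase $SearchBase -Properties $props

foreach ($user in $users) {
    $value = "$($user.extensionAttribute1)".Trim()
    if (-not $ActionMap.ContainsKey($value)) {
        # The value comes from another system: log anything unexpected, change nothing.
        Write-Log "SKIP  $($user.SamAccountName): unmapped value '$value'"
        continue
    }
    # Keep only attributes that differ, so daily runs write nothing when in sync.
    $changes = @{}
    foreach ($name in $ActionMap[$value].Keys) {
        if ($user.$name -ne $ActionMap[$value][$name]) { $changes[$name] = $ActionMap[$value][$name] }
    }
    if ($changes.Count -eq 0) { continue }
    $summary = ($changes.GetEnumerator() | ForEach-Object { "$($_.Key)='$($_.Value)'" }) -join ', '
    try {
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Set $summary")) {
            Set-ADUser -Identity $user -Replace $changes -ErrorAction Stop
            Write-Log "SET   $($user.SamAccountName): $summary"
        }
    } catch {
        Write-Log "ERROR $($user.SamAccountName): $($_.Exception.Message)"
    }
}
```

Run it once with `-WhatIf` and review the log before creating the scheduled task. Because the task executes whatever is in the script file under an account that can modify user objects, keep the script and its folder writable only by administrators.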
