Set and Get AD-Computer extensionattribute in powershell

Question

Hi,

I found how to set an extension attribute for a computer
First it must be cleared
Set-ADcomputer –Identity computername -Clear "extensionAttribute15"

Then I can fill it
Set-ADcomputer -Identity computername -Add @{extensionAttribute15 = "anystring"}

It becomes tricky when I then try to extract
$value = Get-ADcomputer -identity KRKL0590 -Properties extensionAttribute15 | Select-Object extensionAttribute15

$value
@{extensionAttribute15=12/06/2021 00:00:00} (my script actually pushed a date in me extensionAtribute15)

$value.extensionAttribute15
gives nothing.

It looks like a hash but I can't manipulate it like it, it would seem.
I don't find how to extract only the value of extensionAttribute15.

Any help appreciated.

Thank you.

Answer 1

The code is this one at the moment. There are other corrections to do I know.

$ComputersWithManagedBy = get-adcomputer -ldapfilter '(managedby=*)' -properties name, managedby | select-object name, managedby

$currentday = (Get-Date).ToUniversalTime()  
$validedate = (Get-Date).adddays(7).ToUniversalTime()        

Foreach ($CPT in $ComputersWithManagedBy){

    $ExpiryDate = Get-ADcomputer -identity $CPT -Properties extensionAttribute15 | Select-Object extensionAttribute15

    #struggling here with the date format
    if ($ExpiryDate -gt $validedate){
    Write-Host "Date is more than 7 days. Correcting to within 7 days. Maximum accepted value."
    Set-ADcomputer –Identity $CPT -Clear "extensionAttribute15"
    Set-ADcomputer -Identity $CPT -Add @{extensionAttribute15 = "$validedate"}
    }elseif($ExpiryDate -le $currentday ) {
            write-host "Emptying Managed by field"
            #some code
        }else{ 
            write-host "Date is inferior we don't take action"

    }
}

Answer 2

Your first problem is on line #8. When you use the "Select-Object" cmdlet the object that's returned is a PSCustomObject with a NoteProperty named "extentionAttribute15". To get the actual value you'd use $ExpiryDate.extentionAttribute15. You can get the actual value (without the creation of a PSCustomObject) by doing this: Select-Object -Expand extentionAttribute15.

The next problem is on line #11. Even by using the "-Expand" technique you're left with a string value, not a DateTime object in $ExpiryDate. Comparing dates using strings is subject to quite a few problems that lead to inaccuracies and incorrect results. You should cast $ExpiryDate as a "[DateTime]" object.

Line #14 should 1) remove the surrounding quotation marks from the $validedate, and 2) you should probably drop the time portion of the $validedate object before you store it: $validedate.Date.ToString("MM/dd/yyyy") -- unless the time of day is important (which it probably isn't).

Answer 3

Hi Rich,

thank you so much for all this. I will review and come back to you.

There was another issue on line 8. $CPT.name in Get-ADComputer

I also had to deal with potential empty value.

Here is the corrected and working script. Thank you so much. I'll later had a test for searching "NEVER" string in my attribute. And make it run on multiple domains :)

$ComputersWithManagedBy = get-adcomputer -ldapfilter '(managedby=*)' -properties name, managedby, extensionAttribute15 | select-object name, managedby, extensionAttribute15

$currentday = (Get-Date).ToUniversalTime()  
$validedate = (Get-Date).adddays(7).ToUniversalTime()        

Foreach ($CPT in $ComputersWithManagedBy){

    $ExpiryDate = Get-ADcomputer -identity $CPT.name -Properties extensionAttribute15 | Select-Object -expand extensionAttribute15

    if(!$ExpiryDate){
    Write-Host "Null not allowed. Correcting to within 7 days. Maximum accepted value." -ForegroundColor DarkRed
    Set-ADcomputer –Identity $CPT.name -Clear "extensionAttribute15" -WhatIf
    Set-ADcomputer -Identity $CPT.name -Add @{extensionAttribute15 = $validedate.Date.ToString("MM/dd/yyyy")} -whatif
    } else {
    [datetime]$ExpiryDate 

        if ($ExpiryDate -gt $validedate){
        Write-Host "Date is more than 7 days. Correcting to within 7 days. Maximum accepted value." -ForegroundColor Red
        Set-ADcomputer –Identity $CPT.name -Clear "extensionAttribute15" -WhatIf
        Set-ADcomputer -Identity $CPT.name -Add @{extensionAttribute15 = $validedate.Date.ToString("MM/dd/yyyy")} -WhatIf
        }elseif($ExpiryDate -le $currentday ) {
                write-host "Emptying Managed by field for $($CPT.name)" -ForegroundColor Yellow
                #some code
            }else{ 
                write-host "Date is inferior to 7 days we don't take action for $($CPT.name)" -ForegroundColor Green
        }#end if
    }#end if
}#end foreach

Answer 4

Why would the "name" property of a computer object be empty? And why, it you found one, would you want to use an empty value as the identity value in Get-ADComputer? I'm not even sure I understand why you're using a Select-Object cmdlet on line #1 -- the computer objects returned by the Get-ADComputer have the properties you need.

Line #8 wouldn't need the Get-ADComputer cmdlet if you removed the Select-Object from line #1 because you'd be working with a computer object in the $CPT variable. All you'd need would be the "$ExpiryDate =Select-Object -Expand expansionAttribute 15".

I think you're confusing the "$CPT.name" being empty with $ExpiryDate not being populated.

For your how-to question about dates, try something like this:

$ExpiryDate = "Eyjafjallajökull"
Try{
    $ExpiryDate = [DateTime]$ExpiryDate
}
Catch{
    $ExpiryDate = (Get-Date).AddDays(90).Date.ToString("MM/dd/yyyy")
}
$ExpiryDate

Answer 5

What I check for emptiness or wrong value is the extensionattribute15

I'll review all you comment and try to improve my code. thank you