Clearing AD User properties

Suppose for some reason you need to clear the properties of a bunch of users, how would you go about doing that? I’ll give you a hint, you’ll need the Set-ADUser cmdlet.

I recently discovered that Set-ADUser has a -Clear parameter, go figure! Turns out to clear an attribute you need to use the LDAPDisplayName… Ok, so what does that mean?

So you know that Set-ADUser has the -City parameter right? Well the LDAPDisplayName for -City is ‘l’. What this means is to clear -City, you’d have to refer to City by its LDAPDisplayName ‘l’…

To clear -City the command would be Set-ADUser -Identity 'UserName' -Clear 'l' and not 'City' as you would expect… Hmmm…

So what you’re saying is that I need to translate the Set-ADUser parameters to the LDAPDisplayName in order to clear the value? Pretty much! Do I have an alternative? Well I’m glad you asked!!!

Ok, for those of you that don’t know this I LOVE to splat!!! Really? Yes I do!!!

I’ve talked about Translating CSV Headers to usable parameters in order to splat. A workaround for the LDAPDisplayName would be to use -ParameterName $NULL.

So to clear the City attribute use Set-ADUser -Identity 'UserName' -City $null

Here’s the code. The main part is where the user’s property is set to $null. Ok I also talked about the DRY principle and my csv Header issue… I’m sure you’ll get the point I’m trying to get across… 😉

#region: csvUsers
#Sample users as a here-string, converted to objects
$csvUsers = @"
UserID nieuw,LoginNaam Nieuw,Personeelsnummer,VoorNaam,AchterNaam,Afdeling,Bedrijf,PostCode,StraatNaam,Stad,LocationCode
150131,150131,150131,John,Wayne,IT,Acme,1222 XX,Elmstreet 26,Sciencefiction,1X
150141,150141,150141,Jane,Doe,HR,Acme,1222 XX,Elmstreet 26,Sciencefiction,2X
150211,150211,150211,Jack,Swift,IT,Acme,1222 XX,Elmstreet 26,Sciencefiction,3X
150211,150211,150211,James,Bond,CEO,Acme,0007 XX,Elmstreet 26,Sciencefiction,
"@ |
ConvertFrom-Csv -Delimiter ','
#endregion

#region: HashTable to translate csv Header
#Key = csv header, Value = Set-ADUser parameter name
$hshHeader = @{
   'UserID nieuw' = 'SamAccountName'
   Personeelsnummer = 'EmployeeID'
   VoorNaam = 'GivenName'
   AchterNaam = 'SurName'
   Afdeling = 'Department'
   Bedrijf = 'Company'
   PostCode = 'PostalCode'
   StraatNaam = 'StreetAddress'
   Stad = 'City'
}
#endregion

#region: Main
foreach ($user in $csvUsers) {
   $UserProperties = @{}

   foreach ($property in $hshHeader.Keys) {
      #Set user property to $null
      $UserProperties += @{$($hshHeader[$property])=$null}
   }

   #Add the hash Key Identity to the table. Identity key value equals SamAccountName
   $UserProperties.Add('Identity', $user.'UserID nieuw')

   #Remove the hash  Key SamAccountName. This cannot be cleared as it is mandatory
   $UserProperties.Remove('SamAccountName')

   #Clear User
   try {
      Write-Verbose "Clearing user property values of user $($UserProperties.Identity)"
      #-ErrorAction Stop makes sure a failure ends up in the catch block
      Set-ADUser @UserProperties -PassThru -ErrorAction Stop
   }
   catch {
      Write-Error "Something went wrong clearing user $($UserProperties.Identity) properties"
   }
}
#endregion
My first attempt was to use -SamAccountName to identify the user, but you need to use -Identity. No Identity in the csv? No problem! Just add it as you go along… Ain’t splat grand… Hehe…

Of course you’re not allowed to clear the SamAccountName, it’s mandatory so I removed it from the hashtable $UserProperties.

This approach has the added value that if the same csv is used to populate the user’s attributes, only those attributes will be cleared. May not seem like a big deal now, but imagine some other process manipulating attributes as well… Of course if they are the same well… You get the picture…

So there you have it, clearing user attributes with Set-ADUser without using -Clear and LDAPDisplayName.
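
For comparison, here is the -Clear route with the parameter-to-LDAPDisplayName translation done by a lookup table. This is an added example, not part of the original post. The function name Clear-ADUserAttribute and the backup file path are hypothetical. A bulk clear is destructive, so the current values are written to a file before anything is changed, and -WhatIf gives a dry run.

```powershell
# Added example (not the post's code). Set-ADUser parameter name -> LDAPDisplayName
$ldapName = @{
    GivenName     = 'givenName'
    Surname       = 'sn'
    EmployeeID    = 'employeeID'
    Department    = 'department'
    Company       = 'company'
    PostalCode    = 'postalCode'
    StreetAddress = 'streetAddress'
    City          = 'l'
}

function Clear-ADUserAttribute {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]   $Identity,
        [Parameter(Mandatory)][string[]] $ParameterName,
        [Parameter(Mandatory)][string]   $BackupPath
    )

    # Refuse names that have no mapping instead of passing a guess to -Clear
    $unknown = $ParameterName | Where-Object { -not $ldapName.ContainsKey($_) }
    if ($unknown) { throw "No LDAPDisplayName mapping for: $($unknown -join ', ')" }
    $attrs = @($ParameterName | ForEach-Object { $ldapName[$_] })

    # Read the current values so the change can be audited or rolled back
    $before = Get-ADUser -Identity $Identity -Properties $attrs -ErrorAction Stop

    # One JSON line per user; with -WhatIf, Add-Content does not write either
    $before | Select-Object (@('SamAccountName') + $attrs) |
        ConvertTo-Json -Compress | Add-Content -Path $BackupPath

    # Only clear attributes that currently hold a value
    $toClear = $attrs | Where-Object { $null -ne $before.$_ }
    if ($toClear -and $PSCmdlet.ShouldProcess($Identity, "Clear $($toClear -join ', ')")) {
        Set-ADUser -Identity $Identity -Clear $toClear -ErrorAction Stop
    }
}

# Dry run for the first sample user from the csv above
Clear-ADUserAttribute -Identity '150131' -ParameterName City, Department `
    -BackupPath .\cleared-attributes.jsonl -WhatIf
```

Drop -WhatIf once the dry-run output lists the attributes you expect to be cleared.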

Hope it’s worth something to you…



