Set-ADUser : Cannot find an object with identity: 'System.DirectoryServices.DirectoryEntry.DistinguishedName'
Hi,

I've based a small amount of Powershell code off the code I've found here: http://halfloaded.com/blog/powershell-using-posh-to-search-across-multiple-domains-in-forest/

The function enumerates the domains in the forest, matches one if it finds the keyword "giraffe" then attempts to clear extensionAttribute8. The issue looks to be a mismatch in object types but I can't figure out how to fix it.

Please help!

cls
# Find forest
$objForest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# Find Domains
$DomainList = @($objForest.Domains | Select-Object Name)

# Split into full domain names
$Domains = $DomainList | foreach {$_.Name}

# Act on each domain
foreach($Domain in ($Domains))
{
	$ADsPath = [ADSI]"LDAP://$Domain"
	$objSearcher = New-Object System.DirectoryServices.DirectorySearcher($ADsPath)
	
	# Filter based on LDAP syntax
	$objSearcher.Filter = "SamAccountName=davetestuser"
	$objSearcher.SearchScope = "Subtree"
	$colResults = $objSearcher.FindAll()
 
	foreach ($objResult in $colResults)
	{
        	$userDomain = $objResult.GetDirectoryEntry()
	        if ($userDomain.DistinguishedName -match "giraffe"){
		        Set-ADUser -identity "$userDomain.DistinguishedName" -clear extensionAttribute8 -errorvariable SetADUserClearArchiveCodeErr
        	}     
	}
}

It errors with:

Set-ADUser : Cannot find an object with identity: 'System.DirectoryServices.DirectoryEntry.DistinguishedName' under: 
'DC=giraffe,DC=co,DC=uk'.
At C:\tempLoopingThroughDomains.ps1:26 char:9
+         Set-ADUser -identity "$userDomain.DistinguishedName" -clear extensionAtt ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (System.Director...stinguishedName:ADUser) [Set-ADUser], ADIdentityNotFoundException
    + FullyQualifiedErrorId : Cannot find an object with identity: 'System.DirectoryServices.DirectoryEntry.DistinguishedName' under: ''DC=giraffe,DC=co,DC=uk''.,Microsoft.ActiveDirectory.Management.Commands.SetADUser

January 20th, 2014 6:31pm

When you're trying to embed an object's properties into a string, you need to use a sub-expression, like so:

"$($userDomain.DistinguishedName)"

However, in this case, there's no need to use the double quotes at all, since the string is only going to contain the Distinguished Name anyway.  You can just do this:

Set-ADUser -identity $userDomain.DistinguishedName -clear extensionAttribute8 -errorvariable SetADUserClearArchiveCodeErr


January 20th, 2014 6:49pm

I'm afraid it still errors:

Set-ADUser : Cannot convert 'System.DirectoryServices.PropertyValueCollection' to the type 'Microsoft.ActiveDirectory.Management.ADUser' required by parameter 'Identity'. Specified method is not supported.

I read this to be the object $userDomain isn't the type of object set-aduser expects although I don't really know!

  • Edited by David4576 Monday, January 20, 2014 6:54 PM
January 20th, 2014 6:52pm


I suppose I can do something like this:

$userDomain.extensionAttribute8 = "2313"
$userDomain.SetInfo()

But then I don't get the useful switches like errorvariable.

January 20th, 2014 7:01pm

Can you post the code you're using now that you've made some corrections?

January 20th, 2014 7:26pm

I'm afraid it still errors:

Set-ADUser : Cannot convert 'System.DirectoryServices.PropertyValueCollection' to the type 'Microsoft.ActiveDirectory.Management.ADUser' required by parameter 'Identity'. Specified method is not supported.

I read this to be the object $userDomain isn't the type of object set-aduser expects although I don't really know!

Ah, right.  The DirectoryEntry class gives you collections, even for properties that are single-valued.  Try this instead:

Set-ADUser -identity $userDomain.DistinguishedName[0] -clear extensionAttribute8 -errorvariable SetADUserClearArchiveCodeErr

  • Marked as answer by David4576 Monday, January 20, 2014 11:27 PM
January 20th, 2014 7:29pm
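
The loop from the question with the fix from the answer above applied, as an added example that is not part of the original thread. The account name, the "giraffe" match and extensionAttribute8 are the thread's values; $sam, $dn and $clearErr are names chosen here, and -Server and -WhatIf are additions so that each write goes to the domain the user was found in and can be previewed first.

```powershell
# Added example, not code from the thread.
Import-Module ActiveDirectory

$sam    = 'davetestuser'   # account name used in the question
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

foreach ($domain in $forest.Domains) {
    $root     = [ADSI]"LDAP://$($domain.Name)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter      = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$sam))"
    $searcher.SearchScope = 'Subtree'

    # FindAll() may return several results; this loop visits every one of them.
    foreach ($result in $searcher.FindAll()) {
        $entry = $result.GetDirectoryEntry()

        # "$entry.DistinguishedName" inside double quotes expands $entry.ToString()
        # and appends the literal text ".DistinguishedName". The property itself is a
        # PropertyValueCollection, so [0] picks its single value (it indexes the
        # property's values, not the search results) and the cast yields a string.
        $dn = [string]$entry.DistinguishedName[0]

        if ($dn -match 'giraffe') {
            # -Server sends the change to the domain the user lives in.
            # -WhatIf only reports what would change; remove it after reviewing the output.
            Set-ADUser -Identity $dn -Server $domain.Name -Clear extensionAttribute8 `
                -ErrorVariable clearErr -WhatIf

            if ($clearErr) {
                Write-Warning "Could not clear extensionAttribute8 on ${dn}: $($clearErr[0])"
            }
        }
    }
}
```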


You're spot on - works a treat! Appreciate your time :)
January 20th, 2014 11:28pm

I have the same issue and if I use [0] it only processes the first entry.  How do I handle multiple entries?
July 23rd, 2015 5:27pm

I have the same issue and if I use [0] it only processes the first entry.  How do I handle multiple entries?

You need to start a new topic as this one has been closed for some time.

Chances are that PowerShell and AD have changed since this was posted.

July 23rd, 2015 5:47pm

This is also much easier to do like this:

$samAccountName='testuser'
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Domains |
    ForEach-Object{
        Get-AdUser $samAccountName -Server $_.Name  |
            Set-ADUser -clear extensionAttribute8 
    }

July 23rd, 2015 5:58pm

To clear all users in all domains:

[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Domains |
    ForEach-Object{
        Get-AdUser -filter * -Server $_.Name  |
            Set-ADUser -clear extensionAttribute8 
    }

July 23rd, 2015 6:04pm

This topic is archived. No further replies will be accepted.
