I am writing a script that contains this code:

Get-ADUser -Identity johndoe | Set-ADUser -Replace @{customattribute = 'yes'}

...and I am getting this error:

Set-ADUser : An attempt was made to modify an object to include an 
attribute that is not legal for its class
At line:1 char:61
+ Get-ADUser -Identity johndoe | Set-ADUser -Replace...
+                                                             
~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : NotSpecified: (CN=John 
Doe,DC=test,DC=local:ADUser) [Set-ADUser], ADException
+ FullyQualifiedErrorId : 
ActiveDirectoryServer:8317,
Microsoft.ActiveDirectory.Management.Commands.SetADUser

If I do a Get-ADUser instead, I am able to see the custom attribute and the value assigned to it. It is just when I try modifying it with Set-ADUser that I get the error.

Get-ADUser johndoe -Properties customattribute | ft name,customattribute
name          customattribute
----          ---------------
John Doe      No

I've done research and a lot of troubleshooting, but have not been able to solve the problem. Does anyone have any advice?

Thank you!

  • Has this environment been restored from backup at some point? The error you're getting indicates a schema inconsistency (the kind of thing you'd definitely want to open a Microsoft support case for) Commented Jul 23, 2018 at 15:09
  • @MathiasR.Jessen I do not believe that this environment has been restored from backup. It is a VM that I test my scripts on before I use them on the actual network. Commented Jul 23, 2018 at 19:46

1 Answer

I would recommend checking if the PowerShell attributes are defunct to troubleshoot if this could stem from schema issues.

The following PowerShell command should give you a list of attributes on your ADObjects that are defunct. Check and see if your custom attribute is on this list:

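# Find the schema partition, collect the schema objects flagged as defunct, then print them
$SchemaPath = (Get-ADRootDSE).schemaNamingContext
$DefunctAttributes = Get-ADObject -Filter {IsDefunct -eq $True} -Properties IsDefunct -SearchBase $SchemaPath | Select-Object Name
$DefunctAttributes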

If this is the case I would do as @Mathias R. Jessen suggests and open an MS ticket.

Edit
It is odd that it doesn't show up on the list. Have you checked that the attribute is actually part of the schema?

Running this command will show all schema attributes with a name containing "custom":

# List every schema object whose name contains "custom"
$SchemaPath = (Get-ADRootDSE).schemaNamingContext
Get-ADObject -Filter * -Properties * -SearchBase $SchemaPath | Select-Object Name | Where-Object {$_.Name -match "custom"}

Does your custom attribute show up on this list? If not, it is missing from the schema somehow.

If it is, I am guessing some sort of corruption is going on and I would raise a ticket with Microsoft regardless.


5 Comments

I tried your code and my custom attribute did not show up on the list.
Do you know what datatype your customproperty has? You should be able to see this with: Get-ADUser johndoe -Properties customattribute | Get-Member Look for your attribute by name. Then under the definition it should say "string" if it is a text value.
It says "System.String customattribute {get;set;} " under Definition.
Added something to try in the answer.
The attribute is listed in the schema. I'll try the ticket and see what Microsoft says. Thank you for the help!
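
The error text says the attribute is not legal for the object's class, so besides the defunct and existence checks above, it helps to confirm that the attribute appears in the allowed-attribute lists of the user class and the classes it inherits from. The following is an added example, not code from the question or the answer; the function name Get-AllowedSchemaAttribute is hypothetical, and 'customattribute' and 'user' are the names used in the question.

```powershell
# Added example: needs the ActiveDirectory (RSAT) module and read access to the schema partition.
Import-Module ActiveDirectory

function Get-AllowedSchemaAttribute {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $ClassName   # lDAPDisplayName of the class, e.g. 'user'
    )
    $schemaPath = (Get-ADRootDSE).schemaNamingContext
    $props   = 'lDAPDisplayName','subClassOf','auxiliaryClass','systemAuxiliaryClass',
               'mayContain','mustContain','systemMayContain','systemMustContain'
    $pending = [System.Collections.Generic.Queue[string]]::new()
    $seen    = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    $allowed = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    $pending.Enqueue($ClassName)

    while ($pending.Count -gt 0) {
        $name = $pending.Dequeue()
        if (-not $seen.Add($name)) { continue }      # 'top' lists itself as parent; do not loop
        $class = Get-ADObject -SearchBase $schemaPath -Properties $props `
                     -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$name))"
        if (-not $class) { continue }
        # Attributes this class permits directly
        foreach ($p in 'mayContain','mustContain','systemMayContain','systemMustContain') {
            foreach ($attr in $class.$p) { [void]$allowed.Add($attr) }
        }
        # Parent and auxiliary classes contribute their attributes too
        foreach ($p in 'subClassOf','auxiliaryClass','systemAuxiliaryClass') {
            foreach ($next in $class.$p) { $pending.Enqueue($next) }
        }
    }
    $allowed
}

# Names taken from the question; substitute your own attribute's lDAPDisplayName.
$attributeName = 'customattribute'
if ((Get-AllowedSchemaAttribute -ClassName 'user') -contains $attributeName) {
    "$attributeName is allowed on class 'user'"
} else {
    "$attributeName is not in the may/must-contain lists of 'user' or its parent and auxiliary classes"
}
```

The walk covers the class definitions only; auxiliary classes attached dynamically to one particular object are not included.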
